Azure Logic App: Terraform not detecting changes - azure

Terraform is not detecting changes made manually in logic app workflow after its deployment. Is it me or this is not yet possible with terraform?
The goal would be to detect them and redeploy if necessary

Terraform uses state to keep track of the state of your cloud resources.
It does not query your cloud resources each time. Therefore, any changed made manually will not be overwritten at once.
If you make a change to your Terraform template, it will be reapplied and the manual changes will be lost.
https://www.terraform.io/language/state/purpose

Related

how to use terraformer to update the existing statefile incrementally

We are using Azure cloud platform and used Terraform to provision our resources using Azuredevops pipelines. So when we provisioned the resources we kept the statefiles resource wise(eg:ApIM, Appservice, AKS, Storage Accounts, etc..) and the statefiles where in sync with the actual resource.
But we have other ADO pipelines as part of our application releases, which are making some changes on the previous terraform built resources like (API creation and update, Tags update to resources, additional component creation to the base resource etc..). So those changes made our terraform states out of sync the actual resources and when we triggered the pipeline for terraform plan for those resources, number of changes are showing and some resources are showing to replace itself.
So, We need to make our existing resources statefile in sync with any kind of pipeline\manual changes from the portal and we have to follow the practice of incrementally updating the statefile.
So by searching in internet we found that we can achieve this using terraformer and planning to add a Pipeline for terraformer task that will update those changes to the existing statefiles for each resource (planning to schedule this pipeline weekly).
Is it possible to use terrafomer to make the incremental changes with both statefile and already used terraform manifests in sync.
Your using of Terraform for IaaC seems wrong. If you plan to deploy resources through terraform then those resources should not be modified by other external factors. If it does, then you lose one of terraform's key feature i.e, maintaining a state and updating the resources.
Terraformer is a completely different tool that is not suited for your direct usecase. It is used to generate tf files/state files for existing resources created via methods other than terraform (Eg: console)
My recommendation for you will be to go through the basics of terraform, Iaac and restructure your pipelines/architecture.
Below are some links that were helpful for me.
https://developer.hashicorp.com/terraform/language/state
https://www.terraform-best-practices.com/examples
https://developer.hashicorp.com/terraform/language/modules

How to recover Terraform state file

I am new to the Terraform world. I have started working on IaC for Azure using TF.
I have below three queries regarding using TF:
In case the state file gets accidentally deleted, is there a way to recover/recreate the state file from the current state of the Azure resources?
In the case of Azure, if one makes some direct changes to the Azure resources from the Azure portal, is there a way to retrofit those changes automatically into the Terraform .tf or state files?
Is there a way to generate terraform files for any existing Azure resources created directly from the portal?
In case the state file gets accidentally deleted, is there a way to recover/recreate the state file from the current state of the Azure resources?
You should configure Terraform to use a backend that saves every version of your state file, and makes it really difficult to delete the state file. If you are using Azure as the backend, then I believe that would mean enabling Blob versioning, and Soft delete for blobs.
Disclaimer: I don't use Azure, so there may be more to it than that. On AWS you would enable S3 bucket versioning and MFA delete, and the features I linked appear to be the Azure equivalent.
In the case of Azure, if one makes some direct changes to the Azure resources from the Azure portal, is there a way to retrofit those
changes automatically into the Terraform .tf or state files?
You would need to run terraform plan and examine the output to see how the current Azure resources differ from the Terraform configuration, then update your Terraform configuration until terraform plan says there are no changes.
Is there a way to generate terraform files for any existing Azure resources created directly from the portal?
There are some tools, like terraformer that attempt to do this, but in my experience they are always missing support for tons of features and generally don't work well at all.
First of all rules: Is mandatory to have a regular backup of your state file! Try to configure your Terraform backend in a remote place, like Google Cloud Storage
Answering your questions:
The process of recovering a deleted state file is never easy. You should import all the resources with terraform import. Check this document.
If someone changes a resource via the Azure portal and if you do a terraform plan in your environment, you should check that changes were done outside Terraform. Then you should update your code to match those changes, after applying your code.
To clarify, if someone changes your instance_type = c4.xlarge and you have at your code instance_type = t3.micro, if you apply your code, that change will be reverted so if you want to stay with instances with c4.xlarge you should change your code.
I don't use any kind of that tools but I can imagine that they exists.

CDK/Cloudformation shared state

Pretty new to CDK/Cloudformation, just moving from Terraform, and was wondering if CDK/Cloudformation have something similar to Terraform's remote state? Or some other way that different team members could work on updating the same AWS resources without need to destroy/recreate everything.
CDK is just a "wrapper" around CloudFormation, which means that AWS stores the state and manages your resources deployed using CDK.
Terraform does not use CloudFormation, thus it has to keep its own state. Also Terraform is cloud agnostic, so it manages state without needing to rely on any cloud resources, such as CloudFormation.
So no, CDK does not have its own state in the same sense as Terraform has.

Proper way to maintain azure resource manager template

I have arm template to recreate resource group with resources and their settings. This works fine.
Use case:
Some developer goes to azure portal and update some settings for some resource. Is there a way how to get exact changes that can be applied to my template to take these changes in effect? (Update template in source control)
If I go to automation script in resource group I can see all resources but my template in source control is different (parameters, conditions, variables, multiple templates linked together ...). I can't see on first look what changes were done and I can't use any diff.
Maybe I missed completely something but how are you solving this issue?
Thanks.
It is not easy to see any changes to resources by comparing templates from within the portal. Best practice is to always use ARM templates (and CI/CD pipelines) to deploy ARM templates to provision resources. Keep these ARM templates under source control to track them.
Further than that, I think you have two main options to track these changes:
1) You can use the Azure Activity Log to track the changes. The Azure Activity Log is a subscription log that provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events.
2) Write a little intelligent code against the Management Plane API. A good starting point is https://resources.azure.com/subscriptions. You could write a little extract that pulls all your resources out daily and commits them to a git repo. This will only update for changes to templates. You can then analyse the delta as or when you need.
Conceptionally, the developer should never 'go[es] to azure portal and update some settings for some resource', except for his own development / unit testing work. He then should produce an updated ARM template for deployment in the TST etc environments, and document his unit-tested changes with the new template. If his update collides with your resources in TST he will probably come to you to explain his changes, and discuss the resolution.

How can I merge Terraform state drift back into configuration files?

I have a Terraform script which provisions AWS infrastructure with (among other things) a set of security groups.
Over time, these security groups have had a bunch of extra IP ranges added through the AWS console, so there's a drift between the .tf files and the real-world state.
Running terraform plan shows these differences, and wants to roll back to Terraform's configured state.
What I'd like to achieve is to (programmatically) update the .tf files' security group definition to reflect these additional IP ranges, bringing Terraform up-to-date and (hopefully) increasing the chances it'll be used to manage state changes in future.
That is a pending feature in Terraform: https://github.com/hashicorp/terraform/issues/15608
In that issue there are linked two projects that can help:
https://github.com/dtan4/terraforming
https://gitlab.com/Nowaker/terraform-import-as-hcl

Resources