<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TechieRoop</title>
	<atom:link href="https://techieroop.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://techieroop.com</link>
	<description>Navigating the Future of DevOps &#38; MLOps</description>
	<lastBuildDate>Wed, 27 May 2026 04:57:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://i0.wp.com/techieroop.com/wp-content/uploads/2021/04/cropped-android-chrome-512x512-1.png?fit=32%2C32&#038;ssl=1</url>
	<title>TechieRoop</title>
	<link>https://techieroop.com</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">192312049</site>	<item>
		<title>Does sensitive = true Fully Protect Your Data in Terraform?</title>
		<link>https://techieroop.com/does-sensitive-true-fully-protect-your-data-in-terraform/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=does-sensitive-true-fully-protect-your-data-in-terraform</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:41 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/does-sensitive-true-fully-protect-your-data-in-terraform/</guid>

					<description><![CDATA[<p>Does sensitive = true Fully Protect Your Data in Terraform? Marking a Terraform variable or output as sensitive = true is a useful safety measure, but it is widely misunderstood. It does not provide complete protection for your secrets. Here is exactly what it does and does not do. What [&#8230;]</p>
<p>The post <a href="https://techieroop.com/does-sensitive-true-fully-protect-your-data-in-terraform/">Does sensitive = true Fully Protect Your Data in Terraform?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>Does sensitive = true Fully Protect Your Data in Terraform?</h2>
<p>Marking a Terraform variable or output as <code>sensitive = true</code> is a useful safety measure, but it is widely misunderstood. It does <strong>not</strong> provide complete protection for your secrets. Here is exactly what it does and does not do.</p>
<h3>What sensitive = true Does</h3>
<pre><code>variable "db_password" {
  type      = string
  sensitive = true
}

output "db_connection_string" {
  value     = "postgres://admin:${var.db_password}@${aws_db_instance.main.endpoint}/app"
  sensitive = true
}
</code></pre>
<p>When marked sensitive, Terraform will:</p>
<ul>
<li>Mask the value in <code>terraform plan</code> and <code>terraform apply</code> output as <code>(sensitive value)</code>.</li>
<li>Suppress the value in <code>terraform output</code> unless you use <code>-json</code> or <code>-raw</code>.</li>
<li>Prevent the value from appearing in regular log output.</li>
</ul>
<pre><code># Plan output with sensitive = true
+ password = (sensitive value)   # Value is hidden in terminal
</code></pre>
<h3>What sensitive = true Does NOT Do</h3>
<p>This is the critical part most engineers miss:</p>
<ul>
<li>It does <strong>NOT</strong> encrypt the value in the state file.</li>
<li>It does <strong>NOT</strong> prevent the value from being read with <code>terraform state pull</code>.</li>
<li>It does <strong>NOT</strong> remove the value from the <code>.tfstate</code> file on disk.</li>
</ul>
<pre><code># The password is stored in CLEARTEXT inside terraform.tfstate
{
  "resources": [
    {
      "instances": [
        {
          "attributes": {
            "password": "SuperSecretPassword123!"  # Fully visible in state file!
          }
        }
      ]
    }
  ]
}
</code></pre>
<h3>How to Truly Secure Sensitive Data</h3>
<p><strong>1. Use a Remote Backend with Encryption at Rest</strong></p>
<pre><code>terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true          # Server-side encryption
    kms_key_id     = "arn:aws:kms:us-east-1:123456789:key/abc-123"  # KMS key
    dynamodb_table = "terraform-lock"
  }
}
</code></pre>
<p><strong>2. Restrict Access to the State File</strong></p>
<pre><code># S3 bucket policy — restrict to only Terraform IAM role
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-terraform-state/*",
  "Condition": {
    "StringNotEquals": {
      "aws:PrincipalArn": "arn:aws:iam::123456789:role/terraform-role"
    }
  }
}
</code></pre>
<p><strong>3. Avoid Storing Secrets in State at All</strong></p>
<pre><code># Use a data source to fetch secrets at apply time instead of storing them
data "aws_secretsmanager_secret_version" "db_pass" {
  secret_id = "prod/db/password"
}
</code></pre>
<h3>Key Takeaway</h3>
<p><code>sensitive = true</code> only masks values in CLI output and logs — it is a display-layer protection, not encryption. The secret is still stored as cleartext in your state file. For true security, use a remote backend with KMS encryption, restrict state file access via IAM policies, and source secrets from a secret manager at apply time.</p><p>The post <a href="https://techieroop.com/does-sensitive-true-fully-protect-your-data-in-terraform/">Does sensitive = true Fully Protect Your Data in Terraform?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1474</post-id>	</item>
		<item>
		<title>How to Migrate Terraform State from Local to a Remote Backend</title>
		<link>https://techieroop.com/how-to-migrate-terraform-state-from-local-to-a-remote-backend/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=how-to-migrate-terraform-state-from-local-to-a-remote-backend</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:40 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/how-to-migrate-terraform-state-from-local-to-a-remote-backend/</guid>

					<description><![CDATA[<p>How to Migrate Terraform State from Local to a Remote Backend When you first start with Terraform, state is stored locally in terraform.tfstate. As your team grows, you need to migrate to a remote backend for collaboration, security, and state locking. Why Migrate to a Remote Backend? Enables team collaboration [&#8230;]</p>
<p>The post <a href="https://techieroop.com/how-to-migrate-terraform-state-from-local-to-a-remote-backend/">How to Migrate Terraform State from Local to a Remote Backend</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>How to Migrate Terraform State from Local to a Remote Backend</h2>
<p>When you first start with Terraform, state is stored locally in <code>terraform.tfstate</code>. As your team grows, you need to migrate to a remote backend for collaboration, security, and state locking.</p>
<h3>Why Migrate to a Remote Backend?</h3>
<ul>
<li>Enables team collaboration — everyone shares the same state.</li>
<li>Prevents concurrent apply conflicts with state locking.</li>
<li>Keeps secrets out of your local machine and version control.</li>
<li>Enables versioning, encryption at rest, and audit logs.</li>
</ul>
<h3>Step 1: Create the Remote Backend Infrastructure</h3>
<p>First, provision the S3 bucket and DynamoDB table for state storage and locking:</p>
<pre><code># Create S3 bucket (do this manually or with a separate Terraform config)
aws s3api create-bucket \
  --bucket my-terraform-state \
  --region us-east-1

# Enable versioning
aws s3api put-bucket-versioning \
  --bucket my-terraform-state \
  --versioning-configuration Status=Enabled

# Create DynamoDB table for state locking
aws dynamodb create-table \
  --table-name terraform-state-lock \
  --attribute-definitions AttributeName=LockID,AttributeType=S \
  --key-schema AttributeName=LockID,KeyType=HASH \
  --billing-mode PAY_PER_REQUEST
</code></pre>
<h3>Step 2: Add the Backend Block to Your Config</h3>
<pre><code>terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-state-lock"
  }
}
</code></pre>
<h3>Step 3: Run terraform init to Trigger Migration</h3>
<pre><code>terraform init
</code></pre>
<p>Terraform detects that the backend has changed and prompts:</p>
<pre><code>Do you want to copy existing state to the new backend?
  Pre-existing state was found while migrating the previous backend.
  Enter "yes" to copy this state to the new backend.

Enter a value: yes
</code></pre>
<p>Type <code>yes</code> and Terraform automatically copies your local state to the remote backend.</p>
<h3>Step 4: Verify the Migration</h3>
<pre><code># Confirm remote state is accessible
terraform state list

# Check the remote state file in S3
aws s3 ls s3://my-terraform-state/prod/
</code></pre>
<h3>Step 5: Clean Up Local State</h3>
<p>After verifying the migration was successful, remove the local state file:</p>
<pre><code># Keep a backup first
cp terraform.tfstate terraform.tfstate.backup

# Remove local state (remote is now the source of truth)
rm terraform.tfstate
rm terraform.tfstate.backup
</code></pre>
<h3>Key Takeaway</h3>
<p>Migrating to a remote backend is a three-step process: add the backend block, run <code>terraform init</code>, and confirm the migration prompt. Always verify state integrity afterward and enable versioning on your S3 bucket before migrating.</p><p>The post <a href="https://techieroop.com/how-to-migrate-terraform-state-from-local-to-a-remote-backend/">How to Migrate Terraform State from Local to a Remote Backend</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1473</post-id>	</item>
		<item>
		<title>Terraform create_before_destroy Lifecycle Rule Explained</title>
		<link>https://techieroop.com/terraform-create_before_destroy-lifecycle-rule-explained/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=terraform-create_before_destroy-lifecycle-rule-explained</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:40 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/terraform-create_before_destroy-lifecycle-rule-explained/</guid>

					<description><![CDATA[<p>Terraform create_before_destroy Lifecycle Rule Explained When Terraform needs to replace a resource (destroy and recreate), it follows a specific order. Understanding the create_before_destroy lifecycle rule helps you avoid downtime during infrastructure updates. Default Behavior: Destroy Then Create By default, when a resource needs to be replaced, Terraform: Destroys the old [&#8230;]</p>
<p>The post <a href="https://techieroop.com/terraform-create_before_destroy-lifecycle-rule-explained/">Terraform create_before_destroy Lifecycle Rule Explained</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>Terraform create_before_destroy Lifecycle Rule Explained</h2>
<p>When Terraform needs to replace a resource (destroy and recreate), it follows a specific order. Understanding the <code>create_before_destroy</code> lifecycle rule helps you avoid downtime during infrastructure updates.</p>
<h3>Default Behavior: Destroy Then Create</h3>
<p>By default, when a resource needs to be replaced, Terraform:</p>
<ol>
<li>Destroys the old resource.</li>
<li>Creates the new resource.</li>
</ol>
<p>This causes a window of downtime where neither the old nor new resource exists.</p>
<h3>create_before_destroy: Create Then Destroy</h3>
<p>With <code>create_before_destroy = true</code>, Terraform reverses the order:</p>
<ol>
<li>Creates the new resource first.</li>
<li>Waits for it to be fully operational.</li>
<li>Destroys the old resource.</li>
</ol>
<pre><code>resource "aws_instance" "web" {
  ami           = var.ami_id
  instance_type = "t3.micro"

  lifecycle {
    create_before_destroy = true
  }
}
</code></pre>
<h3>Real-World Example: Auto Scaling Launch Template</h3>
<pre><code>resource "aws_launch_template" "app" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_autoscaling_group" "app" {
  launch_template {
    id      = aws_launch_template.app.id
    version = "$Latest"
  }
  min_size         = 2
  max_size         = 5
  desired_capacity = 2
}
</code></pre>
<p>When the AMI is updated, a new launch template is created before the old one is removed, ensuring the ASG always has a valid template.</p>
<h3>Example: TLS Certificate Rotation</h3>
<pre><code>resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}
</code></pre>
<p>The new certificate is issued and validated before the old one is deleted, preventing HTTPS downtime.</p>
<h3>Other Useful Lifecycle Rules</h3>
<pre><code>lifecycle {
  create_before_destroy = true   # Create new before destroying old
  prevent_destroy       = true   # Block any destroy operation (great for databases)
  ignore_changes        = [tags] # Ignore drift in specific attributes
}
</code></pre>
<h3>Key Takeaway</h3>
<p>Always use <code>create_before_destroy = true</code> for production resources where availability matters — load balancers, certificates, launch templates, and DNS records. Pair it with <code>prevent_destroy = true</code> on critical resources like databases to add an extra safety net.</p><p>The post <a href="https://techieroop.com/terraform-create_before_destroy-lifecycle-rule-explained/">Terraform create_before_destroy Lifecycle Rule Explained</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1472</post-id>	</item>
		<item>
		<title>What is the Purpose of a null_resource in Terraform?</title>
		<link>https://techieroop.com/what-is-the-purpose-of-a-null_resource-in-terraform/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=what-is-the-purpose-of-a-null_resource-in-terraform</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:39 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/what-is-the-purpose-of-a-null_resource-in-terraform/</guid>

					<description><![CDATA[<p>What is the Purpose of a null_resource in Terraform? A null_resource is a special Terraform resource that does not manage any real cloud infrastructure. Instead, it acts as a placeholder to trigger side effects — like running scripts or commands — at the right point in the Terraform lifecycle. When [&#8230;]</p>
<p>The post <a href="https://techieroop.com/what-is-the-purpose-of-a-null_resource-in-terraform/">What is the Purpose of a null_resource in Terraform?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>What is the Purpose of a null_resource in Terraform?</h2>
<p>A <code>null_resource</code> is a special Terraform resource that does not manage any real cloud infrastructure. Instead, it acts as a placeholder to trigger side effects — like running scripts or commands — at the right point in the Terraform lifecycle.</p>
<h3>When to Use null_resource</h3>
<p>Use it when you need to:</p>
<ul>
<li>Run a local or remote script after certain infrastructure is ready.</li>
<li>Execute a command that does not map to a Terraform resource.</li>
<li>Trigger actions based on changes to other resources.</li>
</ul>
<h3>Basic Example: Run a Local Script</h3>
<pre><code>resource "null_resource" "run_setup_script" {
  provisioner "local-exec" {
    command = "bash ./scripts/setup.sh"
  }

  depends_on = [aws_instance.web]
}
</code></pre>
<p>This runs <code>setup.sh</code> on your local machine after the EC2 instance is created.</p>
<h3>Using triggers to Re-run on Change</h3>
<p>By default, a <code>null_resource</code> only runs once. Use <code>triggers</code> to re-execute it when a value changes:</p>
<pre><code>resource "null_resource" "redeploy_app" {
  triggers = {
    app_version = var.app_version
    instance_id = aws_instance.web.id
  }

  provisioner "local-exec" {
    command = "ansible-playbook -i '${aws_instance.web.public_ip},' deploy.yml"
  }
}
</code></pre>
<p>Every time <code>app_version</code> or the instance ID changes, this resource will be destroyed and recreated, triggering the provisioner again.</p>
<h3>Remote Execution with remote-exec</h3>
<pre><code>resource "null_resource" "configure_server" {
  connection {
    type        = "ssh"
    user        = "ubuntu"
    private_key = file("~/.ssh/id_rsa")
    host        = aws_instance.web.public_ip
  }

  provisioner "remote-exec" {
    inline = [
      "sudo apt-get update -y",
      "sudo apt-get install -y nginx",
      "sudo systemctl start nginx"
    ]
  }

  depends_on = [aws_instance.web]
}
</code></pre>
<h3>Modern Alternative: terraform_data (Terraform 1.4+)</h3>
<pre><code># null_resource is being replaced by terraform_data in newer versions
resource "terraform_data" "run_script" {
  triggers_replace = [var.app_version]

  provisioner "local-exec" {
    command = "echo Deploying version ${var.app_version}"
  }
}
</code></pre>
<h3>Key Takeaway</h3>
<p><code>null_resource</code> is your escape hatch for actions Terraform cannot model as a resource. Use it sparingly with provisioners for bootstrapping or triggering scripts. For Terraform 1.4 and above, prefer the built-in <code>terraform_data</code> resource instead.</p><p>The post <a href="https://techieroop.com/what-is-the-purpose-of-a-null_resource-in-terraform/">What is the Purpose of a null_resource in Terraform?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1471</post-id>	</item>
		<item>
		<title>How to Handle Secrets in Terraform Without Hardcoding Them</title>
		<link>https://techieroop.com/how-to-handle-secrets-in-terraform-without-hardcoding-them/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=how-to-handle-secrets-in-terraform-without-hardcoding-them</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:38 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/how-to-handle-secrets-in-terraform-without-hardcoding-them/</guid>

					<description><![CDATA[<p>How to Handle Secrets in Terraform Without Hardcoding Them Hardcoding secrets like passwords, API keys, or tokens directly in .tf files is a critical security mistake. This guide covers the right ways to manage secrets in Terraform. What NOT to Do # NEVER do this — secrets committed to version [&#8230;]</p>
<p>The post <a href="https://techieroop.com/how-to-handle-secrets-in-terraform-without-hardcoding-them/">How to Handle Secrets in Terraform Without Hardcoding Them</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>How to Handle Secrets in Terraform Without Hardcoding Them</h2>
<p>Hardcoding secrets like passwords, API keys, or tokens directly in <code>.tf</code> files is a critical security mistake. This guide covers the right ways to manage secrets in Terraform.</p>
<h3>What NOT to Do</h3>
<pre><code># NEVER do this — secrets committed to version control
resource "aws_db_instance" "main" {
  username = "admin"
  password = "SuperSecretPassword123!"  # BAD
}
</code></pre>
<h3>Option 1: Environment Variables with TF_VAR_</h3>
<p>Terraform reads environment variables prefixed with <code>TF_VAR_</code> and maps them to input variables.</p>
<pre><code># In your shell or CI/CD pipeline
export TF_VAR_db_password="SuperSecretPassword123!"

# In variables.tf
variable "db_password" {
  type      = string
  sensitive = true
}

# In main.tf
resource "aws_db_instance" "main" {
  username = "admin"
  password = var.db_password
}
</code></pre>
<h3>Option 2: Mark Variables as sensitive</h3>
<pre><code>variable "api_key" {
  type      = string
  sensitive = true  # Masks value in CLI output and logs
}
</code></pre>
<p>Note: This masks the value in terminal output but does NOT encrypt it in the state file.</p>
<h3>Option 3: HashiCorp Vault (Most Secure)</h3>
<pre><code>provider "vault" {
  address = "https://vault.mycompany.com"
}

data "vault_generic_secret" "db_creds" {
  path = "secret/database/prod"
}

resource "aws_db_instance" "main" {
  username = data.vault_generic_secret.db_creds.data["username"]
  password = data.vault_generic_secret.db_creds.data["password"]
}
</code></pre>
<h3>Option 4: AWS Secrets Manager</h3>
<pre><code>data "aws_secretsmanager_secret_version" "db_pass" {
  secret_id = "prod/app/db_password"
}

resource "aws_db_instance" "main" {
  password = data.aws_secretsmanager_secret_version.db_pass.secret_string
}
</code></pre>
<h3>Option 5: .tfvars Files (Keep Out of Git)</h3>
<pre><code># terraform.tfvars — ADD THIS TO .gitignore
db_password = "SuperSecretPassword123!"
</code></pre>
<pre><code># .gitignore
*.tfvars
*.tfvars.json
</code></pre>
<h3>Key Takeaway</h3>
<p>Never store secrets in <code>.tf</code> files or commit them to version control. Use <code>TF_VAR_</code> environment variables for simple cases, and HashiCorp Vault or cloud-native secret managers (AWS Secrets Manager, Azure Key Vault) for production workloads.</p><p>The post <a href="https://techieroop.com/how-to-handle-secrets-in-terraform-without-hardcoding-them/">How to Handle Secrets in Terraform Without Hardcoding Them</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1470</post-id>	</item>
		<item>
		<title>Terraform Workspaces vs Separate Directories: Which is Better for Dev/Prod?</title>
		<link>https://techieroop.com/terraform-workspaces-vs-separate-directories-which-is-better-for-dev-prod/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=terraform-workspaces-vs-separate-directories-which-is-better-for-dev-prod</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:38 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/terraform-workspaces-vs-separate-directories-which-is-better-for-dev-prod/</guid>

					<description><![CDATA[<p>Terraform Workspaces vs Separate Directories: Which is Better for Dev/Prod? Managing multiple environments like Dev, Staging, and Production is one of the most common Terraform challenges. You have two main approaches: Workspaces and Separate Directories. Here is how they differ and when to use each. Terraform Workspaces Workspaces allow multiple [&#8230;]</p>
<p>The post <a href="https://techieroop.com/terraform-workspaces-vs-separate-directories-which-is-better-for-dev-prod/">Terraform Workspaces vs Separate Directories: Which is Better for Dev/Prod?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>Terraform Workspaces vs Separate Directories: Which is Better for Dev/Prod?</h2>
<p>Managing multiple environments like Dev, Staging, and Production is one of the most common Terraform challenges. You have two main approaches: <strong>Workspaces</strong> and <strong>Separate Directories</strong>. Here is how they differ and when to use each.</p>
<h3>Terraform Workspaces</h3>
<p>Workspaces allow multiple state files within the same backend configuration.</p>
<pre><code># Create and switch to a dev workspace
terraform workspace new dev
terraform workspace select dev

# Create a prod workspace
terraform workspace new prod
terraform workspace select prod

# Reference workspace in config
resource "aws_instance" "web" {
  instance_type = terraform.workspace == "prod" ? "t3.large" : "t2.micro"
  ami           = "ami-0c55b159cbfafe1f0"
}
</code></pre>
<p>All workspaces share the same backend and the same <code>.tf</code> files. The only difference is the state file path.</p>
<h3>Problems with Workspaces for Prod/Dev Isolation</h3>
<ul>
<li>A <code>terraform apply</code> in the wrong workspace can affect the wrong environment.</li>
<li>All environments share the same backend — no true isolation.</li>
<li>Config differences between environments bloat the code with conditionals.</li>
<li>Not recommended by HashiCorp for strong environment isolation.</li>
</ul>
<h3>Separate Directories (Recommended)</h3>
<pre><code>infrastructure/
├── environments/
│   ├── dev/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── backend.tf      # Points to dev S3 bucket
│   ├── staging/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── backend.tf      # Points to staging S3 bucket
│   └── prod/
│       ├── main.tf
│       ├── variables.tf
│       └── backend.tf      # Points to prod S3 bucket
└── modules/
    ├── networking/
    └── compute/
</code></pre>
<p>Each environment has its own backend, state file, and configuration. Shared logic lives in reusable modules.</p>
<h3>Comparison Table</h3>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Workspaces</th>
<th>Separate Directories</th>
</tr>
</thead>
<tbody>
<tr>
<td>State isolation</td>
<td>Partial (same backend)</td>
<td>Full (separate backends)</td>
</tr>
<tr>
<td>Accidental prod changes</td>
<td>Higher risk</td>
<td>Lower risk</td>
</tr>
<tr>
<td>Config differences</td>
<td>Managed via conditionals</td>
<td>Separate var files</td>
</tr>
<tr>
<td>Recommended for Prod</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Good for</td>
<td>Testing, temporary envs</td>
<td>Long-lived environments</td>
</tr>
</tbody>
</table>
<h3>Key Takeaway</h3>
<p>Use <strong>separate directories with separate backends</strong> for long-lived environments like Dev and Prod. Use workspaces only for short-lived or experimental environments where strong isolation is not needed.</p><p>The post <a href="https://techieroop.com/terraform-workspaces-vs-separate-directories-which-is-better-for-dev-prod/">Terraform Workspaces vs Separate Directories: Which is Better for Dev/Prod?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1469</post-id>	</item>
		<item>
		<title>What Happens If You Manually Delete a Resource in the Cloud Console?</title>
		<link>https://techieroop.com/what-happens-if-you-manually-delete-a-resource-in-the-cloud-console/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=what-happens-if-you-manually-delete-a-resource-in-the-cloud-console</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:37 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/what-happens-if-you-manually-delete-a-resource-in-the-cloud-console/</guid>

					<description><![CDATA[<p>What Happens If You Manually Delete a Resource in the Cloud Console? Manually deleting a cloud resource outside of Terraform — such as via the AWS Console, Azure Portal, or GCP Console — creates a situation called configuration drift. Understanding how Terraform handles this is critical for maintaining infrastructure integrity. [&#8230;]</p>
<p>The post <a href="https://techieroop.com/what-happens-if-you-manually-delete-a-resource-in-the-cloud-console/">What Happens If You Manually Delete a Resource in the Cloud Console?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>What Happens If You Manually Delete a Resource in the Cloud Console?</h2>
<p>Manually deleting a cloud resource outside of Terraform — such as via the AWS Console, Azure Portal, or GCP Console — creates a situation called <strong>configuration drift</strong>. Understanding how Terraform handles this is critical for maintaining infrastructure integrity.</p>
<h3>What is Configuration Drift?</h3>
<p>Drift occurs when the real-world state of your infrastructure differs from what Terraform&#8217;s state file records. The state file still believes the resource exists, but the cloud provider no longer has it.</p>
<h3>What Terraform Does on the Next Plan</h3>
<p>When you run <code>terraform plan</code> after a manual deletion, Terraform will:</p>
<ol>
<li>Refresh the state by querying the cloud provider.</li>
<li>Detect that the resource is gone from the provider.</li>
<li>Propose to <strong>recreate</strong> the resource to match your configuration.</li>
</ol>
<pre><code># Example terraform plan output after manual deletion

# aws_instance.web will be created
+ resource "aws_instance" "web" {
    + ami           = "ami-0c55b159cbfafe1f0"
    + instance_type = "t2.micro"
    ...
  }

Plan: 1 to add, 0 to change, 0 to destroy.
</code></pre>
<h3>How to Detect Drift Without Planning</h3>
<pre><code># Refresh state to detect drift without making changes
terraform refresh

# Or use plan with refresh only (Terraform 1.1+)
terraform plan -refresh-only
</code></pre>
<h3>Options After Detecting Drift</h3>
<p><strong>Option 1: Let Terraform recreate it</strong> — just run <code>terraform apply</code> and the resource comes back.</p>
<p><strong>Option 2: Accept the deletion</strong> — remove it from your <code>.tf</code> files and run <code>terraform state rm</code> to remove it from state without recreating it.</p>
<pre><code># Remove from state without destroying (resource is already gone)
terraform state rm aws_instance.web
</code></pre>
<p><strong>Option 3: Import it back</strong> — if you recreated it manually and want Terraform to manage the new one:</p>
<pre><code>terraform import aws_instance.web i-0newinstanceid123
</code></pre>
<h3>Best Practice: Never Modify Terraform-Managed Resources Manually</h3>
<p>The golden rule: if Terraform manages it, all changes must go through Terraform. Manual changes bypass the plan/apply review cycle and can lead to unintended infrastructure states.</p>
<h3>Key Takeaway</h3>
<p>Manually deleting a resource causes drift. Terraform detects it on the next <code>plan</code> and proposes recreation. Use <code>terraform plan -refresh-only</code> regularly in production environments to catch drift before it causes problems.</p><p>The post <a href="https://techieroop.com/what-happens-if-you-manually-delete-a-resource-in-the-cloud-console/">What Happens If You Manually Delete a Resource in the Cloud Console?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1468</post-id>	</item>
		<item>
		<title>When Should You Explicitly Use depends_on in Terraform?</title>
		<link>https://techieroop.com/when-should-you-explicitly-use-depends_on-in-terraform/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=when-should-you-explicitly-use-depends_on-in-terraform</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:36 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/when-should-you-explicitly-use-depends_on-in-terraform/</guid>

					<description><![CDATA[<p>When Should You Explicitly Use depends_on in Terraform? Terraform automatically builds a dependency graph by analyzing resource references in your code. In most cases, you never need to declare dependencies manually. But there are specific scenarios where depends_on is necessary. How Implicit Dependencies Work When one resource references another, Terraform [&#8230;]</p>
<p>The post <a href="https://techieroop.com/when-should-you-explicitly-use-depends_on-in-terraform/">When Should You Explicitly Use depends_on in Terraform?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>When Should You Explicitly Use depends_on in Terraform?</h2>
<p>Terraform automatically builds a dependency graph by analyzing resource references in your code. In most cases, you never need to declare dependencies manually. But there are specific scenarios where <code>depends_on</code> is necessary.</p>
<h3>How Implicit Dependencies Work</h3>
<p>When one resource references another, Terraform infers the dependency automatically:</p>
<pre><code>resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id   # Implicit dependency — Terraform knows VPC must exist first
  cidr_block = "10.0.1.0/24"
}
</code></pre>
<h3>When Implicit Dependencies Are NOT Enough</h3>
<p>Use <code>depends_on</code> when a resource relies on another that it does not directly reference in code. The most common example: an application server that needs a database to be fully initialized, but shares no configuration values with it.</p>
<pre><code>resource "aws_db_instance" "postgres" {
  identifier        = "my-app-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "admin"
  password          = var.db_password
}

resource "aws_instance" "app_server" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  # No direct reference to the DB, but the app needs it running first
  depends_on = [aws_db_instance.postgres]
}
</code></pre>
<h3>depends_on with Modules</h3>
<p><code>depends_on</code> can also be applied to entire modules:</p>
<pre><code>module "database" {
  source = "./modules/database"
}

module "application" {
  source     = "./modules/application"
  depends_on = [module.database]
}
</code></pre>
<h3>depends_on with IAM Policies</h3>
<p>A classic use case — an EC2 instance needing an IAM policy to be attached before it starts:</p>
<pre><code>resource "aws_iam_role_policy_attachment" "s3_access" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

resource "aws_instance" "worker" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.ec2_profile.name

  depends_on = [aws_iam_role_policy_attachment.s3_access]
}
</code></pre>
<h3>Key Takeaway</h3>
<p>Use <code>depends_on</code> only when a hidden dependency exists that Terraform cannot detect through resource attribute references. Overusing it adds unnecessary coupling — rely on implicit dependencies wherever possible.</p><p>The post <a href="https://techieroop.com/when-should-you-explicitly-use-depends_on-in-terraform/">When Should You Explicitly Use depends_on in Terraform?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1467</post-id>	</item>
		<item>
		<title>How to Recover from a Corrupted Terraform State File</title>
		<link>https://techieroop.com/how-to-recover-from-a-corrupted-terraform-state-file/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=how-to-recover-from-a-corrupted-terraform-state-file</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:35 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/how-to-recover-from-a-corrupted-terraform-state-file/</guid>

					<description><![CDATA[<p>How to Recover from a Corrupted Terraform State File The Terraform state file (terraform.tfstate) is the single source of truth for your managed infrastructure. A corrupted or lost state file is one of the most critical incidents you can face. Here is how to handle it. Prevention First: Enable Remote [&#8230;]</p>
<p>The post <a href="https://techieroop.com/how-to-recover-from-a-corrupted-terraform-state-file/">How to Recover from a Corrupted Terraform State File</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>How to Recover from a Corrupted Terraform State File</h2>
<p>The Terraform state file (<code>terraform.tfstate</code>) is the single source of truth for your managed infrastructure. A corrupted or lost state file is one of the most critical incidents you can face. Here is how to handle it.</p>
<h3>Prevention First: Enable Remote Backend with Versioning</h3>
<p>The best recovery strategy is prevention. Always use a remote backend (like AWS S3) with versioning enabled.</p>
<pre><code>terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-state-lock"

    # Enable versioning on the S3 bucket in AWS console or via config
  }
}
</code></pre>
<p>With versioning enabled, you can roll back to a previous healthy state in seconds.</p>
<h3>Recovery Option 1: Restore from Version History</h3>
<p>If you are using S3 with versioning:</p>
<ol>
<li>Go to the S3 console and navigate to your state file.</li>
<li>Click <strong>Show versions</strong>.</li>
<li>Download a previous healthy version of the <code>.tfstate</code> file.</li>
<li>Upload it back to replace the corrupted one.</li>
<li>Run <code>terraform plan</code> to verify drift.</li>
</ol>
<h3>Recovery Option 2: Use terraform import</h3>
<p>If the state is completely lost with no backup, manually re-import each resource:</p>
<pre><code># Re-import an existing AWS EC2 instance into state
terraform import aws_instance.web i-0abc12345def67890

# Re-import an S3 bucket
terraform import aws_s3_bucket.data my-existing-bucket-name

# Re-import an RDS instance
terraform import aws_db_instance.postgres my-db-identifier
</code></pre>
<p>You will need to do this for every resource in your configuration, which is tedious but recoverable.</p>
<h3>Recovery Option 3: terraform state pull / push</h3>
<pre><code># Pull the current remote state locally
terraform state pull > backup.tfstate

# Push a fixed state back to remote
terraform state push fixed.tfstate
</code></pre>
<h3>Inspect and Fix State Manually</h3>
<pre><code># List all resources in state
terraform state list

# Show details of a specific resource
terraform state show aws_instance.web

# Remove a resource from state (without destroying it)
terraform state rm aws_instance.web
</code></pre>
<h3>Key Takeaway</h3>
<p>Always use a remote backend with versioning and state locking (DynamoDB for S3). If disaster strikes, restore from version history first. If no backup exists, use <code>terraform import</code> to rebuild the state resource by resource.</p><p>The post <a href="https://techieroop.com/how-to-recover-from-a-corrupted-terraform-state-file/">How to Recover from a Corrupted Terraform State File</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1466</post-id>	</item>
		<item>
		<title>Terraform count vs for_each: Which is Better for Dynamic Resources?</title>
		<link>https://techieroop.com/terraform-count-vs-for_each-which-is-better-for-dynamic-resources/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=terraform-count-vs-for_each-which-is-better-for-dynamic-resources</link>
		
		<dc:creator><![CDATA[Roopendra]]></dc:creator>
		<pubDate>Wed, 27 May 2026 04:57:33 +0000</pubDate>
				<category><![CDATA[Terraform]]></category>
		<guid isPermaLink="false">https://techieroop.com/terraform-count-vs-for_each-which-is-better-for-dynamic-resources/</guid>

					<description><![CDATA[<p>Terraform count vs for_each: Which is Better for Dynamic Resources? When creating multiple instances of a resource in Terraform, you have two options: count and for_each. Knowing when to use each one is a key concept for writing reliable, maintainable infrastructure code. Using count count creates resources using a numeric [&#8230;]</p>
<p>The post <a href="https://techieroop.com/terraform-count-vs-for_each-which-is-better-for-dynamic-resources/">Terraform count vs for_each: Which is Better for Dynamic Resources?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></description>
										<content:encoded><![CDATA[<h2>Terraform count vs for_each: Which is Better for Dynamic Resources?</h2>
<p>When creating multiple instances of a resource in Terraform, you have two options: <code>count</code> and <code>for_each</code>. Knowing when to use each one is a key concept for writing reliable, maintainable infrastructure code.</p>
<h3>Using count</h3>
<p><code>count</code> creates resources using a numeric index starting at 0. It is simple and works well for identical resources.</p>
<pre><code>resource "aws_instance" "server" {
  count         = 3
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  tags = {
    Name = "server-${count.index}"
  }
}
</code></pre>
<p>Resources are referenced as <code>aws_instance.server[0]</code>, <code>aws_instance.server[1]</code>, etc.</p>
<h3>The Problem with count</h3>
<p>If you remove an item from the middle of the list — say you delete index 1 — Terraform will shift all subsequent indices and <strong>recreate every resource after the deleted one</strong>. This is dangerous in production environments.</p>
<pre><code># Before: ["server-a", "server-b", "server-c"]
# After removing "server-b": ["server-a", "server-c"]
# Terraform will DESTROY server-c and RECREATE it as the new index 1!
</code></pre>
<h3>Using for_each (Recommended)</h3>
<p><code>for_each</code> uses a map or set of strings as unique keys, so each resource is tied to a stable identifier — not a fragile numeric index.</p>
<pre><code>variable "servers" {
  default = {
    "server-a" = "t2.micro"
    "server-b" = "t2.small"
    "server-c" = "t2.micro"
  }
}

resource "aws_instance" "server" {
  for_each      = var.servers
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = each.value

  tags = {
    Name = each.key
  }
}
</code></pre>
<p>Resources are referenced as <code>aws_instance.server["server-a"]</code>. Removing &#8220;server-b&#8221; only destroys that specific resource, leaving others untouched.</p>
<h3>for_each with a Set of Strings</h3>
<pre><code>resource "aws_iam_user" "devs" {
  for_each = toset(["alice", "bob", "charlie"])
  name     = each.key
}
</code></pre>
<h3>Quick Comparison</h3>
<table>
<thead>
<tr>
<th>Feature</th>
<th>count</th>
<th>for_each</th>
</tr>
</thead>
<tbody>
<tr>
<td>Index type</td>
<td>Numeric (0, 1, 2&#8230;)</td>
<td>String key (map/set)</td>
</tr>
<tr>
<td>Safe to delete middle item</td>
<td>No — causes recreation</td>
<td>Yes — only affects that item</td>
</tr>
<tr>
<td>Best for</td>
<td>Identical, fixed-count resources</td>
<td>Dynamic, uniquely-keyed resources</td>
</tr>
<tr>
<td>Reference syntax</td>
<td>resource[0]</td>
<td>resource[&#8220;key&#8221;]</td>
</tr>
</tbody>
</table>
<h3>Key Takeaway</h3>
<p>Prefer <code>for_each</code> over <code>count</code> for any resource list that may change over time. It provides stable, key-based identity and prevents unintended resource replacement when items are added or removed.</p><p>The post <a href="https://techieroop.com/terraform-count-vs-for_each-which-is-better-for-dynamic-resources/">Terraform count vs for_each: Which is Better for Dynamic Resources?</a> first appeared on <a href="https://techieroop.com">TechieRoop</a>.</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1465</post-id>	</item>
	</channel>
</rss>

<!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/?utm_source=w3tc&utm_medium=footer_comment&utm_campaign=free_plugin

Page Caching using Disk: Enhanced (Page is feed) 
Lazy Loading (feed)
Minified using Disk
Database Caching 1/111 queries in 0.051 seconds using Disk

Served from: techieroop.com @ 2026-06-28 19:52:26 by W3 Total Cache
-->