Brain Phrye


Revisiting how to deploy ephemeral twitter

In my initial post on setting up my tweaks on Vicky Lai’s ephemeral, I made a manky shell script to do the deployment. I mainly did it because I was still a bit dubious about terraform.

However, for the past year I’ve gotten way more comfortable with it and used it in anger loads of times. It works rather well and seems to be improving at a good clip. Think of it as make but for infrastructure. There is a problem though for this task.

The problem is that I normally deploy terraformed resources in a green field. Nothing exists. But in this case, everything existed.

The solution terraform has for this scenario is importing. However, you need to import each resource piece by piece because it won’t write the terraform configs for you. You have to describe your deployment and then import them one resource at a time.

I’ll post later with the full terraform configs, but since I’d avoided the importing part of terraform for a long time I thought I’d write up the process. It’s tedious, but it isn’t hard.

Basically you identify a defined thing in AWS you want to import. Generally it’s pretty easy to figure out the corresponding resource(s) in the terraform AWS provider, but there can be different ways to define certain things like security groups or how policies attach to roles. If you’re struggling, keep that in mind - and the terraform AWS provider docs usually highlight that issue.

Since I had the manky shell script I could usually line up CLI options with the appropriate terraform resource attributes and make a stub. In the simple case of a role, you might have this:

# Stub for the role that already exists in AWS; nothing has been imported yet
resource "aws_iam_role" "twitter-ephemeral" {
  name               = "twitter-ephemeral"
  assume_role_policy = "${file("policy/twitter-ephemeral.json")}"
}

Note at this point you haven’t done an import yet. First you can do a plan to make sure terraform’s happy with the config. If you’ve defined it correctly, terraform plan will want to create aws_iam_role.twitter-ephemeral but obviously you don’t want that.

At this point you need to look at the docs for the resource you’re importing - in this case aws_iam_role - and scroll down to the bottom. The import instructions are always at the bottom. In this case you’d run:

terraform import aws_iam_role.twitter-ephemeral twitter-ephemeral

Now when you run terraform plan it should say that aws_iam_role.twitter-ephemeral exists and doesn’t need to be changed.

If it doesn’t, you need to review what it wants to change. It might be benign - maybe the original json file for the policy had a trailing space and this one does not. But it might mean that the resource isn’t correctly defined in terraform and you’ll need to fix it.

If you’ve defined the wrong thing and you have done an import, you can undo that by using terraform state rm to take it out of the state file.

It’s important to note that until you do terraform apply nothing changes in your AWS deployment. Removing things from the state file only removes them from the terraform state file.
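A way to automate the plan review described above before anything is applied, as an added example that is not from the original post: it reads the JSON form of a saved plan and reports, per resource, whether the import is clean, differs only in JSON formatting, or would create, change or delete something. It assumes Terraform 0.12 or later (`terraform plan -out plan.out`, then `terraform show -json plan.out`); the sample plan is constructed and `aws_lambda_function.example` is a hypothetical resource.

```python
import json

# Constructed sample in the shape of `terraform show -json plan.out`
# (Terraform 0.12+); not output from the author's deployment.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_iam_role.twitter-ephemeral",
         "change": {"actions": ["update"],
                    "before": {"name": "twitter-ephemeral",
                               "assume_role_policy": '{"Version": "2012-10-17"} '},
                    "after": {"name": "twitter-ephemeral",
                              "assume_role_policy": '{"Version":"2012-10-17"}'}}},
        {"address": "aws_lambda_function.example",  # hypothetical, never imported
         "change": {"actions": ["create"], "before": None,
                    "after": {"function_name": "example"}}},
    ]
})


def _same(a, b):
    """Equal values, or strings holding JSON that parses to the same document."""
    if a == b:
        return True
    try:
        return json.loads(a) == json.loads(b)
    except (TypeError, ValueError):
        return False


def review_plan(plan_json):
    """Map each resource address to 'clean', 'formatting-only' or a finding."""
    verdicts = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        actions = change["actions"]
        if actions == ["no-op"]:
            verdicts[rc["address"]] = "clean"
        elif actions == ["update"]:
            before, after = change.get("before") or {}, change.get("after") or {}
            diff = sorted(k for k in set(before) | set(after)
                          if not _same(before.get(k), after.get(k)))
            verdicts[rc["address"]] = "update: " + ", ".join(diff) if diff else "formatting-only"
        else:
            # create: the import is missing; delete/replace would alter live AWS
            verdicts[rc["address"]] = "/".join(actions)
    return verdicts


if __name__ == "__main__":
    for address, verdict in review_plan(SAMPLE_PLAN).items():
        print(f"{address}: {verdict}")
```

Anything other than `clean` or `formatting-only` is a reason to stop and fix the config or the import before running terraform apply.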

One thing to note is that AWS things and terraform resources do not always line up. I haven’t hit one yet, but there can be things that only exist in terraform and are just used as a glue in terraform for some AWS bits.

Anyway, still at it, one resource at a time. I’ll put up a post with a link to a gist when I have it working.