Terraform: Self-Hosted Infrastructure as Code Without Cloud Lock-in Training Course

Infrastructure-as-Code Sovereignty for Government

• Examination of how cloud consoles and Software as a Service (SaaS) Infrastructure as Code (IaC) solutions can create vendor lock-in and audit gaps, particularly relevant for government agencies.
• Overview of Terraform architecture, including its core components, providers, state management, and the plan/apply workflow.
• Comparative analysis with other IaC tools such as Pulumi, Ansible, and CloudFormation, highlighting their respective strengths and weaknesses for government use cases.

Configuration Language and Providers for Government

• Detailed exploration of HashiCorp Configuration Language (HCL) syntax, covering resources, data sources, variables, and outputs.
• Examination of on-premise providers suitable for government environments, such as Proxmox, libvirt, vSphere, and PowerDNS.
• Overview of community providers and the basics of custom provider development to meet specific government requirements.
• Discussion of resource dependencies and their management using graph theory principles.

State Management for Government

• Analysis of security implications associated with local versus remote state management, particularly in the context of government data sovereignty.
• Review of self-hosted backend options such as PostgreSQL, S3 (MinIO), Gitea, and etcd for secure state storage.
• Examination of state locking mechanisms, encryption at rest, and backup strategies to ensure data integrity and compliance with government standards.
• Discussion of state migration processes and drift detection techniques to maintain consistent infrastructure configurations.

Modules and Workspaces for Government

• Detailed explanation of module structure, including inputs, outputs, and versioning practices to enhance reusability and scalability in government projects.
• Overview of private module registries using Git tags to manage and distribute modules securely within government organizations.
• Discussion of workspace isolation strategies for development, staging, and production environments to ensure robust testing and deployment processes.
• Evaluation of Terraform Cloud alternatives, such as self-hosted Atlantis or Spacelift, tailored to meet the specific needs of government agencies.

Provisioning and Lifecycle Management for Government

• Integration of cloud-init and PXE for bare-metal provisioning in government data centers.
• Overview of provisioners, including local-exec, remote-exec, and file operations, to facilitate custom resource management.
• Use of null resources and triggers to implement complex workflows tailored to government requirements.
• Strategies for destroy planning and resource tainting to ensure efficient and secure infrastructure decommissioning.

Security and Compliance for Government

• Techniques for variable validation and marking sensitive data to enhance security in government IaC practices.
• Exploration of policy-as-code alternatives such as Sentinel and Open Policy Agent (OPA) for on-premise environments, ensuring compliance with government regulations.
• Implementation of audit logging and plan file review processes to maintain transparency and accountability in government operations.

CI/CD Integration for Government

• Strategies for automating the plan/apply workflow using continuous integration and delivery (CI/CD) tools such as GitHub Actions or Woodpecker CI, tailored to government workflows.
• Use of Terraform fmt, validate, and lint in pre-commit hooks to ensure code quality and consistency.
• Techniques for cost estimation and the implementation of budget guardrails to manage financial constraints effectively.
• Rollback strategies and state recovery procedures to minimize downtime and maintain service availability in government environments.