- New agent: Tofuist (gecko avatar, orange-gold #e3a336)
- System prompt: HCL code, modules, lifecycle, state encryption
- docs field: automatically loads /docs/tofu-cheatsheet.md as a reference
- kpnRun: now supports the agent's docs field (fetched once, cached)
- OpenTofu documentation fetched from GitHub + condensed cheatsheet
- Avatar, gallery head, color maps and pipeline support added

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
103 lines
2.4 KiB
Markdown
# OpenTofu Quick Reference

## Core Architecture
- Graph-based execution: resources form a DAG, parallel where possible
- Provider plugins communicate via gRPC (plugin protocol v5/v6)
- State tracks resource → real-world mapping (JSON format)
- Plan → Apply workflow: always preview before changing

## HCL Essentials
```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

provider "aws" { region = "eu-north-1" }

resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"
  tags          = { Name = "web-server" }
}

variable "env" {
  type    = string
  default = "dev"
}

output "ip" { value = aws_instance.web.public_ip }

data "aws_ami" "latest" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}
```

## Resource Lifecycle
- create_before_destroy: new resource before destroying old
- prevent_destroy: block accidental deletion
- ignore_changes: skip drift on specified attributes
- replace_triggered_by: force replacement when dependency changes

## Destroy Order
- Destroy runs in reverse dependency order
- ForceDestroy needed for resources with dependencies
- Deposed instances cleaned up automatically

## State Encryption (OpenTofu-specific)
```hcl
terraform {
  encryption {
    key_provider "pbkdf2" "main" {
      passphrase = var.state_passphrase
    }
    method "aes_gcm" "main" {
      keys = key_provider.pbkdf2.main
    }
    state {
      method   = method.aes_gcm.main
      enforced = true
    }
  }
}
```
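
The block above assumes the state is already encrypted. As an added example (not part of the original cheatsheet or the OpenTofu project's own code), this variant migrates an existing plaintext state and also encrypts saved plan files such as the `plan.bin` used in the CI/CD flow. Assumptions: OpenTofu 1.8 or later (variables inside `encryption`), the passphrase is supplied through the `TF_VAR_state_passphrase` environment variable, and the label `migrate` is a name chosen here.

```hcl
# Added example: bring an existing plaintext state under encryption and
# encrypt saved plans. The "main" labels come from the cheatsheet; the
# "migrate" label is chosen for this example.

variable "state_passphrase" {
  type        = string
  description = "Passphrase for state/plan encryption (pbkdf2 needs at least 16 characters)"
  # No default: supply it at run time (assumed here: TF_VAR_state_passphrase)
  # so it never lands in terraform.tfvars or version control.
}

terraform {
  encryption {
    key_provider "pbkdf2" "main" {
      passphrase = var.state_passphrase
    }

    method "aes_gcm" "main" {
      keys = key_provider.pbkdf2.main
    }

    # Lets OpenTofu read a state that is still stored in plaintext.
    method "unencrypted" "migrate" {}

    state {
      method = method.aes_gcm.main
      fallback {
        method = method.unencrypted.migrate
      }
      # Once an apply has rewritten the state in encrypted form, delete the
      # fallback block and the "unencrypted" method, then set:
      #   enforced = true
    }

    plan {
      # Saved plans (tofu plan -out=plan.bin) carry state and variable
      # values, so they get the same method as the state.
      method = method.aes_gcm.main
    }
  }
}
```

Keep the passphrase in a secrets manager with a tested recovery path: a state encrypted with a lost passphrase cannot be read back.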

## Module Structure
```
modules/
  vpc/
    main.tf
    variables.tf
    outputs.tf
  app/
    main.tf
    variables.tf
    outputs.tf
main.tf          # root module
variables.tf
outputs.tf
terraform.tfvars
```

## Key Commands
- tofu init: initialize providers and modules
- tofu plan: preview changes
- tofu apply: execute changes
- tofu destroy: remove all resources
- tofu state list/show/mv/rm: state management
- tofu import: bring existing resource under management

## Best Practices
- Always use required_providers with version constraints
- Use variables for environment-specific values
- State encryption for sensitive data (OpenTofu feature)
- Modules for reusable infrastructure patterns
- Remote state backend for team collaboration
- Plan file for CI/CD: tofu plan -out=plan.bin && tofu apply plan.bin