I use Terraform to manage infrastructure resources, such as VM sizes, regions, and domain bindings, whereas I prefer to use CI/CD (in my case CircleCI) to manage deployment of application code, including bumping Docker image tags and setting app-specific environment variables. I do not believe Terraform is the best tool to manage app configuration.
However, certain cloud resource definitions seem to have those application deployment things baked in:

- `azurerm_linux_web_app`: `app_settings` is all the environment variables for the app. This is where you'd put secrets: I admit a couple of these feel a bit more "Terraform-y", such as the hostname of your database that's also managed by Terraform (but probably not the username and password unless you're connecting as admin!); but also (mostly) 3rd-party API keys, Flask `SESSION_SECRET`, and other really-biz-logic-specific configuration. Terraform has no need to deal with these.
- `azurerm_container_app`: `template.container.image` is the Docker image tag of my current application version.
I am stuck. On one hand, if I include an empty `app_settings` in my Terraform module, any subsequent time I `terraform apply` it would clear my app's environment variables (which I would like to have been set some other way, e.g. a CI/CD tool). On the other hand, if I populate `app_settings` or `template.container.image` inside my Terraform module, then I need to `terraform apply` every time I want to do something as simple as bump my application version. And that's true even if I were to use Terraform variables to avoid hard-coding the secrets.

The latter is worse, in my opinion, but the first is still problematic. How do I manage the separation of concerns? Or is my original premise wrong that Terraform isn't the one best tool to solve everything?
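A configuration sketch of the split described in the post, added here and not part of the original: Terraform seeds the infrastructure-derived setting and a placeholder image, then uses Terraform's `lifecycle` `ignore_changes` meta-argument so later applies leave the attributes owned by the CI/CD pipeline alone. The resource names, resource group, service plan, container app environment, database server and image registry are assumed placeholders.

```hcl
# Added example (not from the original post). Terraform owns the infrastructure
# shape; values written by the CI/CD pipeline are declared once and then ignored
# on later applies. All names below are constructed for illustration.

resource "azurerm_linux_web_app" "api" {
  name                = "example-api"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.plan.id

  site_config {}

  # Infrastructure-derived settings can be seeded here. Runtime secrets
  # (3rd-party API keys, SESSION_SECRET) are injected by CI/CD instead and
  # so never appear in the Terraform source.
  app_settings = {
    DATABASE_HOST = azurerm_postgresql_flexible_server.db.fqdn
  }

  lifecycle {
    # Later `terraform apply` runs do not revert keys the pipeline added or
    # changed; removing this entry re-enables drift correction for the map.
    ignore_changes = [app_settings]
  }
}

resource "azurerm_container_app" "worker" {
  name                         = "example-worker"
  resource_group_name          = azurerm_resource_group.rg.name
  container_app_environment_id = azurerm_container_app_environment.env.id
  revision_mode                = "Single"

  template {
    container {
      name   = "worker"
      image  = "registry.example.com/worker:PLACEHOLDER_TAG" # CI/CD sets the real tag
      cpu    = 0.25
      memory = "0.5Gi"
    }
  }

  lifecycle {
    # The image tag is owned by the deployment pipeline, not by Terraform.
    ignore_changes = [template[0].container[0].image]
  }
}
```

Ignoring the whole `app_settings` map also means a changed `DATABASE_HOST` is no longer propagated by Terraform; `ignore_changes` accepts individual map keys (e.g. `app_settings["SESSION_SECRET"]`) when only the pipeline-owned keys should be exempt. Note that a refresh still reads the live settings into state, so the state backend needs the same access controls as the secrets themselves.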