Friday, April 29, 2022

Hashicorp Terraform Associate certification takeaways


The thing we usually forget when completing a certification is to save a mental image of the topics that were exciting to learn or the concepts that we had no clue about right before starting the preparation. This is what practitioners should focus on after every major Cloud cert exam, as it provides an accurate snapshot of your feeling about the certification material. Therefore, when I was asked about my impressions on the Terraform Associate Certification exam, I decided to share my thoughts in my blog around the prep, and my feedback on the course I followed.

After timidly starting my "terraform for dummies" blog series, one cloud at a time (OCI, AWS, GCP, Azure) and even On-Prem, It didn't make sense not to take this exam and I am glad It finally happened.
Hashicorp is an exciting company & their disruptive vision is a game changer in a world where automation is King.


The exam summary 

Table of contents

All you need to know about the exam can be found in the official Page. But bellow is what to expect in a nutshell:

Length: 1 hours.

Questions:  57

Exam format: Multiple choice and multiple select

Recommended experience:  Hands-on experience on deployments on any major Cloud platform.

Pass/actual Score: 70%.

Score per topic: Available and broke down into 9 content area.

Terraform version: 0.12 and higher.

Exam center:  PSI Online (requires GitHub account)

Retake Policy: 7 days between exam failed attempts. Max 4 exam attempts in total in a one year period.

Pass confirmation: Results and badge in less than 1 hour.

Preparation time: Few weekends if you have already deployed with terraform (videos+ labs + practice exams) .


It may feel intimidating at first for a tech that’s still young but just getting familiar with the syntax and trying few deployment samples in AWS can help getting into it. Now of course, I didn’t really start from scratch considering all my deployments shenanigans in 4 major cloud providers, but I was still far from having what it takes to pass. Above all, what really surprised me when starting my prep journey is how little I knew about the extent of their services and features available in the OSS version of terraform. Those were exciting bits that I can’t wait to use, like remote backends, Terraform Cloud along with modules that I hate less now :). More about it in the Last tip section.

By the way, If you’re too broke for ACloudGuru, jump right to 100% FREE section 

Exam guide | Official material

Again the content is available in the official hashcorp certification page including the study guide and exam review. It is broken down into 9 areas. I have put Hashicorp Doc/tutorial link for each sub section respectively.

    What I liked about it

    Believe it or not, I completely missed that Hashicorp had lab tutorials for each topic in their study guide. That’s so cool because you get to practice in a timed sandbox just by following their instructions and all for free. It’s too late for me, but I wanted to emphasize on Hashicorp’s efforts here, as labs are very important to prepare for this exam. 

    I know these are a lot of things to cover, but just keep in mind that at the end of the day the key workflow is:
    Write –> terraform Plan –> terraform Apply> Terraform Destroy

    Courses I followed

    As usual first thing people do is shop online for the best training material and possibly free. But in my case I took advantage of already available course in my CloudGuru Subscription.  

    I. A Cloud Guru:
    HashiCorp Certified Terraform Associate

    This required paying a yearly subscription for which I thank my Company for sponsoring this learning path.This image has an empty alt attribute; its file name is image-11.png

    • Pros
      • This is by far the best learning platform I ever tried, not just for preparing certs but also to follow tailored paths where you can learn by practicing through 100s of labs available
      • Moosa Khalid was very effective making the course interesting & easy to follow without unnecessary frills 
      • The themed labs in this course are available at the end of each section
      • It also has an exam practice which can be very handy
      • Modules , variable types (Collections,complex types), and concepts like vault were very well covered 
    • Cons
      • Although most topics, labs did the job, I found that some points still lacked detailed/necessary coverage 
      • Missing examples on attributes for init subcommand  like –backend or out
      • Missing different Ways to configure a remote Backend depending on the chosen source
      • Missing different ways to call modules
    • Pro Tip : skip the second half of the labs and do them all together when finishing with the theory(videos)     

    100% Free resources  

    I. Youtube

    1. HashiCorp Terraform Associate Certification Course - Pass the Exam! By @AndrewBrown

    It’s 12 hours long and was dropped few months ago but still valid. Andrew is very popular in the Cloud community as he has a lot of free courses in YouTube beside his learning platform in examPro . I didn’t follow this one but he never ceases to deliver , as I followed a couple of his free courses in the past.

    1. Learn Terraform by Building a Dev Environment – Full Course for Beginners By @Derek Morgan


      This will not meant to answer all the exam questions but will rather help you get the necessary skills to get familiar with terraform deployments in AWS. That is why it is only 1 hour and half long. I didn’t need it but it’s a good start before diving into the exam theory concepts.

      II. Exam practice/ Articles 

       There are many but the only one that stood out for my is the following medium blog post by Bhargav Bachina 

      III. My notes and labs

      This is basically a mix of  Bhargav’s Sample questions with tips I gathered during my learning from ACG/other . This was more than enough to confidently pass teh exam. I still use it today to refresh my memory on terraform options and tricky commands. 

      Link: BrokeDBA Bundles Notes on Hashicorp terraform associate exam

      Another way to learn about terraform in any cloud platform is to read my Terraform for dummies Blog Series.

      Last tip (goodies)

      The online courses won’t help clear all the exam questions, so you better train a bit more. The last contribution I wanted to share is few tricks/notes on things I learned that I had no clue about before preparing the exam

      • Terraform init options
        $ terraform init -backend=false     -- skip backend
        $ terraform init -get=false         -- skip modules
        $ terraform init -get-plugins=false -- skip plugins
      • Module location: terraform/modules/
      • Syntax for referencing a registry module: <NAMESPACE>/<NAME>/<PROVIDER>
        module "consul" {
           source = "hashicorp/consul/aws"
           version = "0.1.0"
      • Syntax for referencing a private registry module : <HOSTNAME>/<Org-NAME>/<NAME>/<PROVIDER>
        module "vpc" {
           source = "" –> 
           version = "0.9.3"
      • Preview the behavior of the command terraform destroy
        $ terraform plan –destroy
      • Save the execution plan
        $ terraform plan -out=filename
      • Manually source module into your working directory
        $ terraform init -from-module=MODULE-SOURCE
      • target only specific resources when you run a terraform plan/destroy
      •  Update the state prior to checking differences when you run a terraform plan
        $ terraform plan -refresh=true
      • Provide remaining arguments when using partial configuration
        - Interactively:
        - File: terraform init -backend-config=PATH
        - Command-line key/pair: terraform -backend-config="KEY=VALUE"


      As I said It was long overdue but I am very glad I finally passed terraform associate exam. It is a very exciting realm and I can’t wait learn even more each day. I hope this blog post will help those who are interested in taking a step forward to start their preparation journey as I did few months ago. Best of luck !! 

      Automation is here today I tell ya :).

      Thank you for reading

      Saturday, April 16, 2022

      Terraform for dummies part 6: Deploy Oracle DB System 21c using terraform


      What’s the point of moving a database to the Cloud if we can’t automatically deploy it. After blogging about web compute provisioning on AWS,OCI, Azure, & GCP using terraform. The least I could do as a (future-ex) DBA is to terraform database provisioning in Oracle Cloud. On top of that, I also wanted to include a bastion service session to connect to the DBCS instance in the private subnet .

      This image has an empty alt attribute; its file name is image-7.png

      Here’s a link to my GitHub repo linked to this lab: brokedba/terraform-provider-oci/database-system

      Where do I find a good OCI Database deployment sample?
      I explored the official Oracle Cloud GitHub repository, but I couldn’t find a simple stack with no frills. I mean, when you want to deploy a database for the first time, you don’t want to spin 10 other app components that have nothing to do with your DB. I then decided to gather the bare minimum using a function called terraform import that will retro-engineer the code from an existing database and carried on from there.  

      Overview & topology

      The above illustration shows the different components involved in this OCI Terraform Database stack.

      • VCN 

      • Database Cloud system 21c with 1 PDB

      • Bastion service + Bastion session using port forwarding SSH  targeting the DB instance

      • 2x Subnets

        • DB Subnet: private / linked to default route table

        • App Subnet: public / linked to app route table

      • 2x route tables

        • Default route table >  routes to NAT Gateway &Service gateway

        • App route table      >  routes to internet gateway

      • 2x security lists

        • db sec list   ports : ingress 22/1521  from app subnet

        • App sec list ports ": ingress 22/80/443 , egress 1521

      I.Terraform setup

      II. Clone the repository

      • Run terraform init that will install OCI provider plugin automatically

        $ terraform init
        $ terraform -v | grep provider  
          + provider v3.83.1   

          III. terraform config content

          • Let's see what's in the database-system directory. Here, only *.tf files matter along with tfvars

            $ tree
            ├── ---> OCI Bastion terraform declaration code
            ├── ---> OCI DBCS terraform declaration code
            ├── ---> data source declaration code (i.e to fetch shape ocids)
            ├── terraform.tfvars ---> TF_environment_variables needed to authenticate to OCI
            ├── ---> displays the DBCS/Bastion resources detail after the deploy
            ├── ---> Resource variables needed for the deploy
            └── ---> Our Networking terraform declaration code

          • Adjust the required authentication parameters in terraform.tfvars according to your tenancy and DB info 

          • # Adapt the below variables to your own tenancy authentication configuration
            $ vi terraform.tfvars
            export TF_VAR_tenancy_ocid="ocid1.tenancy.oc1..aaaaaaaa" # change me
            export TF_VAR_user_ocid="ocid1.user.oc1..aaaaaaaa" # change me export TF_VAR_compartment_ocid="ocid1.tenancy.oc1..aaaaaaaa" # change me
            export TF_VAR_fingerprint=$(cat PATH_To_Fing/oci_api_key_fingerprint)# change me export TF_VAR_private_key_path=PATH_To_APIKEY/oci_api_key.pem # change me export TF_VAR_ssh_public_key=$(cat PATH_To_PublicSSH/ # change me export TF_VAR_region="ca-toronto-1" # change me export TF_VAR_db_admin_password="DBwelcome2022##" $ . terraform.tfvars

          Terraform files OVERVIEW:

          I will only show excerpts from / to have an idea but all *.tf files are accessible on my Repo.

          • As shown in the below declaration, highlighted in green are variables and the grey ones are data source based

            resource "oci_database_db_system" "MYDBSYS" {
            availability_domain = data.oci_identity_availability_domains.ad1.availability_domains[0].name
              compartment_id      = var.compartment_ocid
              database_edition = var.db_edition
              db_home {
                database {
                  admin_password = var.db_admin_password
                  db_name        = var.db_name
                  pdb_name       = var.pdb_name
                  character_set  = var.character_set
                  ncharacter_set = var.n_character_set
                  db_workload    = var.db_workload
                  db_backup_config {
                    auto_backup_enabled     = var.db_auto_backup_enabled
                    auto_backup_window      = var.db_auto_backup_window
                    recovery_window_in_days = var.db_recovery_window_in_days
                db_version = var.db_version
              shape                   = var.db_system_shape
              license_model           = var.license_model
              subnet_id               =
              private_ip              = var.db_system_private_ip
              ssh_public_keys         = ["${var.ssh_public_key}"]
              hostname                = var.hostname
              data_storage_size_in_gb = var.data_storage_size_in_gb
              node_count              = data.oci_database_db_system_shapes.db_system_shapes.db_system_shapes[0]["minimum_node_count"]
              display_name = var.db_system_display_name

            All variables can of course be changed to your liking in the


            • Here we just grab any relevant information related to the DBCS and the Bastion service like the ssh command

              ##  DBCS INSTANCE OUTPUT

              output "hostname" {
              description = " id of created instances."
              value       = oci_database_db_system.MYDBSYS.hostname

              output "private_ip" {
              description = "Private IPs of created instances."
              value       = oci_database_db_system.MYDBSYS.private_ip
              } output "DB_STATE" {
                value = oci_database_db_system.MYDBSYS.state
              output "DB_Version" {   value = oci_database_db_system.MYDBSYS.version
              output "db_system_options" {
                value = oci_database_db_system.MYDBSYS.db_system_options

              # BASTION
              output "bastion_name" {
              value = oci_bastion_session.mybastion_session.bastion_name

              output "bastion_session_name" {
                value = oci_bastion_session.mybastion_session.display_name

              output "bastion_session_state" {
                value = oci_bastion_session.mybastion_session.state

              output "bastion_session_target_resource_details" {
                value = oci_bastion_session.mybastion_session.target_resource_details

              output "bastion_session_ssh_connection" {
                value = oci_bastion_session.mybastion_session.ssh_metadata.command

            IV. DBCS Stack deployment

              Make sure you copied the adjusted terraform-tfvars file and sourced it. You can then run the plan command (output is truncated for more readability) 

              $ terraform plan
                 Terraform will perform the following actions:
                ... # VCN declaration 
              # oci_bastion_bastion.mybastion will be created
              + resource "oci_bastion_bastion" "mybastion" { ...
              # oci_bastion_session.mybastion_session will be created
              + resource "oci_bastion_session" "mybastion_session" {
              + target_resource_details {
                     + session_type                               = "PORT_FORWARDING"
                     + target_resource_display_name               = (known after apply)
                     + target_resource_operating_system_user_name = (known after apply)
                     + target_resource_port                       = 22
                     + target_resource_private_ip_address         = ""
              # oci_core_subnet.terraApp will be created
              + resource "oci_core_subnet" "terraApp" { ...
              # oci_core_subnet.terraDB will be created
              + resource "oci_core_subnet" "terraDB" {
              + availability_domain        = "gwmA:CA-TORONTO-1-AD-1"
                  + cidr_block                 = ""
              # oci_core_virtual_network.vcnterra will be created
              + resource "oci_core_virtual_network" "vcnterra" {
              + cidr_block               = ""
              + display_name             = "db-vcn"
                  + dns_label                = "terravcn"
              # oci_database_db_system.MYDBSYS will be created
              + resource "oci_database_db_system" "MYDBSYS" {
              + availability_domain                     = "gwmA:CA-TORONTO-1-AD-1"
              + database_edition                        = "STANDARD_EDITION"
              + data_storage_size_in_gb                 = 256
              + display_name                            = "DBCSDEMO"
              + hostname                                = "hopsdb-oci"
              + license_model                           = "LICENSE_INCLUDED"
              + private_ip                              = ""
              + shape                                   = "VM.Standard2.4"
              + ssh_public_keys =[...
              + db_home {
              + db_version                   = ""
              + database {
              + db_workload                    = "OLTP"
              + db_name                        = "MYCDB"
              + pdb_name                       = "PDB1"
              + db_backup_config { …
              + backup_destination_details {
              + db_system_options {
                   + storage_management = (known after apply) }

              Plan: 15 to add, 0 to change, 0 to destroy.
              Changes to Outputs:
                + DB_STATE                                = (known after apply)
                + DB_Version                              = (known after apply)
                + Subnet_CIDR_DB                          = ""
                + Subnet_Name_DB                          = "db-sub"
                + bastion_name                            = (known after apply)
                + bastion_session_name                    = "Session-Mybastion"
                + bastion_session_ssh_connection          = (known after apply)
                + bastion_session_state                   = (known after apply)
                + bastion_session_target_resource_details = [
              + db_system_options                       = (known after apply)
                + hostname                                = "hopsdb-oci"
                + private_ip                              = ""
                + vcn_id                                  = (known after apply)
                + vcn_name                                = "db-vcn"

              Now let’s provision our DBCS instance (output has been truncated for more visibility)

              $ terraform apply -auto-approve
              oci_core_virtual_network.vcnterra: Creation complete after 1s

              oci_core_security_list.terraApp_sl: Creation complete after 1s

              oci_core_internet_gateway.igtw: Creation complete after 1s
              oci_core_security_list.terra_sl: Creation complete after 1s
              oci_core_route_table.apprt: Creation complete after 1s
              oci_core_service_gateway.obj-svcgw: Creation complete oci_core_nat_gateway.natgw: Creation complete after 3s

              oci_core_default_route_table.rt: Creation complete after 0s
              oci_core_subnet.terraApp: Creation complete after 5s
              oci_core_subnet.terraDB: Creation complete after 5s
              oci_database_db_system.MYDBSYS: Creating...
              oci_core_drg.drgw: Creation complete after 9s
              oci_core_drg_attachment.drgw_attachment: Creation complete after 15s
              oci_database_db_system.MYDBSYS: Creation complete after 50m58s
              Apply complete! Resources: 15 added, 0 changed, 0 destroyed


              As mentioned earlier I included  a bastion service session to remote log into the target database instance in the private subnet from my workstation through port forwarding tunnel. You want to know the full ssh command ?? look no further! it is already displayed in my terraform output after the apply >> bastion_session_ssh_connection

              This image has an empty alt attribute; its file name is image-8.png

              SSH connection Usage

              • Final ssh command will  looks like this, notice I added & to run it in the background, so I won’t have to open another session to login to the private DB instance. 

              # ssh -i ~/.ssh/id_rsa_oci -N -L 22: -p 22** &
              • Run the final ssh command to access the target resource using a sort of loopback where localhost is forwarded into the target instance IP through the opened proxy tunnel. 

              # ssh -i  ~/.ssh/id_rsa_dbcs opc@localhost
              [opc@hopsdb-oci ~]$  sudo dbcli describe-component --- target instance
              System Version
              Component                                Installed Version    Available Version
              ---------------------------------------- -------------------- --------------------

              [opc@hopsdb-oci]$ sudo dbcli list-databases ID DB Name DB Type DB Version CDB Class Storage Status DbHomeID ------- ---------- -------- ----------- ----- ----- -------- ---------- ----------- a3** MYCDB Si true Oltp ASM Configured 9a841-****

              What you should know

              Terraform registry Doc for oci provider is not up to date i.e node_count in db_system resource is really required


              The list of valid releases will change and can break your deployment. (i.e was recently dropped from the list) you may want to use base release first.


              • We have demonstrated in this tutorial how to quickly deploy a Database instance using terraform in OCI and leverage along with all necessary network resources

              • Remember that all used attributes in this exercise can be modified in the file.

              • Adding a bastion service on top of the stack including the required ssh command to access the dbcs instance is a great value (port 1512 can also be forwarded to connect from sqldevelopper)

              • From this stack you can safely add new components via sub-modules or new resources in the .tf files

              • With this simple example you have no excuse not to try a terraform deployment for your databases in OCI

              • You can also import the stack into your resource manager service or even pipeline them in Gitlab/GitHub or OCI Devops