Hashicorp Terraform Associate certification takeaways

Intro

The thing we usually forget when completing a certification is to save a mental image of the topics that were exciting to learn or the concepts that we had no clue about right before starting the preparation. This is what practitioners should focus on after every major Cloud cert exam, as it provides an accurate snapshot of your feeling about the certification material. Therefore, when I was asked about my impressions on the Terraform Associate Certification exam, I decided to share my thoughts in my blog around the prep, and my feedback on the course I followed.

After timidly starting my "terraform for dummies" blog series, one cloud at a time (OCI, AWS, GCP, Azure) and even On-Prem, It didn't make sense not to take this exam and I am glad It finally happened.
Hashicorp is an exciting company & their disruptive vision is a game changer in a world where automation is King.

 

The exam summary 

Table of contents

• Exam guide

• Course I followed

• Free resources

• Last tip

• Conclusion
  
  

All you need to know about the exam can be found in the official Page. But bellow is what to expect in a nutshell:

Length: 1 hours.

Questions:  57

Exam format: Multiple choice and multiple select

Recommended experience:  Hands-on experience on deployments on any major Cloud platform.

Pass/actual Score: 70%.

Score per topic: Available and broke down into 9 content area.

Terraform version: 0.12 and higher.

Exam center:  PSI Online (requires GitHub account)

Retake Policy: 7 days between exam failed attempts. Max 4 exam attempts in total in a one year period.

Pass confirmation: Results and badge in less than 1 hour.

Preparation time: Few weekends if you have already deployed with terraform (videos+ labs + practice exams) .

Impressions 

It may feel intimidating at first for a tech that’s still young but just getting familiar with the syntax and trying few deployment samples in AWS can help getting into it. Now of course, I didn’t really start from scratch considering all my deployments shenanigans in 4 major cloud providers, but I was still far from having what it takes to pass. Above all, what really surprised me when starting my prep journey is how little I knew about the extent of their services and features available in the OSS version of terraform. Those were exciting bits that I can’t wait to use, like remote backends, Terraform Cloud along with modules that I hate less now :). More about it in the Last tip section.

By the way, If you’re too broke for ACloudGuru, jump right to 100% FREE section 

Exam guide | Official material

Again the content is available in the official hashcorp certification page including the study guide and exam review. It is broken down into 9 areas. I have put Hashicorp Doc/tutorial link for each sub section respectively.

• 1. Understand infrastructure as code (IaC) concepts
• Explain what IaC is
• Describe advantages of IaC patterns
• Installing and configuring the CLI (Cloud SDK)
• 2. Understand Terraform's purpose (vs other IaC)
• Explain multi-cloud and provider-agnostic benefits
• Explain the benefits of state
• 3. Understand Terraform basics
• Handle Terraform and provider installation and versioning
• Describe plugin based architecture
• Demonstrate using multiple providers
• Describe how Terraform finds and fetches providers
• Explain when to use and not use provisioners and when to use local-exec or remote-exec
• 4. Use the Terraform CLI (outside of core workflow)
• Given a scenario: choose when to use terraform fmt to format code
• Given a scenario: choose when to use terraform taint to taint Terraform resources
• Given a scenario: choose when to use terraform import to import existing infrastructure into your Terraform state
• Given a scenario: choose when to use terraform workspace to create workspaces
• Given a scenario: choose when to use terraform state to view Terraform state
• Given a scenario: choose when to enable verbose logging and what the outcome/value is
• 5. Interact with Terraform modules
• Contrast module source options
• Interact with module inputs and outputs.
• Describe variable scope within modules/child modules
• Discover modules from the public Terraform Module Registry
• Defining module version
• 6. Navigate Terraform workflow
• Describe Terraform workflow ( Write -> Plan –> Create )
• Initialize a Terraform working directory (terraform init)
• Validate a Terraform configuration (terraform validate)
• Generate and review an execution plan for Terraform (terraform plan)
• Execute changes to infrastructure with Terraform (terraform apply)
•  Destroy Terraform managed infrastructure (terraform destroy)

• 7. Implement and maintain state
• Describe default local backend
• Outline state locking
• Handle backend authentication methods
• Describe remote state storage mechanisms and supported standard backends
• Describe effect of Terraform refresh on state
• Describe backend block in configuration and best practices for partial configurations
• Understand secret management in state files

• 8.Read, generate, and modify configuration
• Demonstrate use of variables and outputs
• Describe secure secret injection best practice
• Understand the use of collection and structural types
• Create and differentiate resource and data configuration
• Use resource addressing and resource parameters to connect resources together
• Use Terraform built-in functions to write configuration
• Configure resource using a dynamic block
• Describe built-in dependency management (order of execution based)

• 9. Understand Terraform Cloud and Enterprise capabilities
• Describe the benefits of Sentinel, registry, and workspaces
• Differentiate OSS and TFE workspaces
• Summarize features of Terraform Cloud

What I liked about it

Believe it or not, I completely missed that Hashicorp had lab tutorials for each topic in their study guide. That’s so cool because you get to practice in a timed sandbox just by following their instructions and all for free. It’s too late for me, but I wanted to emphasize on Hashicorp’s efforts here, as labs are very important to prepare for this exam. 

I know these are a lot of things to cover, but just keep in mind that at the end of the day the key workflow is:
✅ Write –> terraform Plan –> terraform Apply –> Terraform Destroy

Courses I followed

As usual first thing people do is shop online for the best training material and possibly free. But in my case I took advantage of already available course in my CloudGuru Subscription.  

I. A Cloud Guru:
HashiCorp Certified Terraform Associate

This required paying a yearly subscription for which I thank my Company for sponsoring this learning path.

• Pros
• This is by far the best learning platform I ever tried, not just for preparing certs but also to follow tailored paths where you can learn by practicing through 100s of labs available
• Moosa Khalid was very effective making the course interesting & easy to follow without unnecessary frills 
• The themed labs in this course are available at the end of each section
• It also has an exam practice which can be very handy
• Modules , variable types (Collections,complex types), and concepts like vault were very well covered 
• Cons
• Although most topics, labs did the job, I found that some points still lacked detailed/necessary coverage 
• Missing examples on attributes for init subcommand  like –backend or out
• Missing different Ways to configure a remote Backend depending on the chosen source
• Missing different ways to call modules
• Pro Tip : skip the second half of the labs and do them all together when finishing with the theory(videos)     
  
  

100% Free resources  

I. Youtube

1. HashiCorp Terraform Associate Certification Course - Pass the Exam! By @AndrewBrown
   
   

Content:
It’s 12 hours long and was dropped few months ago but still valid. Andrew is very popular in the Cloud community as he has a lot of free courses in YouTube beside his learning platform in examPro . I didn’t follow this one but he never ceases to deliver , as I followed a couple of his free courses in the past.

2. Learn Terraform by Building a Dev Environment – Full Course for Beginners By @Derek Morgan
   
   

Content:

This will not meant to answer all the exam questions but will rather help you get the necessary skills to get familiar with terraform deployments in AWS. That is why it is only 1 hour and half long. I didn’t need it but it’s a good start before diving into the exam theory concepts.

II. Exam practice/ Articles 

 There are many but the only one that stood out for my is the following medium blog post by Bhargav Bachina 

• How To Pass HashiCorp Terraform Associate Certification by Bhargav Bachina

• Practice with  250 Practice Questions For Terraform Associate Certification  by Bhargav Bachina 
  
  

III. My notes and labs

This is basically a mix of  Bhargav’s Sample questions with tips I gathered during my learning from ACG/other . This was more than enough to confidently pass teh exam. I still use it today to refresh my memory on terraform options and tricky commands. 

Link: BrokeDBA Bundles Notes on Hashicorp terraform associate exam

Pro-Tip:
Another way to learn about terraform in any cloud platform is to read my Terraform for dummies Blog Series.

Last tip (goodies)

The online courses won’t help clear all the exam questions, so you better train a bit more. The last contribution I wanted to share is few tricks/notes on things I learned that I had no clue about before preparing the exam

• Terraform init options
  $ terraform init -backend=false     -- skip backend
  $ terraform init -get=false         -- skip modules
  $ terraform init -get-plugins=false -- skip plugins
• Module location: terraform/modules/
• Syntax for referencing a registry module: <NAMESPACE>/<NAME>/<PROVIDER>
  module "consul" {
     source = "hashicorp/consul/aws"
     version = "0.1.0"
  }
• Syntax for referencing a private registry module : <HOSTNAME>/<Org-NAME>/<NAME>/<PROVIDER>
  module "vpc" {
     source = "app.terraform.io/My_corp/vpc/aws" –> 
     version = "0.9.3"
  }
• Preview the behavior of the command terraform destroy
  $ terraform plan –destroy
• Save the execution plan
  $ terraform plan -out=filename
• Manually source module into your working directory
  $ terraform init -from-module=MODULE-SOURCE
• target only specific resources when you run a terraform plan/destroy
  -target=resource
•  Update the state prior to checking differences when you run a terraform plan
  $ terraform plan -refresh=true
• Provide remaining arguments when using partial configuration
  - Interactively:
  - File: terraform init -backend-config=PATH
  - Command-line key/pair: terraform -backend-config="KEY=VALUE"
   
  
  

Conclusion

As I said It was long overdue but I am very glad I finally passed terraform associate exam. It is a very exciting realm and I can’t wait learn even more each day. I hope this blog post will help those who are interested in taking a step forward to start their preparation journey as I did few months ago. Best of luck !! 

Automation is here today I tell ya :).

Thank you for reading

Terraform for dummies part 6: Deploy Oracle DB System 21c using terraform

Intro

What’s the point of moving a database to the Cloud if we can’t automatically deploy it. After blogging about web compute provisioning on AWS,OCI, Azure, & GCP using terraform. The least I could do as a (future-ex) DBA is to terraform database provisioning in Oracle Cloud. On top of that, I also wanted to include a bastion service session to connect to the DBCS instance in the private subnet .

Here’s a link to my GitHub repo linked to this lab: brokedba/terraform-provider-oci/database-system

Where do I find a good OCI Database deployment sample?
I explored the official Oracle Cloud GitHub repository, but I couldn’t find a simple stack with no frills. I mean, when you want to deploy a database for the first time, you don’t want to spin 10 other app components that have nothing to do with your DB. I then decided to gather the bare minimum using a function called terraform import that will retro-engineer the code from an existing database and carried on from there.  

Overview & topology

The above illustration shows the different components involved in this OCI Terraform Database stack.

• VCN 

• Database Cloud system 21c with 1 PDB

• Bastion service + Bastion session using port forwarding SSH  targeting the DB instance

• 2x Subnets

• DB Subnet: private / linked to default route table

• App Subnet: public / linked to app route table

• 2x route tables

• Default route table >  routes to NAT Gateway &Service gateway

• App route table      >  routes to internet gateway

• 2x security lists

  • db sec list   ports : ingress 22/1521  from app subnet

  • App sec list ports ": ingress 22/80/443 , egress 1521
    
    

I.Terraform setup

Windows: Download and run the installer from their website (32-bit ,64-bit)

Linux      :  Download, unzip and move the binary to the local bin directory

$ wget https://releases.hashicorp.com/terraform/1.0.3/terraform_1.0.3_linux_amd64.zip
$ unzip terraform_1.0.3_linux_amd64.zip
$ mv terraform /usr/local/bin/
$ terraform --version
  Terraform v1.0.3

II. Clone the repository

• Pick an empty directory on your file system and issue the following command

$ git clone https://github.com/brokedba/terraform-examples.git

• You will find a sub-directory called database-system in the repository where the DBCS stack is located:

• Cd Into  terraform-provider-oci/database-system/ where our configuration resides

  $ cd ~/terraform-examples/terraform-provider-oci/database-system

• Run terraform init that will install OCI provider plugin automatically

  $ terraform init
  $ terraform -v | grep provider  
    + provider registry.terraform.io/hashicorp/oci v3.83.1   

III. terraform config content

• Let's see what's in the database-system directory. Here, only *.tf files matter along with tfvars

  $ tree 
  ├── bastion.tf     ---> OCI Bastion terraform declaration code 
  ├── database.tf    ---> OCI DBCS terraform declaration code 
  ├── datasources.tf ---> data source declaration code (i.e to fetch shape ocids)
  ├── terraform.tfvars  ---> TF_environment_variables needed to authenticate to OCI
  ├── outputs.tf   ---> displays the DBCS/Bastion resources detail after the deploy
  ├── variables.tf ---> Resource variables needed for the deploy 
  └── vcn.tf       ---> Our Networking terraform declaration code 

• Adjust the required authentication parameters in terraform.tfvars according to your tenancy and DB info 

# Adapt the below variables to your own tenancy authentication configuration
$ vi terraform.tfvars  
export TF_VAR_tenancy_ocid="ocid1.tenancy.oc1..aaaaaaaa"        # change me 
export TF_VAR_user_ocid="ocid1.user.oc1..aaaaaaaa"              # change me 
export TF_VAR_compartment_ocid="ocid1.tenancy.oc1..aaaaaaaa"    # change me 
export TF_VAR_fingerprint=$(cat PATH_To_Fing/oci_api_key_fingerprint)# change me 
export TF_VAR_private_key_path=PATH_To_APIKEY/oci_api_key.pem        # change me 
export TF_VAR_ssh_public_key=$(cat PATH_To_PublicSSH/id_rsa.pub)     # change me export TF_VAR_region="ca-toronto-1"                                  # change me 
export TF_VAR_db_admin_password="DBwelcome2022##" 

$ . terraform.tfvars  

Terraform files OVERVIEW:

I will only show excerpts from database.tf /output.tf to have an idea but all *.tf files are accessible on my Repo.

database.tf

• As shown in the below declaration, highlighted in green are variables and the grey ones are data source based

  resource "oci_database_db_system" "MYDBSYS" {
  availability_domain   = data.oci_identity_availability_domains.ad1.availability_domains[0].name
    compartment_id      = var.compartment_ocid
    database_edition    = var.db_edition
    db_home {
      database {
        admin_password = var.db_admin_password
        db_name        = var.db_name
        pdb_name       = var.pdb_name
        character_set  = var.character_set
        ncharacter_set = var.n_character_set
        db_workload    = var.db_workload
        db_backup_config {
          auto_backup_enabled     = var.db_auto_backup_enabled
          auto_backup_window      = var.db_auto_backup_window
          recovery_window_in_days = var.db_recovery_window_in_days
        }
      }
      db_version = var.db_version
    }
    shape                   = var.db_system_shape
    license_model           = var.license_model
    subnet_id               = oci_core_subnet.terraDB.id
    private_ip              = var.db_system_private_ip
    ssh_public_keys         = ["${var.ssh_public_key}"] 
    hostname                = var.hostname
    data_storage_size_in_gb = var.data_storage_size_in_gb
    node_count              = data.oci_database_db_system_shapes.db_system_shapes.db_system_shapes[0]["minimum_node_count"]
    display_name = var.db_system_display_name
  }

All variables can of course be changed to your liking in the variables.tf

output.tf

• Here we just grab any relevant information related to the DBCS and the Bastion service like the ssh command

  #########################
  ##  DBCS INSTANCE OUTPUT
  #########################
  
  output "hostname" {
  description = " id of created instances."
  value       = oci_database_db_system.MYDBSYS.hostname
  }
  
  output "private_ip" {
  description = "Private IPs of created instances."
  value       = oci_database_db_system.MYDBSYS.private_ip
  }
  output "DB_STATE" {
    value = oci_database_db_system.MYDBSYS.state
  }
  output "DB_Version" {   value = oci_database_db_system.MYDBSYS.version
  }
  output "db_system_options" {
    value = oci_database_db_system.MYDBSYS.db_system_options
  }
  
  #########
  # BASTION
  #########
  output "bastion_name" {
  value = oci_bastion_session.mybastion_session.bastion_name
  }
  
  output "bastion_session_name" {
    value = oci_bastion_session.mybastion_session.display_name
  }
  
  output "bastion_session_state" {
    value = oci_bastion_session.mybastion_session.state
  }
  
  output "bastion_session_target_resource_details" {
    value = oci_bastion_session.mybastion_session.target_resource_details
  }
  
  output "bastion_session_ssh_connection" {
    value = oci_bastion_session.mybastion_session.ssh_metadata.command
  }

IV. DBCS Stack deployment

Make sure you copied the adjusted terraform-tfvars file and sourced it. You can then run the plan command (output is truncated for more readability) 

$ terraform plan
  ------------------------------------------------------------------------
   Terraform will perform the following actions:

  ... # VCN declaration 
# oci_bastion_bastion.mybastion will be created
+ resource "oci_bastion_bastion" "mybastion" { ...
# oci_bastion_session.mybastion_session will be created
+ resource "oci_bastion_session" "mybastion_session" {
  ...
     + target_resource_details {
       + session_type                               = "PORT_FORWARDING"
       + target_resource_display_name               = (known after apply)
       + target_resource_operating_system_user_name = (known after apply)
       + target_resource_port                       = 22
       + target_resource_private_ip_address         = "192.168.78.10"
     }
  }
# oci_core_subnet.terraApp will be created
+ resource "oci_core_subnet" "terraApp" { ...
# oci_core_subnet.terraDB will be created
+ resource "oci_core_subnet" "terraDB" {
    + availability_domain        = "gwmA:CA-TORONTO-1-AD-1"
    + cidr_block                 = "192.168.78.0/24"
...
# oci_core_virtual_network.vcnterra will be created
 + resource "oci_core_virtual_network" "vcnterra" {
    + cidr_block               = "192.168.64.0/20"
    + display_name             = "db-vcn"
    + dns_label                = "terravcn"
 ...}
..
# oci_database_db_system.MYDBSYS will be created
+ resource "oci_database_db_system" "MYDBSYS" {
   + availability_domain                     = "gwmA:CA-TORONTO-1-AD-1" 
   + database_edition                        = "STANDARD_EDITION"
   + data_storage_size_in_gb                 = 256
   + display_name                            = "DBCSDEMO"
   + hostname                                = "hopsdb-oci"
   + license_model                           = "LICENSE_INCLUDED"
   + private_ip                              = "192.168.78.10"
   + shape                                   = "VM.Standard2.4"
   + ssh_public_keys                         =[... 
   + db_home { 
       + db_version                   = "21.0.0.0"
       ...
       + database {
            + db_workload                    = "OLTP"
            + db_name                        = "MYCDB"
            + pdb_name                       = "PDB1"
            ...
            + db_backup_config { … 
            + backup_destination_details {
            }
         }
       }
   }  
   + db_system_options {
     + storage_management = (known after apply) }
 
Plan: 15 to add, 0 to change, 0 to destroy.
Changes to Outputs:
  + DB_STATE                                = (known after apply)
  + DB_Version                              = (known after apply)
  + Subnet_CIDR_DB                          = "192.168.78.0/24"
  + Subnet_Name_DB                          = "db-sub"
  + bastion_name                            = (known after apply)
  + bastion_session_name                    = "Session-Mybastion"
  + bastion_session_ssh_connection          = (known after apply)
  + bastion_session_state                   = (known after apply)
  + bastion_session_target_resource_details = [
  + db_system_options                       = (known after apply)
  + hostname                                = "hopsdb-oci"
  + private_ip                              = "192.168.78.10"
  + vcn_id                                  = (known after apply)
  + vcn_name                                = "db-vcn"

Now let’s provision our DBCS instance (output has been truncated for more visibility)

$ terraform apply -auto-approve
...
oci_core_virtual_network.vcnterra: Creation complete after 1s 

oci_core_security_list.terraApp_sl: Creation complete after 1s 

oci_core_internet_gateway.igtw: Creation complete after 1s 

oci_core_security_list.terra_sl: Creation complete after 1s 
oci_core_route_table.apprt: Creation complete after 1s 
oci_core_service_gateway.obj-svcgw: Creation complete 
oci_core_nat_gateway.natgw: Creation complete after 3s 


oci_core_default_route_table.rt: Creation complete after 0s 

oci_core_subnet.terraApp: Creation complete after 5s 

oci_core_subnet.terraDB: Creation complete after 5s 

oci_database_db_system.MYDBSYS: Creating...

oci_core_drg.drgw: Creation complete after 9s 

oci_core_drg_attachment.drgw_attachment: Creation complete after 15s 

oci_database_db_system.MYDBSYS: Creation complete after 50m58s 

Apply complete! Resources: 15 added, 0 changed, 0 destroyed

CONNECTION TO YOUR DBCA INSTANCE 

As mentioned earlier I included  a bastion service session to remote log into the target database instance in the private subnet from my workstation through port forwarding tunnel. You want to know the full ssh command ?? look no further! it is already displayed in my terraform output after the apply >> bastion_session_ssh_connection

SSH connection Usage

• Final ssh command will  looks like this, notice I added & to run it in the background, so I won’t have to open another session to login to the private DB instance. 

# ssh -i ~/.ssh/id_rsa_oci -N -L 22:192.168.78.10:22 -p 22 ocid1.bastionsession.oc1.ca-toronto-1.amaaaaaavr**a@host.bastion.ca-toronto-1.oci.oraclecloud.com &

• Run the final ssh command to access the target resource using a sort of loopback where localhost is forwarded into the target instance IP through the opened proxy tunnel. 

# ssh -i  ~/.ssh/id_rsa_dbcs opc@localhost
[opc@hopsdb-oci ~]$  sudo dbcli describe-component       --- target instance
System Version
---------------
22.1.1.1.0
Component                                Installed Version    Available Version
---------------------------------------- -------------------- --------------------
GI                                        21.1.0.0.0            21.5.0.0
DB                                        21.1.0.0.0            21.5.0.0


[opc@hopsdb-oci]$ sudo dbcli list-databases
ID       DB Name  DB Type   DB Version  CDB   Class  Storage  Status    DbHomeID
------- ---------- -------- ----------- ----- ----- -------- ---------- -----------
a3**     MYCDB      Si       21.1.0.0.0 true  Oltp    ASM    Configured  9a841-****

What you should know

Terraform registry Doc for oci provider is not up to date i.e node_count in db_system resource is really required

The list of valid releases will change and can break your deployment. (i.e 19.11.0.0 was recently dropped from the list) you may want to use base release first.

CONCLUSION

• We have demonstrated in this tutorial how to quickly deploy a Database instance using terraform in OCI and leverage along with all necessary network resources

• Remember that all used attributes in this exercise can be modified in the variables.tf file.

• Adding a bastion service on top of the stack including the required ssh command to access the dbcs instance is a great value (port 1512 can also be forwarded to connect from sqldevelopper)

• From this stack you can safely add new components via sub-modules or new resources in the .tf files

• With this simple example you have no excuse not to try a terraform deployment for your databases in OCI

• You can also import the stack into your resource manager service or even pipeline them in Gitlab/GitHub or OCI Devops