terraform에서 state 명령어는 Terraform의 상태를 관리하거나 세부내용을 확인할 수 있습니다.
이 글에서는 각 서브 커맨드에 대한 주요 특징과 사용 방법을 설명합니다.
tf state command
tf state
Usage: terraform [global options] state <subcommand> [options] [args]
This command has subcommands for advanced state management.
These subcommands can be used to slice and dice the Terraform state.
This is sometimes necessary in advanced cases. For your safety, all
state management commands that modify the state create a timestamped
backup of the state prior to making modifications.
The structure and output of the commands is specifically tailored to work
well with the common Unix utilities such as grep, awk, etc. We recommend
using those tools to perform more advanced state tasks.
Subcommands:
list List resources in the state
mv Move an item in the state
pull Pull current state and output to stdout
push Update remote state from a local state file
replace-provider Replace provider in the state
rm Remove instances from the state
show Show a resource in the state
자주 사용되는 명령어: list, mv, rm
replace-provider: 프로바이더의 변경사항이 생기는 경우 사용
terraform state list
현재 워크스페이스에서 관리중인 리소스의 상태를 확인할 수 있다.
tf state list
>>>
aws_iam_group.developer
aws_iam_group.employee
aws_iam_user.for_user["jeff"]
aws_iam_user.for_user["jmhan"]
aws_iam_user.for_user["lucia"]
aws_iam_user.for_user["rachel"]
aws_iam_user_group_membership.iam_membership["jeff"]
aws_iam_user_group_membership.iam_membership["jmhan"]
aws_iam_user_group_membership.iam_membership["lucia"]
aws_iam_user_group_membership.iam_membership["rachel"]
aws_iam_user_policy_attachment.developer["jeff"]
aws_iam_user_policy_attachment.developer["lucia"]
terraform state show [resource in the state]
terraform state list에서 확인한 리소스 상세 정보를 출력합니다.
tf state show aws_iam_group.developer
>>>
# aws_iam_group.developer:
resource "aws_iam_group" "developer" {
arn = "arn:aws:iam::6713:group/developer"
id = "developer"
name = "developer"
path = "/"
unique_id = "AGPAZYURONAVZ62QSCCEX"
}
terraform mv
상태 파일 내에서 리소스를 이동하거나, 다른 상태 파일로 리소스를 이동합니다. 테라폼 코드를 리펙토링하는 과정에서 사용됩니다.
아래 코드를 하나로 합쳐본다.
[AS-IS]
# group 만들기
resource "aws_iam_group" "developer" {
name = "developer"
}
resource "aws_iam_group" "employee" {
name = "employee"
}
output "groups" {
value = [
aws_iam_group.developer,
aws_iam_group.employee
]
}
## 조건문으로 is_developer을 체크하여 group의 이름을 return한다.
resource "aws_iam_user_group_membership" "iam_membership" {
for_each = {
for user in var.users :
user.name => user
}
user = each.key
groups = each.value.is_developer ? [aws_iam_group.developer.name, aws_iam_group.employee.name] : [aws_iam_group.employee.name]
}
[TO-BE]
# group 만들기
resource "aws_iam_group" "this" {
for_each = toset(["developer", "employee"])
name = each.key
}
output "groups" {
value = [
aws_iam_group.this
# aws_iam_group.developer,
# aws_iam_group.employee
]
}
## 조건문으로 is_developer을 체크하여 group의 이름을 return한다.
resource "aws_iam_user_group_membership" "iam_membership" {
for_each = {
for user in var.users :
user.name => user
}
user = each.key
groups = each.value.is_developer ? [aws_iam_group.this["developer"].name, aws_iam_group.this["employee"].name] : [aws_iam_group.employee.name]
}
결과 1, terraform mv 사용하지 않음, tf apply
동일한 AWS 리소스를 생성하는 코드이지만 Terraform에서는 리소스명 자체가 변경됐기 때문에 AWS 리소스는 삭제하고 재생성하게 됩니다.
# 중략
# aws_iam_group.developer will be destroyed
# (because aws_iam_group.developer is not in configuration)
- resource "aws_iam_group" "developer" {
- arn = "arn:aws:iam::6713:group/developer" -> null
- id = "developer" -> null
- name = "developer" -> null
- path = "/" -> null
- unique_id = "AGPAZYURONAVZ62QSCCEX" -> null
}
# aws_iam_group.employee will be destroyed
# (because aws_iam_group.employee is not in configuration)
- resource "aws_iam_group" "employee" {
- arn = "arn:aws:iam::6713:group/employee" -> null
- id = "employee" -> null
- name = "employee" -> null
- path = "/" -> null
- unique_id = "AGPAZYURONAV5D3OTAZGG" -> null
}
# aws_iam_group.this["developer"] will be created
+ resource "aws_iam_group" "this" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "developer"
+ path = "/"
+ unique_id = (known after apply)
}
# aws_iam_group.this["employee"] will be created
+ resource "aws_iam_group" "this" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "employee"
+ path = "/"
+ unique_id = (known after apply)
}
terraform state mv를 이용하여 수정
tf state list
tf state list
aws_iam_group.developer
aws_iam_group.employee
aws_iam_user.for_user["jeff"]
aws_iam_user.for_user["jmhan"]
aws_iam_user.for_user["lucia"]
aws_iam_user.for_user["rachel"]
aws_iam_user_group_membership.iam_membership["jeff"]
aws_iam_user_group_membership.iam_membership["jmhan"]
aws_iam_user_group_membership.iam_membership["lucia"]
aws_iam_user_group_membership.iam_membership["rachel"]
aws_iam_user_policy_attachment.developer["jeff"]
aws_iam_user_policy_attachment.developer["lucia"]
terraform state mv [AS-IS] [TO-BE]
terraform state mv 'aws_iam_group.developer' 'aws_iam_group.this["developer"]'
>>>
Move "aws_iam_group.developer" to "aws_iam_group.this[\\"developer\\"]"
Successfully moved 1 object(s).
terraform state mv 'aws_iam_group.employee' 'aws_iam_group.this["employee"]'
Move "aws_iam_group.employee" to "aws_iam_group.this[\\"employee\\"]"
Successfully moved 1 object(s).
이미 테라폼 상태 저장소에 해당 변경사항이 저장되어 있기때문에 리소스에대한 변경사항은 없고 output에 대한 변경사항만 표현됩니다.
결과 2, terraform mv 사용, tf apply
# 중략
apply
aws_iam_group.this["developer"]: Refreshing state... [id=developer]
aws_iam_group.this["employee"]: Refreshing state... [id=employee]
aws_iam_user.for_user["jmhan"]: Refreshing state... [id=jmhan]
aws_iam_user.for_user["rachel"]: Refreshing state... [id=rachel]
aws_iam_user.for_user["jeff"]: Refreshing state... [id=jeff]
aws_iam_user.for_user["lucia"]: Refreshing state... [id=lucia]
aws_iam_user_policy_attachment.developer["jeff"]: Refreshing state... [id=jeff-20230123080541651500000004]
aws_iam_user_policy_attachment.developer["lucia"]: Refreshing state... [id=lucia-20230123080541645600000002]
aws_iam_user_group_membership.iam_membership["jmhan"]: Refreshing state... [id=terraform-20230123080541608900000001]
aws_iam_user_group_membership.iam_membership["jeff"]: Refreshing state... [id=terraform-20230123080541866700000005]
aws_iam_user_group_membership.iam_membership["rachel"]: Refreshing state... [id=terraform-20230123080541647100000003]
aws_iam_user_group_membership.iam_membership["lucia"]: Refreshing state... [id=terraform-20230123080541870000000006]
Changes to Outputs:
~ groups = [
~ {
- arn = "arn:aws:iam::6713:group/developer" -> null
+ developer = {
+ arn = "arn:aws:iam::6713:group/developer"
+ id = "developer"
+ name = "developer"
+ path = "/"
+ unique_id = "AGPAZYURONAVZ62QSCCEX"
}
+ employee = {
+ arn = "arn:aws:iam::6713:group/employee"
+ id = "employee"
+ name = "employee"
+ path = "/"
+ unique_id = "AGPAZYURONAV5D3OTAZGG"
}
- id = "developer" -> null
- name = "developer" -> null
- path = "/" -> null
- unique_id = "AGPAZYURONAVZ62QSCCEX" -> null
},
- {
- arn = "arn:aws:iam::6713:group/employee"
- id = "employee"
- name = "employee"
- path = "/"
- unique_id = "AGPAZYURONAV5D3OTAZGG"
},
]
terraform state rm
상태저장소에서 해당 리소스 상태를 제거합니다. → 더 이상 테라폼으로 관리를 원하지 않는 경우
- e.g. 다른 툴을 사용하여 해당 AWS 리소스 관리를하고 싶을때 이중 관리로 인한 문제를 방지하기 위함
테라폼으로 관리중이던 리소스중에 AWS 리소스는 유지하지만 더 이상 테라폼으로 관리하지 않는 경우 삭제합니다.
결과 1, terraform resource를 지우고 tf apply
# resource "aws_iam_user_policy_attachment" "developer" {
# for_each = {
# for user in local.developers :
# user.name => user
# }
# user = each.key
# policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
# depends_on = [
# aws_iam_user.for_user
# ]
# }
tf apply
>>>
Terraform will perform the following actions:
# aws_iam_user_policy_attachment.developer["jeff"] will be destroyed
# (because aws_iam_user_policy_attachment.developer is not in configuration)
- resource "aws_iam_user_policy_attachment" "developer" {
- id = "jeff-20230123080541651500000004" -> null
- policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" -> null
- user = "jeff" -> null
}
# aws_iam_user_policy_attachment.developer["lucia"] will be destroyed
# (because aws_iam_user_policy_attachment.developer is not in configuration)
- resource "aws_iam_user_policy_attachment" "developer" {
- id = "lucia-20230123080541645600000002" -> null
- policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" -> null
- user = "lucia" -> null
}
지워지면 안되는 aws 리소스가 지워질 수 있기때문에 tf state list 명령어를 이용하여 권한관리와 관련된 리소스를 찾은 뒤 tf state rm 명령어를 이용하여 테라폼에 영향을 받지 않도록 한다.
결과 2, tf state rm 하여 관련된 AWS 리소스가 테라폼에 영향 받지 않도록 한다.
tf state list에서 권한 관련된 리소스 찾기
tf state list
>>>
aws_iam_user_policy_attachment.developer["jeff"]
aws_iam_user_policy_attachment.developer["lucia"]
tf state rm
tf state rm 'aws_iam_user_policy_attachment.developer["jeff"]' 'aws_iam_user_policy_attachment.developer["lucia"]'
>>>
Removed aws_iam_user_policy_attachment.developer["jeff"]
Removed aws_iam_user_policy_attachment.developer["lucia"]
Successfully removed 2 resource instance(s).
terraform에서 권한 관련 코드를 삭제했지만 상태저장소에서도 해당 코드를 지웠기때문에 변경사항이 없음을 확인할 수 있다.
terraform state pull, push
- git pull, push과 동일한 concept
- local에서 remote로 다운/업로드 기능
tf state pull > ./tmp.tfstate
tf state push ./tmp.tfstate
'IaC > Terraform' 카테고리의 다른 글
| [Terraform]다른 워크스페이스의 정보 가져오기 - terraform_remote_state 사용법 (0) | 2023.09.03 |
|---|---|
| [Terraform]리소스 강제 교체하기: taint와 untaint 사용법 (0) | 2023.09.01 |
| [Terraform]상태 저장소 설정하는 방법(Backend) (0) | 2023.08.27 |
| [Terraform]반복문(For)을 사용하여 resource 작성하는 방법 (0) | 2023.08.20 |
| [Terraform]조건문(Conditional)을 사용하여 resource 작성하는 방법 (0) | 2023.08.20 |
