Introduction

Terraform is a tool for building and managing infrastructure in an organized way. You can use it to manage DigitalOcean Droplets, Load Balancers, and even DNS entries, in addition to a large variety of services offered by other providers. Terraform uses a command-line interface and can run from your desktop or a remote server.

Terraform works by reading configuration files that describe the components that make up your application environment or datacenter. Based on the configuration, it generates an execution plan that describes what it will do to reach the desired state. You then use Terraform to execute this plan to build the infrastructure. When changes to the configuration occur, Terraform can generate and execute incremental plans to update the existing infrastructure to the newly described state.

In this tutorial, you’ll install and use Terraform to create an infrastructure on DigitalOcean that consists of two Nginx servers that are load balanced by a DigitalOcean Load Balancer. Then you’ll use Terraform to add a DNS entry on DigitalOcean that points to your load balancer. This will help you get started with using Terraform, and give you an idea of how you can use it to manage and deploy a DigitalOcean-based infrastructure that meets your own needs.

This tutorial uses Terraform 0.13.1.

Prerequisites

To complete this tutorial, you’ll need:

Step 1 — Installing Terraform

Terraform is a command-line tool that you run on your desktop or on a remote server. To install it, you’ll download it and place it on your PATH so you can execute it in any directory you’re working in.

First, download the appropriate package for your OS and architecture from the official Downloads page. For this tutorial, download Terraform to your local machine and save it to the ~/Downloads directory.

If you’re on macOS or Linux, you can download Terraform with curl.

On macOS, use this command to download Terraform and place it in your home directory:

  • curl -o ~/terraform.zip https://releases.hashicorp.com/terraform/0.13.1/terraform_0.13.1_darwin_amd64.zip

On Linux, use this command:

  • curl -o ~/terraform.zip https://releases.hashicorp.com/terraform/0.13.1/terraform_0.13.1_linux_amd64.zip

Then extract Terraform and place it in the ~/opt/terraform directory. First, create the ~/opt/terraform directory:

  • mkdir -p ~/opt/terraform

Then unzip Terraform using the unzip command.

On Ubuntu, install unzip using apt:

  • sudo apt install unzip

Then use unzip to unarchive the terraform.zip package to the ~/opt/terraform/ directory:

  • unzip ~/terraform.zip -d ~/opt/terraform

Finally, add ~/opt/terraform/, to your PATH environment variable so you can execute the terraform command without specifying the full path to the executable.

On Linux, add the path to the file .bashrc:

  • nano ~/.bashrc

Note: On macOS, add the path to the file .bash_profile if using Bash, or to zshrc if using ZSH.

To append Terraform’s path to your PATH, add the following line at the end of the file:

.bashrc
export PATH=$PATH:~/opt/terraform/bin

Save the file and exit the editor.

Now all of your new shell sessions will be able to find the terraform command. To load the new PATH into your current session, type the following command if you’re using Bash on a Linux system:

  • . .bashrc

If you’re using Bash on macOS, execute this command instead:

  • . .bash_profile

If you’re using ZSH, run this command:

  • . .zshrc

To verify that you have installed Terraform correctly, run the terraform command with no arguments:

  • terraform

You will see output that is similar to the following:

Output
Usage: terraform [-version] [-help] <command> [args] The available commands for execution are listed below. The most common, useful commands are shown first, followed by less common or more advanced commands. If you're just getting started with Terraform, stick with the common commands. For the other commands, please read the help and docs before usage. Common commands: apply Builds or changes infrastructure console Interactive console for Terraform interpolations destroy Destroy Terraform-managed infrastructure env Workspace management fmt Rewrites config files to canonical format get Download and install modules for the configuration graph Create a visual graph of Terraform resources import Import existing infrastructure into Terraform init Initialize a Terraform working directory login Obtain and save credentials for a remote host logout Remove locally-stored credentials for a remote host output Read an output from a state file plan Generate and show an execution plan ...

These are the commands that Terraform accepts. The output gives you a brief description, but you will get into how to use them throughout this tutorial.

Now that Terraform is installed, let’s configure it to work with DigitalOcean’s resources.

Step 2 — Configuring Terraform for DigitalOcean

Terraform supports a variety of service providers through providers you can install. Each provider has its own specifications, which generally map to the API of its respective service provider.
The DigitalOcean provider, lets Terraform interact with the DigitalOcean API to build out our infrastructure. This provider supports creating various DigitalOcean resources, including the following:

  • digitalocean_droplet: Droplets (servers)
  • digitalocean_loadbalancer: Load balancer
  • digitalocean_domain: DNS domain entries
  • digitalocean_record: DNS records

Terraform will use your DigitalOcean Personal Access Token to communicate with the DigitalOcean API and manage resources in your account. Don’t share this key with others, and keep it out of scripts and version control. Export your DigitalOcean Personal Access Token to an environment variable called DO_PAT. This will make using it in subsequent commands easier and keep it separate from your code:

  • export DO_PAT="YOUR_PERSONAL_ACCESS_TOKEN"

Note: If you’ll be working with Terraform and DigitalOcean often, add this line to your shell configuration files using the same approach you used to modify your PATH environment variable in the previous step.

The first step to building an infrastructure with Terraform is to define the provider you’re going to use by creating some Terraform configuration files.

Create a directory that will store your configuration files for a given project. The name of the directory does not matter, but we will use “loadbalance” for the example (feel free to change its name):

  • mkdir ~/loadbalance

Terraform configurations are text files that end with the .tf file extension. They are human-readable and they support comments. Terraform also supports JSON-format configuration files, but we won’t cover those here. Terraform will read all of the configuration files in your working directory in a declarative manner, so the order of resource and variable definitions do not matter. Your entire infrastructure can exist in a single configuration file, but we will separate our configuration files by resources in this tutorial.

Change your current directory to the newly created directory:

  • cd ~/loadbalance

From now on, we will assume that your working directory is the one that we just changed to. If you start a new terminal session, be sure to change to the directory that contains your Terraform configuration.

If you happen to get stuck, and Terraform is not working as you expect, you can start over by deleting the terraform.tfstate file, and manually destroying the resources that were created (e.g. through the control panel.

Note: You may also want to enable logging to Standard Output (STDOUT), so you can see what Terraform is trying to do. Do that by running the following command:

  • export TF_LOG=1

To use the DigitalOcean provider with Terraform, you have to tell Terraform about it and configure the plugin with the proper credential variables. Let’s do that now.

Create a file called provider.tf which will store the configuration for the provider:

  • nano provider.tf

Add the following lines into the file to tell Terraform that you want to use the DigitalOcean provider, and instruct Terraform where to find it:

provider.tf
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
      version = "1.22.2"
    }
  }
}

Next, define the following variables in the file so you can reference them in the rest of your configuration files:

  • do_token: your DigitalOcean Personal Access Token.
  • pvt_key: private key location, so Terraform can use it to log in to new Droplets and install Nginx.

You will pass the values of these variables into Terraform when you run it, rather than by hard-coding the values here. This makes the configuration more portable.

Add these lines to the file to define the variables:

provider.tf
variable "do_token" {}
variable "pvt_key" {}

Next, add these lines to configure the DigitalOcean provider and specify the credentials for your DigitalOcean account by assigning “token” to the do_token variable:

provider.tf
provider "digitalocean" {
  token = var.do_token
}

Finally, you’ll want to have Terraform automatically add your SSH key to any new Droplets you create. When you added your SSH key to DigitalOcean, you gave it a name. Terraform can use this name to retrieve the public key. Add these lines, but substitute the terraform key name with the name of the key you provided in your DigitalOcean account:

provider.tf
data "digitalocean_ssh_key" "terraform" {
  name = "terraform"
}

Your completed provider.tf file will look like this:

provider.tf
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
      version = "1.22.2"
    }
  }
}

variable "do_token" {}
variable "pvt_key" {}

provider "digitalocean" {
  token = var.do_token
}

data "digitalocean_ssh_key" "terraform" {
  name = "terraform"
}

Save the file and exit your editor.

Now initialize Terraform for your project. This will read your configuration and install the plugins for your provider:

  • terraform init

You’ll see this output:

Output
Initializing the backend... Initializing provider plugins... - Finding digitalocean/digitalocean versions matching "1.22.2"... - Installing digitalocean/digitalocean v1.22.2... - Installed digitalocean/digitalocean v1.22.2 (signed by a HashiCorp partner, key ID F82037E524B9C0E8) Partner and community providers are signed by their developers. If you'd like to know more about provider signing, you can read about it here: https://www.terraform.io/docs/plugins/signing.html Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.

Terraform is now configured. In the next step you’ll use Terraform to define a Droplet which will run an Nginx server.

Step 3 — Defining the First Nginx Server

You can use Terraform to create a DigitalOcean Droplet and install software on the Droplet once it spins up. In this step you’ll provision a single Ubuntu 18.04 Droplet and install the Nginx web server using Terraform.

Create a new Terraform configuration file called www-1.tf which will hold the configuration for the Droplet:

  • nano www-1.tf

Insert the following lines to define the Droplet resource:

resource "digitalocean_droplet" "www-1" {
    image = "ubuntu-18-04-x64"
    name = "www-1"
    region = "nyc2"
    size = "s-1vcpu-1gb"
    private_networking = true
    ssh_keys = [
      data.digitalocean_ssh_key.terraform.id
    ]

In the preceding configuration, the first line defines a digitalocean_droplet resource named www-1. The rest of the lines specify the droplet’s attributes, including its data center and the slug which identifies the size of the Droplet you want to configure. In this case we’re using s-1vcpu-1gb, which will create a Droplet with one CPU and 1GB of RAM. Visit this size slug chart to see the available slugs you can use.

The ssh_keys section specifies a list of public keys you want to add to the Droplet. In this case you’re specifying the key you defined in provider.tf. Ensure the name here matches the name you specified in provider.tf.

When you run Terraform against the DigitalOcean API, it will collect a variety of information about the Droplet, such as its public and private IP addresses. This information can be used by other resources in your configuration.

If you are wondering which arguments are required or optional for a Droplet resource, please refer to the official Terraform documentation: DigitalOcean Droplet Specification.

Now you’ll set up a connection which Terraform can use to connect to the server via SSH. Insert the following lines at the end of the file:

  connection {
    host = self.ipv4_address
    user = "root"
    type = "ssh"
    private_key = file(var.pvt_key)
    timeout = "2m"
  }

These lines describe how Terraform should connect to the server so Terraform can connect over SSH to install Nginx. Note the use of the private key variable var.pvt_key. You’ll pass this value in when you run Terraform.

Now that you have the connection set up, configure the remote-exec provisioner, which you’ll use to install Nginx. Add the following lines to the configuration to do just that:

  provisioner "remote-exec" {
    inline = [
      "export PATH=$PATH:/usr/bin",
      # install nginx
      "sudo apt-get update",
      "sudo apt-get -y install nginx"
    ]
  }
}

Note that the strings in the inline array are the commands that the root user will run to install Nginx.

The completed file looks like this:

www-1.tf
resource "digitalocean_droplet" "www-1" {
  image = "ubuntu-18-04-x64"
  name = "www-1"
  region = "nyc2"
  size = "s-1vcpu-1gb"
  private_networking = true
  ssh_keys = [
    data.digitalocean_ssh_key.terraform.id
  ]
  connection {
    host = self.ipv4_address
    user = "root"
    type = "ssh"
    private_key = file(var.pvt_key)
    timeout = "2m"
  }
  provisioner "remote-exec" {
    inline = [
      "export PATH=$PATH:/usr/bin",
      # install nginx
      "sudo apt-get update",
      "sudo apt-get -y install nginx"
    ]
  }
}

Save the file and exit the editor. You’ve defined the server. Now it’s time to tell Terraform to build it.

Step 4 — Using Terraform to Create the Nginx Server

Your current Terraform configuration describes a single Nginx server. Let’s use Terraform to connect to DigitalOcean and create that server.

Run the terraform plan command to see the “execution plan”, or what Terraform will attempt to do to build the infrastructure you described. You will have to specify the values for your DigitalOcean Access Token and the path to your private key, as your Terraform configuration files use this information to access the DigitalOcean API and log in to your Droplet to install Nginx. Execute the following command:

  • terraform plan \
  • -var "do_token=${DO_PAT}" \
  • -var "pvt_key=$HOME/.ssh/id_rsa"

Terraform displays this output:

Output
Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. data.digitalocean_ssh_key.terraform: Refreshing state... ------------------------------------------------------------------------ An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # digitalocean_droplet.www-1 will be created + resource "digitalocean_droplet" "www-1" { + backups = false + created_at = (known after apply) + disk = (known after apply) + id = (known after apply) + image = "ubuntu-18-04-x64" + ipv4_address = (known after apply) + ipv4_address_private = (known after apply) + ipv6 = false + ipv6_address = (known after apply) + ipv6_address_private = (known after apply) + locked = (known after apply) + memory = (known after apply) + monitoring = false + name = "www-1" + price_hourly = (known after apply) + price_monthly = (known after apply) + private_networking = true + region = "nyc2" + resize_disk = true + size = "s-1vcpu-1gb" + ssh_keys = [ + "your_ssh_key_id", ] + status = (known after apply) + urn = (known after apply) + vcpus = (known after apply) + volume_ids = (known after apply) + vpc_uuid = (known after apply) } Plan: 1 to add, 0 to change, 0 to destroy. ------------------------------------------------------------------------ Note: You didn't specify an "-out" parameter to save this plan, so Terraform can't guarantee that exactly these actions will be performed if "terraform apply" is subsequently run.

The + digitalocean_droplet.www-1 line means that Terraform will create a new droplet resource called www-1, with the details that follow it. That’s exactly what we want, so let’s execute the plan. Run the following terraform apply command to execute the current plan. Again, specify all the values for the variables:

Warning: The terraform plan command supports an -out parameter to save the plan. However, the plan will store API keys, and Terraform does not encrypt this data. If you choose to use this option, you should explore encrypting this file if you plan to send it to others or leave it at rest for an extended period of time.

  • terraform apply \
  • -var "do_token=${DO_PAT}" \
  • -var "pvt_key=$HOME/.ssh/id_rsa"

You’ll get the same output as before, but this time, Terraform will ask you if you want to proceed:

Output
... Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes

Enter yes and press ENTER. Terraform will provision your Droplet:

Outut
digitalocean_droplet.www-1: Creating...

After a bit of time, you’ll see Terraform installing Nginx with the remote-exec provisioner, and then the process will complete:

Outut
digitalocean_droplet.www-1: Provisioning with 'remote-exec'... .... digitalocean_droplet.www-1: Creation complete after 1m54s [id=your_www-1_droplet_id] Apply complete! Resources: 1 added, 0 changed, 0 destroyed. ...

Terraform has created a new Droplet called www-1 and installed Nginx on it. If you visit the public IP address of your new Droplet, you’ll see the Nginx welcome screen. The public IP was displayed when the Droplet was created, but you can always view it by looking at Terraform’s current state. Terraform updates the state file terraform.tfstate every time it executes a plan or “refreshes” its state.

To view the current state of your environment, use the following command:

  • terraform show terraform.tfstate

This will show you the public IP address of your Droplet.

Output
resource "digitalocean_droplet" "www-1" { backups = false created_at = "2020-08-27T17:22:44Z" disk = 25 id = "your_www-1_droplet_id" image = "ubuntu-18-04-x64" ipv4_address = "your_www-1_server_ip" ipv4_address_private = "10.128.0.2" ...

Navigate to http://your_www-1_server_ip in your browser to verify your Nginx server is running.

Note: If you modify your infrastructure outside of Terraform, your state file will be out of date. If your resources are modified outside of Terraform, you may refresh the state file to bring it up to date. This command will pull the updated resource information from your provider(s):

  • terraform refresh \
  • -var "do_token=${DO_PAT}" \
  • -var "pvt_key=$HOME/.ssh/id_rsa"

You have one server defined and built. Let’s define another one.

Step 5 — Creating the Second Nginx Server

Now that you have described an Nginx server, you can add a second quickly by copying the existing server’s configuration file and replacing the name and hostname of the Droplet resource.

You can do this manually, but it’s faster to use the sed command to read the www-1.tf file, substitute all instances of www-1 with www-2, and create a new file called www-2.tf. Here is the sed command to do that:

  • sed 's/www-1/www-2/g' www-1.tf > www-2.tf

Learn more about sed in Using sed.

Now run terraform plan again to preview the changes that Terraform will make:

  • terraform plan \
  • -var "do_token=${DO_PAT}" \
  • -var "pvt_key=$HOME/.ssh/id_rsa"

The output shows that Terraform will create the second server, www-2:

Output
... Terraform will perform the following actions: # digitalocean_droplet.www-2 will be created + resource "digitalocean_droplet" "www-2" { + backups = false + disk = (known after apply) + id = (known after apply) + image = "ubuntu-18-04-x64" + ipv4_address = (known after apply) + ipv4_address_private = (known after apply) + ipv6 = false + ipv6_address = (known after apply) + ipv6_address_private = (known after apply) + locked = (known after apply) + memory = (known after apply) + monitoring = false + name = "www-2" + price_hourly = (known after apply) + price_monthly = (known after apply) + private_networking = true + region = "nyc2" + resize_disk = true + size = "s-1vcpu-1gb" + ssh_keys = [ + "your_ssh_key_id", ] + status = (known after apply) + urn = (known after apply) + vcpus = (known after apply) + volume_ids = (known after apply) } Plan: 1 to add, 0 to change, 0 to destroy. ...

Then run terraform apply again to create the second server:

  • terraform apply \
  • -var "do_token=${DO_PAT}" \
  • -var "pvt_key=$HOME/.ssh/id_rsa"

As before, Terraform will ask you to confirm you wish to proceed. Review the plan again and type yes to continue.

After some time, Terraform will create the new server and display the results:

Output
digitalocean_droplet.www-2: Creation complete after 1m47s [id=your_www-2_droplet_id] Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Terraform added the new server and did not alter the existing server. You can repeat the process in this step to add additional Nginx servers.

You have both servers configured. Now let’s configure the load balancer.

Step 6 — Creating the Load Balancer

We’ll use a DigitalOcean Load Balancer to route traffic between our two web servers. The DigitalOcean Terraform provider supports this as well.

Create a new Terraform configuration file called loadbalancer.tf:

  • nano loadbalancer.tf

Insert the following lines to define the load balancer:

loadbalancer.tf
resource "digitalocean_loadbalancer" "www-lb" {
  name = "www-lb"
  region = "nyc2"

  forwarding_rule {
    entry_port = 80
    entry_protocol = "http"

    target_port = 80
    target_protocol = "http"
  }

  healthcheck {
    port = 22
    protocol = "tcp"
  }

  droplet_ids = [digitalocean_droplet.www-1.id, digitalocean_droplet.www-2.id ]
}

The load balancer definition specifies the name of the load balancer, the datacenter, the ports it should listen on to balance traffic, configuration for the health check, and the IDs of the Droplets it should balance, which we fetch using Terraform variables.

Save the file and exit the editor.

Run terraform plan command again to review the new execution plan:

  • terraform plan \
  • -var "do_token=${DO_PAT}" \
  • -var "pvt_key=$HOME/.ssh/id_rsa"

You’ll see several lines of output, including the following lines:

Output
... digitalocean_droplet.www-1: Refreshing state... [id=your_www-1_droplet_id] digitalocean_droplet.www-2: Refreshing state... [id=your_www-2_droplet_id] ... ------------------------------------------------------------------------ An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # digitalocean_loadbalancer.www-lb will be created + resource "digitalocean_loadbalancer" "www-lb" { + algorithm = "round_robin" + droplet_ids = [ + your_www-1_droplet_id, + your_www-2_droplet_id, ]

This means that the www-1 and www-2 Droplets already exist, and Terraform will create the www-lb Load Balancer.

Run terraform apply to build the load balancer:

  • terraform apply \
  • -var "do_token=${DO_PAT}" \
  • -var "pvt_key=$HOME/.ssh/id_rsa"

Once again, Terraform will ask you to review the plan and then approve the plan by entering yes to continue.

Once you do, you’ll see output that contains the following lines, truncated for brevity:

Output
... digitalocean_loadbalancer.www-lb: Creating... ... digitalocean_loadbalancer.www-lb: Creation complete after 1m18s [id=your_load_balancer_id] ... Apply complete! Resources: 1 added, 0 changed, 0 destroyed. ...

Use terraform show terraform.tfstate to locate the IP address of your load balancer:

  • terraform show terraform.tfstate

You’ll find the IP under the www-lb entry:

Output
... # digitalocean_loadbalancer.www-lb: resource "digitalocean_loadbalancer" "www-lb" { algorithm = "round_robin" droplet_ids = [ your_www-1_droplet_id, your_www-2_droplet_id, ] enable_backend_keepalive = false enable_proxy_protocol = false id = "your_load_balancer_id" ip = "your_load_balaner_ip" name = "www-lb"

Navigate to http://your_load_balaner_ip in your browser and you’ll see an Nginx welcome screen, because the load balancer is sending traffic to one of the two Nginx servers.

The rest of the tutorial includes information about configuring DNS domain and record resources with Terraform, and information on how to use the other Terraform commands.

Step 7 — Creating DNS Domains and Records

Terraform can also create DNS domain and record domains. For example, if you want to point your domain to your load balancer, you can create a Terraform configuration file for that.

Note: Use your own, unique, domain name or this step will fail.

Create a new file to describe your DNS:

  • nano your_domain.tf

Insert the following domain resource:

your_domain.tf
resource "digitalocean_domain" "default" {
   name = "your_domain"
   ip_address = digitalocean_loadbalancer.www-lb.ip
}

And while we’re at it, let’s add a CNAME record that points www.your_domain to your_domain:

your_domain.tf
resource "digitalocean_record" "CNAME-www" {
  domain = digitalocean_domain.default.name
  type = "CNAME"
  name = "www"
  value = "@"
}

Save and exit.

To add the DNS entries, run terraform plan followed by terraform apply, as with the other resources.

Step 8 — Destroying Your Infrastructure

Although not commonly used in production environments, Terraform can also destroy infrastructures that it creates. This is mainly useful in development environments that are built and destroyed multiple times.

First, create an execution plan to destroy the infrastructure by using terraform plan -destroy like this:

  • terraform plan -destroy -out=terraform.tfplan \
  • -var "do_token=${DO_PAT}" \
  • -var "pvt_key=$HOME/.ssh/id_rsa" \

Terraform will output a plan with resources marked in red, and prefixed with a minus sign, indicating that it will delete the resources in your infrastructure.

Use terraform apply to run the plan:

  • terraform apply terraform.tfplan

Terraform will destroy the resources, as indicated in the destroy plan.

Conclusion

In this tutorial you used Terraform to build a load-balanced web infrastructure on DigitalOcean, with two Nginx web servers running behind a DigitalOcean Load Balancer. You know how to create and destroy resources, view the current state, and use Terraform to configure DNS entries.

Now that you understand how Terraform works, you can create configuration files that describe a server infrastructure for your own projects. The example in this tutorial is a good starting point that demonstrates how you can automate the deployment of servers. If you already use configuration management tools like Puppet or Chef, you can call those with Terraform’s provisioners to configure servers as part of their creation process instead of using the provisioning method used in this tutorial.

Terraform has many more features, and can work with other providers. Check out the official Terraform Documentation to learn more about how you can use Terraform to improve your own infrastructure.

Creative Commons License