August 1, 2024

A Step-by-Step Guide to Automating Your Astro Infrastructure with the Astro Terraform Provider

Bas Harenslak Staff Architect Astronomer

This tutorial demonstrates using the Astro Terraform Provider to automate the onboarding process for a new team by creating and managing an Astro workspace and deployment.

We recently released the official Astro Terraform Provider. Terraform is the industry-standard infrastructure-as-code tool to automate the creation and management of infrastructure.

The Astro Terraform provider brings significant value to organizations by enabling automated, consistent, and scalable management of your Astro infrastructure, reducing manual errors and improving efficiency. The provider currently supports several resources including clusters, workspaces, deployments, and team to workspace role mappings.

Getting Started With the Astro Terraform Provider

In this tutorial, I will guide you through using the Astro Terraform provider to automate the onboarding of a new team by creating and managing an Astro workspace and deployment. By the end of this tutorial, you will have a fully automated setup that is reproducible and easily scalable to more teams.

Create Your Terraform Working Directory

Create a folder for your Terraform project e.g. my-data-platform and save the following code in a file named terraform.tf:

terraform {
  required_providers {
    astro = {
      source  = "astronomer/astro"
      version = "0.3.0"
    }
  }
}

provider "astro" {
  organization_id = "... insert your organization id here ..."
}

Insert your organization's ID on line 11. The working directory will contain all your Terraform code, and all Terraform commands will be run from this directory.

Initialize the Terraform Working Directory

Run terraform init and you'll see Terraform downloading and installing the Astro Terraform provider to your local machine:

$ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding astronomer/astro versions matching "0.3.0"...
- Installing astronomer/astro v0.3.0...
- Installed astronomer/astro v0.3.0 (signed by a HashiCorp partner, key ID F5206453FDEA33CF)

...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

...

The versions and hashes of providers are stored in a (generated) file .terraform.lock.hcl. Store this file in version control.

Authenticating with Astro

For any automated action on Astro, you need an API token to authenticate. API tokens exist on different levels. Since we're going to create a workspace, we need an Organization API token with Organization Owner permissions. Create a token and ensure it's configured as an environment variable ASTRO_API_TOKEN when running Terraform commands:

export ASTRO_API_TOKEN=...

Define Resources in Terraform

In a file main.tf, define two resources, an astro_workspace and an astro_deployment. These resources will represent an Astro workspace and Astro deployment, defined in Terraform code:

# Create a new workspace
resource "astro_workspace" "my_first_tf_workspace" {
  name                  = "My first TF workspace"
  description           = "My first Terraform-created workspace"
  cicd_enforced_default = false
}

# Create a new deployment
resource "astro_deployment" "my_first_tf_deployment" {
  name                    = "My first TF deployment"
  description             = "My first Terraform-created deployment"
  type                    = "STANDARD"
  cloud_provider          = "AWS"
  region                  = "us-east-1"
  contact_emails          = []
  default_task_pod_cpu    = "0.25"
  default_task_pod_memory = "0.5Gi"
  executor                = "CELERY"
  is_cicd_enforced        = true
  is_dag_deploy_enabled   = true
  is_development_mode     = false
  is_high_availability    = false
  resource_quota_cpu      = "10"
  resource_quota_memory   = "20Gi"
  scheduler_size          = "SMALL"
  workspace_id            = astro_workspace.my_first_tf_workspace.id
  environment_variables   = []
  worker_queues = [{
    name               = "default"
    is_default         = true
    astro_machine      = "A5"
    max_worker_count   = 10
    min_worker_count   = 0
    worker_concurrency = 1
  }]
}

One of the key characteristics (and benefits) of using Terraform is that it's declarative. Take for example the line workspace_id = astro_workspace.my_first_tf_workspace.id; this tells Terraform to configure the workspace ID in the deployment. This means the workspace must be created first, producing an ID which is a generated value and unknown at the time of writing. We don't have to instruct Terraform to create resources in a certain order, we only have to instruct what to create. The resources above can be defined in any order. Terraform takes the relationships between resources into account when deciding the order of creating resources.

Define Outputs

And (optionally) in a file outputs.tf, define values you'd like to log after creating the infrastructure. We'll output the workspace and deployment IDs:

output "terraform_workspace" {
  description = "ID of the TF created workspace"
  value       = astro_workspace.my_first_tf_workspace.id
}

output "terraform_deployment" {
  description = "ID of the TF created deployment"
  value       = astro_deployment.my_first_tf_deployment.id
}

Showing output values is not necessary in this case, but provides us (humans) information about created resources.

Preview the Terraform changes

You should now have 3 files:

terraform.tf
main.tf
outputs.tf (optional)

Run terraform plan to let Terraform create an execution plan and preview the infrastructure changes that Terraform will make. You'll see the following text:

$ terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # astro_deployment.my_first_tf_deployment will be created
  + resource "astro_deployment" "my_first_tf_deployment" {
      ...
    }

  # astro_workspace.my_first_tf_workspace will be created
  + resource "astro_workspace" "my_first_tf_workspace" {
      ...
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + terraform_deployment = (known after apply)
  + terraform_workspace  = (known after apply)

The key message to look for is "Plan: 2 to add, 0 to change, 0 to destroy.", which validates that we're about to create two resources, which are the workspace and deployment as defined in main.tf.

Apply the Terraform Plan

Next, run terraform apply and select yes to execute the plan. This creates the Astro resources and will print their ids, as we defined in outputs.tf:

$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

...

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

astro_workspace.my_first_tf_workspace: Creating...
astro_workspace.my_first_tf_workspace: Creation complete after 0s [id=clxn24vhy0as101ohmeg9i72o]
astro_deployment.my_first_tf_deployment: Creating...
astro_deployment.my_first_tf_deployment: Creation complete after 1s [id=clxn24vs00afv01ot12ph6ejb]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

terraform_deployment = "clxn24vs00afv01ot12ph6ejb"
terraform_workspace = "clxn24vhy0as101ohmeg9i72o"

The resources were created and will now be visible in Astro:

Cleaning Up Terraform-Created Resources

Finally, to clean up the resources, run terraform destroy and select yes:

$ terraform destroy
astro_workspace.my_first_tf_workspace: Refreshing state...
  [id=clxn24vhy0as101ohmeg9i72o]
astro_deployment.my_first_tf_deployment: Refreshing state...
  [id=clxn24vs00afv01ot12ph6ejb]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  ...

Plan: 0 to add, 0 to change, 2 to destroy.

Changes to Outputs:
  - terraform_deployment = "clxn24vs00afv01ot12ph6ejb" -> null
  - terraform_workspace  = "clxn24vhy0as101ohmeg9i72o" -> null

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

astro_deployment.my_first_tf_deployment: Destroying...
  [id=clxn24vs00afv01ot12ph6ejb]
astro_deployment.my_first_tf_deployment: Destruction complete after 1s
astro_workspace.my_first_tf_workspace: Destroying...
  [id=clxn24vhy0as101ohmeg9i72o]
astro_workspace.my_first_tf_workspace: Destruction complete after 0s

Destroy complete! Resources: 2 destroyed.

The output shows two destroyed resources which are the workspace and deployment that we first created.

Conclusion

Terraform is an invaluable tool to platform teams who manage infrastructure for development teams. Just by running terraform apply, we created a workspace and deployment in seconds. Since those resources are defined in code, we can repeat those steps for additional teams and get new teams up and running quickly. Manually configuring such resources in a UI is error-prone and time-consuming so it always a good idea to automate infrastructure when you plan on repeating work more than once.

For more information about the Astro Terraform provider, check out:

Additionally, Astronomer offers several other tools to support infrastructure automation:

Astro CLI: https://docs.astronomer.io/astro/cli/overview
Astro REST API: https://docs.astronomer.io/api
Deployments as code: https://docs.astronomer.io/astro/manage-deployments-as-code
Astro GitHub integration: https://docs.astronomer.io/astro/deploy-github-integration