source ''
gem "less", "~> 2.5.0"
gem "middleman", "~> 3.3.2"
gem "middleman-minify-html", "~> 3.1.1"
gem "rack-contrib", "~> 1.1.0"
gem "redcarpet", "~> 3.0.0"
gem "therubyracer", "~> 0.12.0"
gem "thin", "~> 1.5.0"
group :development do
gem "highline", "~> 1.6.15"
activesupport (4.0.4)
i18n (~> 0.6, >= 0.6.9)
minitest (~> 4.2)
multi_json (~> 1.3)
thread_safe (~> 0.1)
tzinfo (~> 0.3.37)
chunky_png (1.3.0)
coffee-script (2.2.0)
coffee-script-source (1.7.0)
commonjs (0.2.7)
compass (0.12.5)
chunky_png (~> 1.2)
fssm (>= 0.2.7)
sass (~> 3.2.19)
compass-import-once (1.0.4)
sass (>= 3.2, < 3.5)
daemons (1.1.9)
erubis (2.7.0)
eventmachine (1.0.3)
execjs (2.0.2)
ffi (1.9.3)
fssm (0.2.10)
haml (4.0.5)
highline (1.6.21)
hike (1.2.3)
hooks (0.4.0)
uber (~> 0.0.4)
i18n (0.6.9)
json (1.8.1)
kramdown (1.3.3)
less (2.5.0)
commonjs (~> 0.2.7)
libv8 (
listen (1.3.1)
rb-fsevent (>= 0.9.3)
rb-inotify (>= 0.9)
rb-kqueue (>= 0.2)
middleman (3.3.2)
coffee-script (~> 2.2.0)
compass (>= 0.12.4)
compass-import-once (~> 1.0.4)
execjs (~> 2.0)
haml (>= 4.0.5)
kramdown (~> 1.2)
middleman-core (= 3.3.2)
middleman-sprockets (>= 3.1.2)
sass (>= 3.2.17, < 4.0)
uglifier (~> 2.5)
middleman-core (3.3.2)
activesupport (~> 4.0.1)
bundler (~> 1.1)
hooks (~> 0.3)
i18n (~> 0.6.9)
listen (~> 1.1)
padrino-helpers (~> 0.12.1)
rack (>= 1.4.5, < 2.0)
rack-test (~> 0.6.2)
thor (>= 0.15.2, < 2.0)
tilt (~> 1.4.1, < 2.0)
middleman-minify-html (3.1.1)
middleman-core (~> 3.0)
middleman-sprockets (3.3.2)
middleman-core (>= 3.2)
sprockets (~> 2.2)
sprockets-helpers (~> 1.1.0)
sprockets-sass (~> 1.0.0)
minitest (4.7.5)
multi_json (1.9.2)
padrino-helpers (0.12.1)
i18n (~> 0.6, >= 0.6.7)
padrino-support (= 0.12.1)
tilt (~> 1.4.1)
padrino-support (0.12.1)
activesupport (>= 3.1)
rack (1.5.2)
rack-contrib (1.1.0)
rack (>= 0.9.1)
rack-test (0.6.2)
rack (>= 1.0)
rb-fsevent (0.9.4)
rb-inotify (0.9.3)
ffi (>= 0.5.0)
rb-kqueue (0.2.2)
ffi (>= 0.5.0)
redcarpet (3.0.0)
ref (1.0.5)
sass (3.2.19)
sprockets (2.12.0)
hike (~> 1.2)
multi_json (~> 1.0)
rack (~> 1.0)
tilt (~> 1.1, != 1.3.0)
sprockets-helpers (1.1.0)
sprockets (~> 2.0)
sprockets-sass (1.0.3)
sprockets (~> 2.0)
tilt (~> 1.1)
therubyracer (0.12.1)
libv8 (~>
thin (1.5.1)
daemons (>= 1.0.9)
eventmachine (>= 0.12.6)
rack (>= 1.0.0)
thor (0.19.1)
thread_safe (0.3.3)
tilt (1.4.1)
tzinfo (0.3.39)
uber (0.0.4)
uglifier (2.5.0)
execjs (>= 0.3.0)
json (>= 1.8.0)
highline (~> 1.6.15)
less (~> 2.5.0)
middleman (~> 3.3.2)
middleman-minify-html (~> 3.1.1)
rack-contrib (~> 1.1.0)
redcarpet (~> 3.0.0)
therubyracer (~> 0.12.0)
thin (~> 1.5.0)
# Proprietary License
This license is temporary while a more official one is drafted. However,
this should make it clear:
* The text contents of this website are MPL 2.0 licensed.
* The design contents of this website are proprietary and may not be reproduced
or reused in any way other than to run the Terraform website locally. The license
for the design is owned solely by HashiCorp, Inc.
# Terraform Website
This subdirectory contains the entire source for the [Terraform Website](
This is a [Middleman]( project, which builds a static
site from these source files.
## Contributions Welcome!
If you find a typo or you feel like you can improve the HTML, CSS, or
JavaScript, we welcome contributions. Feel free to open issues or pull
requests like any normal GitHub project, and we'll merge it in.
## Running the Site Locally
Running the site locally is simple. Clone this repo and run the following
$ bundle
$ bundle exec middleman server
Then open up `localhost:4567`. Note that some URLs you may need to append
".html" to make them work (in the navigation and such).
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
$script = <<SCRIPT
sudo apt-get -y update
sudo apt-get -y install curl
curl -sSL | bash -s stable
. ~/.bashrc
. ~/.bash_profile
rvm install 2.0.0
rvm --default use 2.0.0
cd /vagrant
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
|||| = "chef/ubuntu-12.04"
|||| "private_network", ip: ""
config.vm.provision "shell", inline: $script, privileged: false
config.vm.synced_folder ".", "/vagrant", type: "rsync"
# Configure Middleman
set :css_dir, 'stylesheets'
set :js_dir, 'javascripts'
set :images_dir, 'images'
# Use the RedCarpet Markdown engine
set :markdown_engine, :redcarpet
set :markdown,
:fenced_code_blocks => true,
:with_toc_data => true
# Build-specific configuration
configure :build do
activate :asset_hash
activate :minify_html
activate :minify_javascript
require "rack"
require "rack/contrib/not_found"
require "rack/contrib/response_headers"
require "rack/contrib/static_cache"
require "rack/contrib/try_static"
# Properly compress the output if the client can handle it.
use Rack::Deflater
# Set the "forever expire" cache headers for these static assets. Since
# we hash the contents of the assets to determine filenames, this is safe
# to do.
use Rack::StaticCache,
:root => "build",
:urls => ["/images", "/javascripts", "/stylesheets"],
:duration => 2,
:versioning => false
# Try to find a static file that matches our request, since Middleman
# statically generates everything.
use Rack::TryStatic,
:root => "build",
:urls => ["/"],
:try => [".html", "index.html", "/index.html"]
# 404 if we reached this point. Sad times.
run"../build/404.html", __FILE__))
This file doesn't do anything, but we periodically update the number
below just to force being able to deploy the website again.
@ -0,0 +1,67 @@
require "net/http"
$terraform_files = {}
$terraform_os = []
raise "BINTRAY_API_KEY must be set." if !ENV["BINTRAY_API_KEY"]
http ="", 80)
req ="/mitchellh/terraform/")
req.basic_auth "mitchellh", ENV["BINTRAY_API_KEY"]
response = http.request(req)
response.body.split("\n").each do |line|
next if line !~ /\/mitchellh\/terraform\/(#{Regexp.quote(ENV["CONSUL_VERSION"])}.+?)'/
filename = $1.to_s
os = filename.split("_")[1]
next if os == "SHA256SUMS"
next if os == "web"
$terraform_files[os] ||= []
$terraform_files[os] << filename
$terraform_os = ["darwin", "linux", "windows"] & $consul_files.keys
$terraform_os += $consul_files.keys
$terraform_files.each do |key, value|
module DownloadHelpers
def download_arch(file)
parts = file.split("_")
return "" if parts.length != 3
def download_os_human(os)
if os == "darwin"
return "Mac OS X"
elsif os == "freebsd"
return "FreeBSD"
elsif os == "openbsd"
return "OpenBSD"
elsif os == "Linux"
return "Linux"
elsif os == "windows"
return "Windows"
return os
def download_url(file)
def ui_download_url
def latest_version
module SidebarHelpers
# This helps by setting the "active" class for sidebar nav elements
# if the YAML frontmatter matches the expected value.
def sidebar_current(expected)
current = || ""
if current.start_with?(expected)
return " class=\"active\""
return ""
Normal file
@ -0,0 +1,2 @@
# Source folder
Normal file
@ -0,0 +1 @@
<h2>Page Not Found</h2>
Normal file
@ -0,0 +1,69 @@
module.exports = function(grunt) {
// Configuration goes here
less: {
files: {
"stylesheets/main.css": "stylesheets/main.less"
concat: {
options: {
separator: ';'
site: {
src: [
dest: 'javascripts/app/deploy/site.js'
uglify: {
app: {
files: {
'javascripts/app/deploy/site.min.js': ['javascripts/app/deploy/site.js']
watch: {
less: {
files: 'stylesheets/*.less',
tasks: ['less']
js: {
files: 'javascripts/app/*.js',
tasks: ['concat', 'uglify']
// Load plugins here
// JS distribution task.
grunt.registerTask('dist-js', ['concat', 'uglify']);
// Full distribution task.
grunt.registerTask('dist', ['dist-js']);
grunt.registerTask('default', ['watch']);
page_title: "Community"
<div class="container">
<div class="col-md-8 col-md-offset-2">
<div class="bs-docs-section">
Terraform is a new project with a growing community. Despite this,
there are active, dedicated users willing to help you through various
<strong>IRC:</strong> <code>#terraform</code> on Freenode
<strong>Mailing list:</strong>
<a href="">Terraform Google Group</a>
<strong>Bug Tracker:</strong>
<a href="">Issue tracker
on GitHub</a>. Please only use this for reporting bugs. Do not ask
for general help here. Use IRC or the mailing list for that.
The following people are some of the faces behind Terraform. They each
contribute to Terraform in some core way. Over time, faces may appear and
disappear from this list as contributors come and go.
<div class="people">
<div class="person">
<img class="pull-left" src="">
<div class="bio">
<h3>Armon Dadgar (<a href="">@armon</a>)</h3>
Armon Dadgar is the creator of Terraform. He researched and developed
most of the internals of how Terraform works, including the
gossip layer, leader election, etc. Armon is also the creator of
<a href="">Serf</a>,
<a href="">Statsite</a>, and
<a href="">Bloomd</a>.
<div class="person">
<img class="pull-left" src="">
<div class="bio">
<h3>Mitchell Hashimoto (<a href="">@mitchellh</a>)</h3>
Mitchell Hashimoto is a co-creator of Terraform. He primarily took
a management role in the creation of Terraform, guiding product
and user experience decisions on top of Armon's technical decisions.
Mitchell Hashimoto is also the creator of
<a href="">Vagrant</a>,
<a href="">Packer</a>, and
<a href="">Serf</a>.
<div class="person">
<img class="pull-left" src="">
<div class="bio">
<h3>Jack Pearkes (<a href="">@pearkes</a>)</h3>
Jack Pearkes created and maintains the Terraform web UI.
He is also a core committer to
<a href="">Packer</a> and maintains
many successful
<a href="">open source projects</a>
while also being an employee of
<a href="">HashiCorp</a>.
<div class="person">
<img class="pull-left" src="//">
<div class="bio">
<h3>William Tisäter (<a href="">@tiwilliam</a>)</h3>
<p>William Tisäter is a Terraform core committer. He is also maintainer of <a href="">pygeoip</a> and build things daily at <a href="">Tictail</a>.</p>
<div class="clearfix"></div>
layout: "docs"
page_title: "Agent"
sidebar_current: "docs-agent-running"
# Terraform Agent
The Terraform agent is the core process of Terraform. The agent maintains membership
information, registers services, runs checks, responds to queries
and more. The agent must run on every node that is part of a Terraform cluster.
Any Agent may run in one of two modes: client or server. A server
node takes on the additional responsibility of being part of the [consensus quorum](#).
These nodes take part in Raft, and provide strong consistency and availability in
the case of failure. The higher burden on the server nodes means that usually they
should be run on dedicated instances, as they are more resource intensive than a client
node. Client nodes make up the majority of the cluster, and they are very lightweight
as they maintain very little state and interface with the server nodes for most operations.
## Running an Agent
The agent is started with the `terraform agent` command. This command blocks,
running forever or until told to quit. The agent command takes a variety
of configuration options but the defaults are usually good enough. When
running `terraform agent`, you should see output similar to that below:
$ terraform agent -data-dir=/tmp/terraform
==> Starting Terraform agent...
==> Starting Terraform agent RPC...
==> Terraform agent running!
Node name: 'Armons-MacBook-Air'
Datacenter: 'dc1'
Server: false (bootstrap: false)
Client Addr: (HTTP: 8500, DNS: 8600, RPC: 8400)
Cluster Addr: (LAN: 8301, WAN: 8302)
==> Log data will now stream in as it occurs:
[INFO] serf: EventMemberJoin: Armons-MacBook-Air.local
There are several important components that `terraform agent` outputs:
* **Node name**: This is a unique name for the agent. By default this
is the hostname of the machine, but you may customize it to whatever
you'd like using the `-node` flag.
* **Datacenter**: This is the datacenter the agent is configured to run
in. Terraform has first-class support for multiple datacenters, but to work efficiently
each node must be configured to correctly report its datacenter. The `-dc` flag
can be used to set the datacenter. For single-DC configurations, the agent
will default to "dc1".
* **Server**: This shows if the agent is running in the server or client mode.
Server nodes have the extra burden of participating in the consensus quorum,
storing cluster state, and handling queries. Additionally, a server may be
in "bootstrap" mode. The first server must be in this mode to allow additional
servers to join the cluster. Multiple servers cannot be in bootstrap mode,
otherwise the cluster state will be inconsistent.
* **Client Addr**: This is the address used for client interfaces to the agent.
This includes the ports for the HTTP, DNS, and RPC interfaces. The RPC
address is used for other `terraform` commands. Other Terraform commands such
as `terraform members` connect to a running agent and use RPC to query and
control the agent. By default, this binds only to localhost. If you
change this address or port, you'll have to specify an `-rpc-addr` to commands
such as `terraform members` so they know how to talk to the agent. This is also
the address other applications can use over [RPC to control Terraform](/docs/agent/rpc.html).
* **Cluster Addr**: This is the address and ports used for communication between
Terraform agents in a cluster. Every Terraform agent in a cluster does not have to
use the same port, but this address **MUST** be reachable by all other nodes.
## Stopping an Agent
An agent can be stopped in two ways: gracefully or forcefully. To gracefully
halt an agent, send the process an interrupt signal, which is usually
`Ctrl-C` from a terminal. When gracefully exiting, the agent first notifies
the cluster it intends to leave the cluster. This way, other cluster members
notify the cluster that the node has _left_.
Alternatively, you can force kill the agent by sending it a kill signal.
When force killed, the agent ends immediately. The rest of the cluster will
eventually (usually within seconds) detect that the node has died and will
notify the cluster that the node has _failed_.
It is especially important that a server node be allowed to gracefully leave,
so that there will be a minimal impact on availability as the server leaves
the consensus quorum.
For client agents, the difference between a node _failing_ and a node _leaving_
may not be important for your use case. For example, for a web server and load
balancer setup, both result in the same action: remove the web node
from the load balancer pool. But for other situations, you may handle
each scenario differently.
layout: "docs"
page_title: "Commands: Agent"
sidebar_current: "docs-commands-agent"
# Terraform Agent
The `terraform agent` command is the heart of Terraform: it runs the agent that
performs the important task of maintaining membership information,
running checks, announcing services, handling queries, etc.
Due to the power and flexibility of this command, the Terraform agent
is documented in its own section. See the [Terraform Agent](/docs/agent/basics.html)
section for more information on how to use this command and the
options it has.
layout: "docs"
page_title: "Adding/Removing Servers"
sidebar_current: "docs-guides-servers"
# Adding/Removing Servers
Terraform is designed to require minimal operator involvement, however any changes
to the set of Terraform servers must be handled carefully. To better understand
why, reading about the [consensus protocol](/docs/internals/consensus.html) will
be useful. In short, the Terraform servers perform leader election and replication.
For changes to be processed, a minimum quorum of servers (N/2)+1 must be available.
That means if there are 3 server nodes, at least 2 must be available.
In general, if you are ever adding and removing nodes simultaneously, it is better
to first add the new nodes and then remove the old nodes.
## Adding New Servers
Adding new servers is generally straightforward. After the initial server, no further
servers should ever be started with the `-bootstrap` flag. Instead, simply start the new
server with the `-server` flag. At this point, the server will not be a member of
any cluster, and should emit something like:
[WARN] raft: EnableSingleNode disabled, and no known peers. Aborting election.
This means that it does not know about any peers and is not configured to elect itself.
This is expected, and we can now add this node to the existing cluster using `join`.
From the new server, we can join any member of the existing cluster:
$ terraform join <Node Address>
Successfully joined cluster by contacting 1 nodes.
It is important to note that any node, including a non-server may be specified for
join. The gossip protocol is used to properly discover all the nodes in the cluster.
Once the node has joined, the existing cluster leader should log something like:
[INFO] raft: Added peer, starting replication
This means that raft, the underlying consensus protocol, has added the peer and begun
replicating state. Since the existing cluster may be very far ahead, it can take some
time for the new node to catch up. To check on this, run `info` on the leader:
$ terraform info
applied_index = 47244
commit_index = 47244
fsm_pending = 0
last_log_index = 47244
last_log_term = 21
last_snapshot_index = 40966
last_snapshot_term = 20
num_peers = 2
state = Leader
term = 21
This will provide various information about the state of Raft. In particular
the `last_log_index` shows the last log that is on disk. The same `info` command
can be run on the new server to see how far behind it is. Eventually the server
will be caught up, and the values should match.
It is best to add servers one at a time, allowing them to catch up. This avoids
the possibility of data loss in case the existing servers fail while bringing
the new servers up-to-date.
## Removing Servers
Removing servers must be done carefully to avoid causing an availability outage.
For a cluster of N servers, at least (N/2)+1 must be available for the cluster
to functions. See this [deployment table](/docs/internals/consensus.html#toc_3).
If you have 3 servers, and 1 of them is currently failed, removing any servers
will cause the cluster to become unavailable.
To avoid this, it may be necessary to first add new servers to the cluster,
increasing the failure tolerance of the cluster, and then to remove old servers.
Even if all 3 nodes are functioning, removing one leaves the cluster in a state
that cannot tolerate the failure of any node.
Once you have verified the existing servers are healthy, and that the cluster
can handle a node leaving, the actual process is simple. You simply issue a
`leave` command to the server.
The server leaving should contain logs like:
[INFO] terraform: server starting leave
[INFO] raft: Removed ourself, transitioning to follower
The leader should also emit various logs including:
[INFO] terraform: member 'node-10-0-1-8' left, deregistering
[INFO] raft: Removed peer, stopping replication
At this point the node has been gracefully removed from the cluster, and
will shut down.
## Forced Removal
In some cases, it may not be possible to gracefully remove a server. For example,
if the server simply fails, then there is no ability to issue a leave. Instead,
the cluster will detect the failure and replication will continuously retry.
If the server can be recovered, it is best to bring it back online and then gracefully
leave the cluster. However, if this is not a possibility, then the `force-leave` command
can be used to force removal of a server.
This is done by invoking that command with the name of the failed node. At this point,
the cluster leader will mark the node as having left the cluster and it will stop attempting
to replicate.
layout: "docs"
page_title: "Documentation"
sidebar_current: "docs-home"
# Terraform Documentation
Welcome to the Terraform documentation! This documentation is more of a reference
guide for all available features and options of Terraform. If you're just getting
started with Terraform, please start with the
[introduction and getting started guide](/intro/index.html) instead.
layout: "docs"
page_title: "Terraform Architecture"
sidebar_current: "docs-internals-architecture"
# Terraform Architecture
Terraform is a complex system that has many different moving parts. To help
users and developers of Terraform form a mental model of how it works, this
page documents the system architecture.
<div class="alert alert-block alert-warning">
<strong>Advanced Topic!</strong> This page covers technical details of
the internals of Terraform. You don't need to know these details to effectively
operate and use Terraform. These details are documented here for those who wish
to learn about them without having to go spelunking through the source code.
## Glossary
Before describing the architecture, we provide a glossary of terms to help
clarify what is being discussed:
* Agent - An agent is the long running daemon on every member of the Terraform cluster.
It is started by running `terraform agent`. The agent is able to run in either *client*,
or *server* mode. Since all nodes must be running an agent, it is simpler to refer to
the node as either being a client or server, but there are other instances of the agent. All
agents can run the DNS or HTTP interfaces, and are responsible for running checks and
keeping services in sync.
* Client - A client is an agent that forwards all RPCs to a server. The client is relatively
stateless. The only background activity a client performs is taking part of LAN gossip pool.
This has a minimal resource overhead and consumes only a small amount of network bandwidth.
* Server - An agent that is server mode. When in server mode, there is an expanded set
of responsibilities including participating in the Raft quorum, maintaining cluster state,
responding to RPC queries, WAN gossip to other datacenters, and forwarding queries to leaders
or remote datacenters.
* Datacenter - A datacenter seems obvious, but there are subtle details such as multiple
availability zones in EC2. We define a datacenter to be a networking environment that is
private, low latency, and high bandwidth. This excludes communication that would traverse
the public internet.
* Consensus - When used in our documentation we use consensus to mean agreement upon
the elected leader as well as agreement on the ordering of transactions. Since these
transactions are applied to a FSM, we implicitly include the consistency of a replicated
state machine. Consensus is described in more detail on [Wikipedia](,
as well as our [implementation here](/docs/internals/consensus.html).
* Gossip - Terraform is built on top of [Serf](, which provides a full
[gossip protocol]( that is used for multiple purposes.
Serf provides membership, failure detection, and event broadcast mechanisms. Our use of these
is described more in the [gossip documentation](/docs/internals/gossip.html). It is enough to know
gossip involves random node-to-node communication, primarily over UDP.
* LAN Gossip - This is used to mean that there is a gossip pool, containing nodes that
are all located on the same local area network or datacenter.
* WAN Gossip - This is used to mean that there is a gossip pool, containing servers that
are primary located in different datacenters and must communicate over the internet or
wide area network.
* RPC - RPC is short for a Remote Procedure Call. This is a request / response mechanism
allowing a client to make a request from a server.
## 10,000 foot view
From a 10,000 foot altitude the architecture of Terraform looks like this:

Lets break down this image and describe each piece. First of all we can see
that there are two datacenters, one and two respectively. Terraform has first
class support for multiple datacenters and expects this to be the common case.
Within each datacenter we have a mixture of clients and servers. It is expected
that there be between three to five servers. This strikes a balance between
availability in the case of failure and performance, as consensus gets progressively
slower as more machines are added. However, there is no limit to the number of clients,
and they can easily scale into the thousands or tens of thousands.
All the nodes that are in a datacenter participate in a [gossip protocol](/docs/internals/gossip.html).
This means there is a gossip pool that contains all the nodes for a given datacenter. This serves
a few purposes: first, there is no need to configure clients with the addresses of servers,
discovery is done automatically. Second, the work of detecting node failures
is not placed on the servers but is distributed. This makes the failure detection much more
scalable than naive heartbeating schemes. Thirdly, it is used as a messaging layer to notify
when important events such as leader election take place.
The servers in each datacenter are all part of a single Raft peer set. This means that
they work together to elect a leader, which has extra duties. The leader is responsible for
processing all queries and transactions. Transactions must also be replicated to all peers
as part of the [consensus protocol](/docs/internals/consensus.html). Because of this requirement,
when a non-leader server receives an RPC request it forwards it to the cluster leader.
The server nodes also operate as part of a WAN gossip. This pool is different from the LAN pool,
as it is optimized for the higher latency of the internet, and is expected to only contain
other Terraform server nodes. The purpose of this pool is to allow datacenters to discover each
other in a low touch manner. Bringing a new datacenter online is as easy as joining the existing
WAN gossip. Because the servers are all operating in this pool, it also enables cross-datacenter requests.
When a server receives a request for a different datacenter, it forwards it to a random server
in the correct datacenter. That server may then forward to the local leader.
This results in a very low coupling between datacenters, but because of failure detection,
connection caching and multiplexing, cross-datacenter requests are relatively fast and reliable.
## Getting in depth
At this point we've covered the high level architecture of Terraform, but there are much
more details to each of the sub-systems. The [consensus protocol](/docs/internals/consensus.html) is
documented in detail, as is the [gossip protocol](/docs/internals/gossip.html). The [documentation](/docs/internals/security.html)
for the security model and protocols used are also available.
For other details, either terraformt the code, ask in IRC or reach out to the mailing list.
Normal file
@ -0,0 +1,46 @@
layout: "downloads"
page_title: "Download Terraform"
sidebar_current: "downloads-terraform"
<h1>Download Terraform</h1>
<section class="downloads">
<div class="description row">
<div class="col-md-12">
Below are all available downloads for the latest version of Terraform
(<%= latest_version %>). Please download the proper package for your
operating system and architecture. You can find SHA256 checksums
for packages <a href="<%= latest_version %>_SHA256SUMS?direct">here</a>.
<% $terraform_os.each do |os| %>
<div class="row">
<div class="col-md-12 download">
<div class="icon pull-left"><%= image_tag "/images/icons/icon_#{os}.png" %>
<div class="details">
<h2 class="os-name"><%= download_os_human(os) %></h2>
<% $terraform_files[os].each do |file| %>
<li><a href="<%= download_url(file) %>"><%= download_arch(file) %></a></li>
<% end %>
<div class="clearfix">
<% end %>
<div class="row">
<div class="col-md-12 poweredby">
<a href=''>
<img src=''>
Normal file
sidebar_current: "downloads-ui"
<h1>Download Terraform Web UI</h1>
<section class="downloads">
<div class="description row">
<div class="col-md-12">
From this page you can download the web UI for Terraform. This is
distributed as a separate ZIP package. You can view a
<a href="">demo of the web UI here</a> or
you can
<a href="/intro/getting-started/ui.html">read the docs on how to set up the UI here</a>.
<p class="center">
<a class="btn btn-default btn-lg" href="<%= ui_download_url %>">
Download Terraform Web UI <%= latest_version %></a>
<div class="row">
<div class="col-md-12 poweredby">
<a href=''>
<img src=''>
Normal file
After Width: | Height: | Size: 45 KiB |
Normal file
After Width: | Height: | Size: 8.4 KiB |
Normal file
After Width: | Height: | Size: 24 KiB |
Normal file
After Width: | Height: | Size: 2.0 KiB |
Normal file
After Width: | Height: | Size: 3.7 KiB |
Normal file
After Width: | Height: | Size: 7.7 KiB |
Normal file
After Width: | Height: | Size: 19 KiB |
Normal file
After Width: | Height: | Size: 34 KiB |
Normal file
After Width: | Height: | Size: 80 KiB |
Normal file
After Width: | Height: | Size: 3.6 KiB |
Normal file
After Width: | Height: | Size: 1.9 KiB |
Normal file
After Width: | Height: | Size: 2.8 KiB |
Normal file
After Width: | Height: | Size: 10 KiB |
Normal file
After Width: | Height: | Size: 22 KiB |
Normal file
After Width: | Height: | Size: 4.3 KiB |
Normal file
After Width: | Height: | Size: 9.9 KiB |
Normal file
After Width: | Height: | Size: 9.8 KiB |
Normal file
After Width: | Height: | Size: 20 KiB |
Normal file
After Width: | Height: | Size: 1.0 KiB |
Normal file
After Width: | Height: | Size: 1.4 KiB |
Normal file
After Width: | Height: | Size: 45 KiB |
Normal file
After Width: | Height: | Size: 134 KiB |
Normal file
After Width: | Height: | Size: 73 KiB |
Normal file
After Width: | Height: | Size: 240 KiB |
Normal file
After Width: | Height: | Size: 802 B |
Normal file
After Width: | Height: | Size: 1.5 KiB |
Normal file
After Width: | Height: | Size: 281 B |
Normal file
After Width: | Height: | Size: 590 B |
Normal file
After Width: | Height: | Size: 1.1 KiB |
Normal file
After Width: | Height: | Size: 1.9 KiB |
Normal file
After Width: | Height: | Size: 361 B |
Normal file
After Width: | Height: | Size: 687 B |
Normal file
After Width: | Height: | Size: 179 B |
Normal file
After Width: | Height: | Size: 308 B |
Normal file
After Width: | Height: | Size: 9.9 KiB |
<!-- Main jumbotron for a primary marketing message or call to action -->
<div id="jumbotron-mask">
<div id="jumbotron">
<div class="container">
<div class="col-lg-6 col-md-6">
<h2 class="rls-l">
Service discovery and configuration made easy.
Distributed, highly available, and
<div class="jumbo-logo-wrap col-lg-offset-1 col-lg-5 col-md-6 hidden-xs hidden-sm">
<div class="jumbo-logo"></div>
<!-- <p><a class="btn btn-primary btn-lg">Learn more »</a></p> -->
<div class="jumbotron-dots"></div>
<div id="features">
<div class="container">
<div class="row double-row">
<div class="col-lg-6 col-md-6">
<div class="row">
<div class="col-lg-5 col-md-5">
<span class="icn discovery"></span>
<div class="col-lg-7 col-md-7">
<h2>Service Discovery</h2>
Terraform makes it simple for services to register themselves
and to discover other services via a DNS or HTTP interface.
Register external services such as SaaS providers as well.</p>
<div class="col-lg-6 col-md-6">
<div class="row">
<div class="col-lg-5 col-md-5">
<span class="icn health"></span>
<div class="col-lg-7 col-md-7">
<h2>Failure Detection</h2>
<p>Pairing service discovery with health checking prevents routing requests to unhealthy hosts and enables services to easily provide circuit breakers.</p>
<div class="row double-row">
<div class="col-lg-6 col-md-6">
<div class="row">
<div class="col-lg-5 col-md-5">
<span class="icn multi"></span>
<div class="col-lg-7 col-md-7">
<h2>Multi Datacenter</h2>
<p>Terraform scales to multiple datacenters out of the box with no complicated configuration. Look up services in other datacenters, or keep the request local.</p>
<div class="col-lg-6 col-md-6">
<div class="row">
<div class="col-lg-5 col-md-5">
<span class="icn config"></span>
<div class="col-lg-7 col-md-7">
<h2>Key/Value Storage</h2>
<p>Flexible key/value store for dynamic configuration, feature flagging, coordination, leader election and more. Long poll for near-instant notification of configuration changes.</p>
</div> <!-- /container -->
</div> <!-- /features -->
<div id="demos">
<div class="container">
<div class="terminals row">
<div class="col-xs-12 col-lg-12 explantion">
<h2>DNS Query Interface</h2>
Look up services using Terraform's built-in DNS server. Support
existing infrastructure without any code change.
<div class="terminal-item col-xs-12 col-lg-12">
<div class="terminal">
<ul class='shell-dots'>
<div class="terminal-window">
<div class="terminal">
<div class="display">
<p class="command"><span class="txt-r">admin@hashicorp</span>: dig web-frontend.service.terraform. ANY</p>
<p>; <<>> DiG 9.8.3-P1 <<>> web-frontend.service.terraform. ANY</p>
<p>;; global options: +cmd</p>
<p> </p>
<p>;; Got answer:</p>
<p>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29981</p>
<p>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0</p>
<p> </p>
<p>;web-frontend.service.terraform. IN ANY</p>
<p> </p>
<p>web-frontend.service.terraform. 0 IN A <span class="txt-p"></span></p>
<p>web-frontend.service.terraform. 0 IN A <span class="txt-p"></span></p>
<p class="command"><span class="txt-r">admin@hashicorp</span>: <span class="cursor"> </span></p>
</div> <!-- /.terminal-item -->
<div class="col-xs-12 col-lg-12 explantion">
<h2>Key Value Storage</h2>
Terraform provides a hierarchical key/value store with a simple HTTP API.
Managing configuration has never been simpler.
<div class="terminal-item col-xs-12 col-lg-12">
<div class="terminal">
<ul class='shell-dots'>
<div class="terminal-window">
<div class="terminal">
<div class="display">
<p class="command"><span class="txt-r">admin@hashicorp</span>: curl -X PUT -d 'bar' http://localhost:8500/v1/kv/foo</p>
<p class="command"><span class="txt-r">admin@hashicorp</span>: curl http://localhost:8500/v1/kv/foo</p>
<p> {</p>
<p> "CreateIndex": 100,</p>
<p> "ModifyIndex": 200,</p>
<p> "Key": "foo",</p>
<p> "Flags": 0,</p>
<p> "Value": <span class="txt-p">"YmFy"</span></p>
<p> }</p>
<p class="command"><span class="txt-r">admin@hashicorp</span>: <span class="cursor"> </span></p>
</div> <!-- /.terminal-item -->
</div><!-- /#demos -->
<div id="cta">
<div class="container">
<div class="row">
<div class="intro">
<div class="left col-xs-12 col-sm-offset-2 col-sm-4">
<p>The intro and getting started guide contain
a simple and approachable walkthrough for running Terraform locally.</p>
<div class="col-xs-offset-5 col-xs-12 col-sm-6 col-sm-offset-0 right">
<a class="outline-btn purple" href="/intro/index.html">Read the intro »</a>
layout: "intro"
page_title: "Run the Agent"
sidebar_current: "gettingstarted-agent"
# Run the Terraform Agent
After Terraform is installed, the agent must be run. The agent can either run
in a server or client mode. Each datacenter must have at least one server,
although 3 or 5 is recommended. A single server deployment is _**highly**_ discouraged
as data loss is inevitable in a failure scenario. [This guide](/docs/guides/bootstrapping.html)
covers bootstrapping a new datacenter. All other agents run in client mode, which
is a very lightweight process that registers services, runs health checks,
and forwards queries to servers. The agent must be run for every node that
will be part of the cluster.
## Starting the Agent
For simplicity, we'll run a single Terraform agent in server mode right now:
$ terraform agent -server -bootstrap -data-dir /tmp/consul
==> WARNING: Bootstrap mode enabled! Do not enable unless necessary
==> WARNING: It is highly recommended to set GOMAXPROCS higher than 1
==> Starting Terraform agent...
==> Starting Terraform agent RPC...
==> Terraform agent running!
Node name: 'Armons-MacBook-Air'
Datacenter: 'dc1'
Server: true (bootstrap: true)
Client Addr: (HTTP: 8500, DNS: 8600, RPC: 8400)
Cluster Addr: (LAN: 8301, WAN: 8302)
==> Log data will now stream in as it occurs:
[INFO] serf: EventMemberJoin: Armons-MacBook-Air.local
[INFO] raft: Node at [Follower] entering Follower state
[INFO] terraform: adding server for datacenter: dc1, addr:
[ERR] agent: failed to sync remote state: rpc error: No cluster leader
[WARN] raft: Heartbeat timeout reached, starting election
[INFO] raft: Node at [Candidate] entering Candidate state
[INFO] raft: Election won. Tally: 1
[INFO] raft: Node at [Leader] entering Leader state
[INFO] terraform: cluster leadership acquired
[INFO] terraform: New leader elected: Armons-MacBook-Air
[INFO] terraform: member 'Armons-MacBook-Air' joined, marking health alive
As you can see, the Terraform agent has started and has output some log
data. From the log data, you can see that our agent is running in server mode,
and has claimed leadership of the cluster. Additionally, the local member has
been marked as a healthy member of the cluster.
<div class="alert alert-block alert-warning">
<strong>Note for OS X Users:</strong> Terraform uses your hostname as the
default node name. If your hostname contains periods, DNS queries to
that node will not work with Terraform. To avoid this, explicitly set
the name of your node with the <code>-node</code> flag.
## Cluster Members
If you run `terraform members` in another terminal, you can see the members of
the Terraform cluster. You should only see one member (yourself). We'll cover
joining clusters in the next section.
$ terraform members
Armons-MacBook-Air alive role=terraform,dc=dc1,vsn=1,vsn_min=1,vsn_max=1,port=8300,bootstrap=1
The output shows our own node, the address it is running on, its
health state, and some metadata associated with the node. Some important
metadata keys to recognize are the `role` and `dc` keys. These tell you
the service name and the datacenter that member is within. These can be
used to lookup nodes and services using the DNS interface, which is covered
The output from the `members` command is generated based on the
[gossip protocol](/docs/internals/gossip.html) and is eventually consistent.
For a strongly consistent view of the world, use the
[HTTP API](/docs/agent/http.html), which forwards the request to the
Terraform servers:
$ curl localhost:8500/v1/catalog/nodes
In addition to the HTTP API, the
[DNS interface](/docs/agent/dns.html) can be used to query the node. Note
that you have to make sure to point your DNS lookups to the Terraform agent's
DNS server, which runs on port 8600 by default. The format of the DNS
entries (such as "Armons-MacBook-Air.node.terraform") will be covered later.
$ dig @ -p 8600 Armons-MacBook-Air.node.terraform
;Armons-MacBook-Air.node.terraform. IN A
Armons-MacBook-Air.node.terraform. 0 IN A
## Stopping the Agent
You can use `Ctrl-C` (the interrupt signal) to gracefully halt the agent.
After interrupting the agent, you should see it leave the cluster gracefully
and shut down.
By gracefully leaving, Terraform notifies other cluster members that the
node _left_. If you had forcibly killed the agent process, other members
of the cluster would have detected that the node _failed_. When a member leaves,
its services and checks are removed from the catalog. When a member fails,
its health is simply marked as critical, but is not removed from the catalog.
Terraform will automatically try to reconnect to _failed_ nodes, which allows it
to recover from certain network conditions, while _left_ nodes are no longer contacted.
Additionally, if an agent is operating as a server, a graceful leave is important
to avoid causing a potential availability outage affecting the [consensus protocol](/docs/internals/consensus.html).
See the [guides section](/docs/guides/index.html) to safely add and remove servers.
Normal file
@ -0,0 +1,94 @@
layout: "intro"
page_title: "Registering Health Checks"
sidebar_current: "gettingstarted-checks"
# Health Checks
We've now seen how simple it is to run Terraform, add nodes and services, and
query those nodes and services. In this section we will continue by adding
health checks to both nodes and services, a critical component of service
discovery that prevents using services that are unhealthy.
This page will build upon the previous page and assumes you have a
two node cluster running.
## Defining Checks
Similarly to a service, a check can be registered either by providing a
[check definition](/docs/agent/checks.html)
, or by making the appropriate calls to the
[HTTP API](/docs/agent/http.html).
We will use the check definition, because just like services, definitions
are the most common way to setup checks.
Create two definition files in the Terraform configuration directory of
the second node.
The first file will add a host-level check, and the second will modify the web
service definition to add a service-level check.
$ echo '{"check": {"name": "ping", "script": "ping -c1 >/dev/null", "interval": "30s"}}' >/etc/terraform.d/ping.json
$ echo '{"service": {"name": "web", "tags": ["rails"], "port": 80,
"check": {"script": "curl localhost:80 >/dev/null 2>&1", "interval": "10s"}}}' >/etc/terraform.d/web.json
The first definition adds a host-level check named "ping". This check runs
on a 30 second interval, invoking `ping -c1`. If the command
exits with a non-zero exit code, then the node will be flagged unhealthy.
The second command modifies the web service and adds a check that uses
curl every 10 seconds to verify that the web server is running.
Restart the second agent, or send a `SIGHUP` to it. We should now see the
following log lines:
==> Starting Terraform agent...
[INFO] agent: Synced service 'web'
[INFO] agent: Synced check 'service:web'
[INFO] agent: Synced check 'ping'
[WARN] Check 'service:web' is now critical
The first few log lines indicate that the agent has synced the new
definitions. The last line indicates that the check we added for
the `web` service is critical. This is because we're not actually running
a web server and the curl test is failing!
## Checking Health Status
Now that we've added some simple checks, we can use the HTTP API to check
them. First, we can look for any failing checks. You can run this curl
on either node:
$ curl http://localhost:8500/v1/health/state/critical
[{"Node":"agent-two","CheckID":"service:web","Name":"Service 'web' check","Status":"critical","Notes":"","ServiceID":"web","ServiceName":"web"}]
We can see that there is only a single check in the `critical` state, which is
our `web` service check.
Additionally, we can attempt to query the web service using DNS. Terraform
will not return any results, since the service is unhealthy:
dig @ -p 8600 web.service.terraform
;web.service.terraform. IN A
This section should have shown that checks can be easily added. Check definitions
can be updated by changing configuration files and sending a `SIGHUP` to the agent.
Alternatively the HTTP API can be used to add, remove and modify checks dynamically.
The API allows for a "dead man's switch" or [TTL based check](/docs/agent/checks.html).
TTL checks can be used to integrate an application more tightly with Terraform, enabling
business logic to be evaluated as part of passing a check.
@ -0,0 +1,66 @@
layout: "intro"
page_title: "Installing Terraform"
sidebar_current: "gettingstarted-install"
# Install Terraform
Terraform must first be installed on every node that will be a member of a
Terraform cluster. To make installation easy, Terraform is distributed as a
[binary package](/downloads.html) for all supported platforms and
architectures. This page will not cover how to compile Terraform from
## Installing Terraform
To install Terraform, find the [appropriate package](/downloads.html) for
your system and download it. Terraform is packaged as a "zip" archive.
After downloading Terraform, unzip the package. Copy the `terraform` binary to
somewhere on the PATH so that it can be executed. On Unix systems,
`~/bin` and `/usr/local/bin` are common installation directories,
depending on if you want to restrict the install to a single user or
expose it to the entire system. On Windows systems, you can put it wherever
you would like.
### OS X
If you are using [homebrew]( as a package manager,
than you can install terraform as simple as:
brew cask install terraform
if you are missing the [cask plugin]( you can install it with:
brew install caskroom/cask/brew-cask
## Verifying the Installation
After installing Terraform, verify the installation worked by opening a new
terminal session and checking that `terraform` is available. By executing
`terraform` you should see help output similar to that below:
$ terraform
usage: terraform [--version] [--help] <command> [<args>]
Available commands are:
agent Runs a Terraform agent
force-leave Forces a member of the cluster to enter the "left" state
info Provides debugging information for operators
join Tell Terraform agent to join cluster
keygen Generates a new encryption key
leave Gracefully leaves the Terraform cluster and shuts down
members Lists the members of a Terraform cluster
monitor Stream logs from a Terraform agent
version Prints the Terraform version
If you get an error that `terraform` could not be found, then your PATH
environment variable was not setup properly. Please go back and ensure
that your PATH variable contains the directory where Terraform was installed.
Otherwise, Terraform is installed and ready to go!
@ -0,0 +1,121 @@
layout: "intro"
page_title: "Terraform Cluster"
sidebar_current: "gettingstarted-join"
# Terraform Cluster
By this point, we've started our first agent and registered and queried
one or more services on that agent. This showed how easy it is to use
Terraform, but didn't show how this could be extended to a scalable production
service discovery infrastructure. On this page, we'll create our first
real cluster with multiple members.
When starting a Terraform agent, it begins without knowledge of any other node, and is
an isolated cluster of one. To learn about other cluster members, the agent must
_join_ an existing cluster. To join an existing cluster, only needs to know
about a _single_ existing member. After it joins, the agent will gossip with this
member and quickly discover the other members in the cluster. A Terraform
agent can join any other agent, it doesn't have to be an agent in server mode.
## Starting the Agents
To simulate a more realistic cluster, we are using a two node cluster in
Vagrant. The Vagrantfile can be found in the demo section of the repo
We start the first agent on our first node and also specify a node name.
The node name must be unique and is how a machine is uniquely identified.
By default it is the hostname of the machine, but we'll manually override it.
We are also providing a bind address. This is the address that Terraform listens on,
and it *must* be accessible by all other nodes in the cluster. The first node
will act as our server in this cluster. We're still not making a cluster
of servers.
$ terraform agent -server -bootstrap -data-dir /tmp/consul \
-node=agent-one -bind=
Then, in another terminal, start the second agent on the new node.
This time, we set the bind address to match the IP of the second node
as specified in the Vagrantfile. In production, you will generally want
to provide a bind address or interface as well.
$ terraform agent -data-dir /tmp/consul -node=agent-two -bind=
At this point, you have two Terraform agents running, one server and one client.
The two Terraform agents still don't know anything about each other, and are each part of their own
clusters (of one member). You can verify this by running `terraform members`
against each agent and noting that only one member is a part of each.
## Joining a Cluster
Now, let's tell the first agent to join the second agent by running
the following command in a new terminal:
$ terraform join
Successfully joined cluster by contacting 1 nodes.
You should see some log output in each of the agent logs. If you read
carefully, you'll see that they received join information. If you
run `terraform members` against each agent, you'll see that both agents now
know about each other:
$ terraform members
agent-one alive role=terraform,dc=dc1,vsn=1,vsn_min=1,vsn_max=1,port=8300,bootstrap=1
agent-two alive role=node,dc=dc1,vsn=1,vsn_min=1,vsn_max=1
<div class="alert alert-block alert-info">
<p><strong>Remember:</strong> To join a cluster, a Terraform agent needs to only
learn about <em>one existing member</em>. After joining the cluster, the
agents gossip with each other to propagate full membership information.
In addition to using `terraform join` you can use the `-join` flag on
`terraform agent` to join a cluster as part of starting up the agent.
## Querying Nodes
Just like querying services, Terraform has an API for querying the
nodes themselves. You can do this via the DNS or HTTP API.
For the DNS API, the structure of the names is `NAME.node.terraform` or
`NAME.DATACENTER.node.terraform`. If the datacenter is omitted, Terraform
will only search the local datacenter.
From "agent-one", query "agent-two":
$ dig @ -p 8600 agent-two.node.terraform
;agent-two.node.terraform. IN A
agent-two.node.terraform. 0 IN A
The ability to look up nodes in addition to services is incredibly
useful for system administration tasks. For example, knowing the address
of the node to SSH into is as easy as making it part of the Terraform cluster
and querying it.
## Leaving a Cluster
To leave the cluster, you can either gracefully quit an agent (using
`Ctrl-C`) or force kill one of the agents. Gracefully leaving allows
the node to transition into the _left_ state, otherwise other nodes
will detect it as having _failed_. The difference is covered
in more detail [here](/intro/getting-started/agent.html#toc_3).
@ -0,0 +1,118 @@
layout: "intro"
page_title: "Key/Value Data"
sidebar_current: "gettingstarted-kv"
# Key/Value Data
In addition to providing service discovery and integrated health checking,
Terraform provides an easy to use Key/Value store. This can be used to hold
dynamic configuration, assist in service coordination, build leader election,
and anything else a developer can think to build. The
[HTTP API](/docs/agent/http.html) fully documents the features of the K/V store.
This page assumes you have at least one Terraform agent already running.
## Simple Usage
To demonstrate how simple it is to get started, we will manipulate a few keys
in the K/V store.
Querying the agent we started in a prior page, we can first verify that
there are no existing keys in the k/v store:
$ curl -v http://localhost:8500/v1/kv/?recurse
* About to connect() to localhost port 8500 (#0)
* Trying connected
> GET /v1/kv/?recurse HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/ libidn/1.23 librtmp/2.3
> Host: localhost:8500
> Accept: */*
< HTTP/1.1 404 Not Found
< X-Terraform-Index: 1
< Date: Fri, 11 Apr 2014 02:10:28 GMT
< Content-Length: 0
< Content-Type: text/plain; charset=utf-8
* Connection #0 to host localhost left intact
* Closing connection #0
Since there are no keys, we get a 404 response back.
Now, we can put a few example keys:
$ curl -X PUT -d 'test' http://localhost:8500/v1/kv/web/key1
$ curl -X PUT -d 'test' http://localhost:8500/v1/kv/web/key2?flags=42
$ curl -X PUT -d 'test' http://localhost:8500/v1/kv/web/sub/key3
$ curl http://localhost:8500/v1/kv/?recurse
Here we have created 3 keys, each with the value of "test". Note that the
`Value` field returned is base64 encoded to allow non-UTF8
characters. For the "web/key2" key, we set a `flag` value of 42. All keys
support setting a 64bit integer flag value. This is opaque to Terraform but can
be used by clients for any purpose.
After setting the values, we then issued a GET request to retrieve multiple
keys using the `?recurse` parameter.
You can also fetch a single key just as easily:
$ curl http://localhost:8500/v1/kv/web/key1
Deleting keys is simple as well. We can delete a single key by specifying the
full path, or we can recursively delete all keys under a root using "?recurse":
$ curl -X DELETE http://localhost:8500/v1/kv/web/sub?recurse
$ curl http://localhost:8500/v1/kv/web?recurse
A key can be updated by setting a new value by issuing the same PUT request.
Additionally, Terraform provides a Check-And-Set operation, enabling atomic
key updates. This is done by providing the `?cas=` paramter with the last
`ModifyIndex` value from the GET request. For example, suppose we wanted
to update "web/key1":
$ curl -X PUT -d 'newval' http://localhost:8500/v1/kv/web/key1?cas=97
$ curl -X PUT -d 'newval' http://localhost:8500/v1/kv/web/key1?cas=97
In this case, the first CAS update succeeds because the last modify time is 97.
However the second operation fails because the `ModifyIndex` is no longer 97.
We can also make use of the `ModifyIndex` to wait for a key's value to change.
For example, suppose we wanted to wait for key2 to be modified:
$ curl "http://localhost:8500/v1/kv/web/key2?index=101&wait=5s"
By providing "?index=" we are asking to wait until the key has a `ModifyIndex` greater
than 101. However the "?wait=5s" parameter restricts the query to at most 5 seconds,
returning the current, unchanged value. This can be used to efficiently wait for
key modifications. Additionally, this same technique can be used to wait for a list
of keys, waiting only until any of the keys has a newer modification time.
This is only a few example of what the API supports. For full documentation, please
reference the [HTTP API](/docs/agent/http.html).
layout: "intro"
page_title: "Next Steps"
sidebar_current: "gettingstarted-nextsteps"
# Next Steps
That concludes the getting started guide for Terraform. Hopefully you're able to
see that while Terraform is simple to use, it has a powerful set of features.
We've covered the basics for all of these features in this guide.
Terraform is designed to be friendly to both the DevOps community and
application developers, making it perfect for modern, elastic infrastructures.
As a next step, the following resources are available:
* [Documentation](/docs/index.html) - The documentation is an in-depth reference
guide to all the features of Terraform, including technical details about the
internals of how Terraform operates.
* [Guides](/docs/guides/index.html) - This section provides various getting
started guides with Terraform, including how to bootstrap a new datacenter.
* [Examples]( -
The work-in-progress examples folder within the GitHub
repository for Terraform contains functional examples of various use cases
of Terraform to help you get started with exactly what you need.
@ -0,0 +1,139 @@
layout: "intro"
page_title: "Registering Services"
sidebar_current: "gettingstarted-services"
# Registering Services
In the previous page, we ran our first agent, saw the cluster members, and
queried that node. On this page, we'll register our first service and query
that service. We're not yet running a cluster of Terraform agents.
## Defining a Service
A service can be registered either by providing a
[service definition](/docs/agent/services.html),
or by making the appropriate calls to the
[HTTP API](/docs/agent/http.html).
We're going to start by registering a service using a service definition,
since this is the most common way that services are registered. We'll be
building on what we covered in the
[previous page](/intro/getting-started/agent.html).
First, create a directory for Terraform configurations. A good directory
is typically `/etc/terraform.d`. Terraform loads all configuration files in the
configuration directory.
$ sudo mkdir /etc/terraform.d
Next, we'll write a service definition configuration file. We'll
pretend we have a service named "web" running on port 80. Additionally,
we'll give it some tags, which we can use as additional ways to query
it later.
$ echo '{"service": {"name": "web", "tags": ["rails"], "port": 80}}' \
Now, restart the agent we're running, providing the configuration directory:
$ terraform agent -server -bootstrap -data-dir /tmp/consul -config-dir /etc/consul.d
==> Starting Terraform agent...
[INFO] agent: Synced service 'web'
You'll notice in the output that it "synced" the web service. This means
that it loaded the information from the configuration.
If you wanted to register multiple services, you create multiple service
definition files in the Terraform configuration directory.
## Querying Services
Once the agent is started and the service is synced, we can query that
service using either the DNS or HTTP API.
Let's first query it using the DNS API. For the DNS API, the DNS name
for services is `NAME.service.terraform`. All DNS names are always in the
`terraform` namespace. The `service` subdomain on that tells Terraform we're
querying services, and the `NAME` is the name of the service. For the
web service we registered, that would be `web.service.terraform`:
$ dig @ -p 8600 web.service.terraform
;web.service.terraform. IN A
web.service.terraform. 0 IN A
As you can see, an A record was returned with the IP address of the node that
the service is available on. A records can only hold IP addresses. You can
also use the DNS API to retrieve the entire address/port pair using SRV
$ dig @ -p 8600 web.service.terraform SRV
;web.service.terraform. IN SRV
web.service.terraform. 0 IN SRV 1 1 80 agent-one.node.dc1.consul.
agent-one.node.dc1.terraform. 0 IN A
The SRV record returned says that the web service is running on port 80
and exists on the node `agent-one.node.dc1.terraform.`. An additional section
is returned by the DNS with the A record for that node.
Finally, we can also use the DNS API to filter services by tags. The
format for tag-based service queries is `TAG.NAME.service.terraform`. In
the example below, we ask Terraform for all web services with the "rails"
tag. We get a response since we registered our service with that tag.
$ dig @ -p 8600 rails.web.service.terraform
;rails.web.service.terraform. IN A
rails.web.service.terraform. 0 IN A
In addition to the DNS API, the HTTP API can be used to query services:
$ curl http://localhost:8500/v1/catalog/service/web
## Updating Services
Service definitions can be updated by changing configuration files and
sending a `SIGHUP` to the agent. This lets you update services without
any downtime or unavailability to service queries.
Alternatively the HTTP API can be used to add, remove, and modify services
@ -0,0 +1,56 @@
layout: "intro"
page_title: "Web UI"
sidebar_current: "gettingstarted-ui"
# Terraform Web UI
Terraform comes with support for a
[beautiful, functional web UI]( out of the box.
This UI can be used for viewing all services and nodes, viewing all
health checks and their current status, and for reading and setting
key/value data. The UI automatically supports multi-datacenter.
For ease of deployment, the UI is
as static HTML and JavaScript.
You don't need a separate web server to run the web UI. The Terraform
agent itself can be configured to serve the UI.
## Screenshot and Demo
You can view a live demo of the Terraform Web UI
While the live demo is able to access data from all datacenters,
we've also setup demo endpoints in the specific datacenters:
[AMS2]( (Amsterdam),
[SFO1]( (San Francisco),
and [NYC1]( (New York).
A screenshot of one page of the demo is shown below so you can get an
idea of what the web UI is like. Click the screenshot for the full size.
<div class="center">
<a href="/images/terraform_web_ui.png">
<img src="/images/terraform_web_ui.png">
## Set Up
To set up the web UI,
[download the web UI package](/downloads_web_ui.html)
and unzip it to a directory somewhere on the server where the Terraform agent
is also being run. Then, just append the `-ui-dir` to the `terraform agent`
command pointing to the directory where you unzipped the UI (the
directory with the `index.html` file):
$ terraform agent -ui-dir /path/to/ui
The UI is available at the `/ui` path on the same port as the HTTP API.
By default this is `http://localhost:8500/ui`.
@ -0,0 +1,75 @@
layout: "intro"
page_title: "Introduction"
sidebar_current: "what"
# Introduction to Terraform
Welcome to the intro guide to Terraform! This guide is the best place to start
with Terraform. We cover what Terraform is, what problems it can solve, how it compares
to existing software, and a quick start for using Terraform. If you are already familiar
with the basics of Terraform, the [documentation](/docs/index.html) provides more
of a reference for all available features.
## What is Terraform?
Terraform has multiple components, but as a whole, it is a tool for discovering
and configuring services in your infrastructure. It provides several
key features:
* **Service Discovery**: Clients of Terraform can _provide_ a service, such as
`api` or `mysql`, and other clients can use Terraform to _discover_ providers
of a given service. Using either DNS or HTTP, applications can easily find
the services they depend upon.
* **Health Checking**: Terraform clients can provide any number of health checks,
either associated with a given service ("is the webserver returning 200 OK"), or
with the local node ("is memory utilization below 90%"). This information can be
used by an operator to monitor cluster health, and it is used by the service
discovery components to route traffic away from unhealthy hosts.
* **Key/Value Store**: Applications can make use of Terraform's hierarchical key/value
store for any number of purposes including: dynamic configuration, feature flagging,
coordination, leader election, etc. The simple HTTP API makes it easy to use.
* **Multi Datacenter**: Terraform supports multiple datacenters out of the box. This
means users of Terraform do not have to worry about building additional layers of
abstraction to grow to multiple regions.
Terraform is designed to be friendly to both the DevOps community and
application developers, making it perfect for modern, elastic infrastructures.
## Basic Architecture of Terraform
Terraform is a distributed, highly available system. There is an
[in-depth architecture overview](/docs/internals/architecture.html) available,
but this section will cover the basics so you can get an understanding
of how Terraform works. This section will purposely omit details to quickly
provide an overview of the architecture.
Every node that provides services to Terraform runs a _Terraform agent_. Running
an agent is not required for discovering other services or getting/setting
key/value data. The agent is responsible for health checking the services
on the node as well as the node itself.
The agents talk to one or more _Terraform servers_. The Terraform servers are
where data is stored and replicated. The servers themselves elect a leader.
While Terraform can function with one server, 3 to 5 is recommended to avoid
data loss scenarios. A cluster of Terraform servers is recommended for each
Components of your infrastructure that need to discover other services
or nodes can query any of the Terraform servers _or_ any of the Terraform agents.
The agents forward queries to the servers automatically.
Each datacenter runs a cluster of Terraform servers. When a cross-datacenter
service discovery or configuration request is made, the local Terraform servers
forward the request to the remote datacenter and return the result.
## Next Steps
See the page on [how Terraform compares to other software](/intro/vs/index.html)
to see how it fits into your existing infrastructure. Or continue onwards with
the [getting started guide](/intro/getting-started/install.html) to get
Terraform up and running and see how it works.
@ -0,0 +1,42 @@
layout: "intro"
page_title: "Terraform vs. Chef, Puppet, etc."
sidebar_current: "vs-other-chef"
# Terraform vs. Chef, Puppet, etc.
It is not uncommon to find people using Chef, Puppet, and other configuration
management tools to build service discovery mechanisms. This is usually
done by querying global state to construct configuration files on each
node during a periodic convergence run.
Unfortunately, this approach has
a number of pitfalls. The configuration information is static,
and cannot update any more frequently than convergence runs. Generally this
is on the interval of many minutes or hours. Additionally, there is no
mechanism to incorporate the system state in the configuration. Nodes which
are unhealthy may receive traffic exacerbating issues further. Using this
approach also makes supporting multiple datacenters challenging as a central
group of servers must manage all datacenters.
Terraform is designed specifically as a service discovery tool. As such,
it is much more dynamic and responsive to the state of the cluster. Nodes
can register and deregister the services they provide, enabling dependent
applications and services to rapidly discover all providers. By using the
integrated health checking, Terraform can route traffic away from unhealthy
nodes, allowing systems and services to gracefully recover. Static configuration
that may be provided by configuration management tools can be moved into the
dynamic key/value store. This allows application configuration to be updated
without a slow convergence run. Lastly, because each datacenter runs indepedently,
supporting multiple datacenters is no different than a single datacenter.
That said, Terraform is not a replacement for configuration management tools.
These tools are still critical to setup applications and even to
configure Terraform itself. Static provisioning is best managed
by existing tools, while dynamic state and discovery is better managed by
Terraform. The separation of configuration management and cluster management
also has a number of advantageous side effects: Chef recipes and Puppet manifests
become simpler without global state, periodic runs are no longer required for service
or configuration changes, and the infrastructure can become immutable since config management
runs require no global state.
@ -0,0 +1,25 @@
layout: "intro"
page_title: "Terraform vs. Custom Solutions"
sidebar_current: "vs-other-custom"
# Terraform vs. Custom Solutions
As a code base grows, a monolithic app usually evolves into a Service Oriented Architecture (SOA).
A universal pain point for SOA is service discovery and configuration. In many
cases, this leads to organizations building home grown solutions.
It is an undisputed fact that distributed systems are hard; building one is error prone and time consuming.
Most systems cut corners by introducing single points of failure such
as a single Redis or RDBMS to maintain cluster state. These solutions may work in the short term,
but they are rarely fault tolerant or scalable. Besides these limitations,
they require time and resources to build and maintain.
Terraform provides the core set of features needed by a SOA out of the box. By using Terraform,
organizations can leverage open source work to reduce their time and resource commitment to
re-inventing the wheel and focus on their business applications.
Terraform is built on well-cited research, and is designed with the constraints of
distributed systems in mind. At every step, Terraform takes efforts to provide a robust
and scalable solution for organizations of any size.
@ -0,0 +1,16 @@
layout: "intro"
page_title: "Terraform vs. Other Software"
sidebar_current: "vs-other"
# Terraform vs. Other Software
The problems Terraform solves are varied, but each individual feature has been
solved by many different systems. Although there is no single system that provides
all the features of Terraform, there are other options available to solve some of these problems.
In this section, we compare Terraform to some other options. In most cases, Terraform is not
mutually exclusive with any other system.
Use the navigation to the left to read the comparison of Terraform to specific
@ -0,0 +1,49 @@
layout: "intro"
page_title: "Terraform vs. Nagios, Sensu"
sidebar_current: "vs-other-nagios-sensu"
# Terraform vs. Nagios, Sensu
Nagios and Sensu are both tools built for monitoring. They are used
to quickly notify operators when an issue occurs.
Nagios uses a group of central servers that are configured to perform
checks on remote hosts. This design makes it difficult to scale Nagios,
as large fleets quickly reach the limit of vertical scaling, and Nagios
does not easily scale horizontally. Nagios is also notoriously
difficult to use with modern DevOps and configuration management tools,
as local configurations must be updated when remote servers are added
or removed.
Sensu has a much more modern design, relying on local agents to run
checks and pushing results to an AMQP broker. A number of servers
ingest and handle the result of the health checks from the broker. This model
is more scalable than Nagios, as it allows for much more horizontal scaling,
and a weaker coupling between the servers and agents. However, the central broker
has scaling limits, and acts as a single point of failure in the system.
Terraform provides the same health checking abilities as both Nagios and Sensu,
is friendly to modern DevOps, and avoids the scaling issues inherent in the
other systems. Terraform runs all checks locally, like Sensu, avoiding placing
a burden on central servers. The status of checks is maintained by the Terraform
servers, which are fault tolerant and have no single point of failure.
Lastly, Terraform can scale to vastly more checks because it relies on edge triggered
updates. This means that an update is only triggered when a check transitions
from "passing" to "failing" or vice versa.
In a large fleet, the majority of checks are passing, and even the minority
that are failing are persistent. By capturing changes only, Terraform reduces
the amount of networking and compute resources used by the health checks,
allowing the system to be much more scalable.
An astute reader may notice that if a Terraform agent dies, then no edge triggered
updates will occur. From the perspective of other nodes all checks will appear
to be in a steady state. However, Terraform guards against this as well. The
[gossip protocol](/docs/internals/gossip.html) used between clients and servers
integrates a distributed failure detector. This means that if a Terraform agent fails,
the failure will be detected, and thus all checks being run by that node can be
assumed failed. This failure detector distributes the work among the entire cluster,
and critically enables the edge triggered architecture to work.
@ -0,0 +1,46 @@
layout: "intro"
page_title: "Terraform vs. Serf"
sidebar_current: "vs-other-serf"
# Terraform vs. Serf
[Serf]( is a node discovery and orchestration tool and is the only
tool discussed so far that is built on an eventually consistent gossip model,
with no centralized servers. It provides a number of features, including group
membership, failure detection, event broadcasts and a query mechanism. However,
Serf does not provide any high-level features such as service discovery, health
checking or key/value storage. To clarify, the discovery feature of Serf is at a node
level, while Terraform provides a service and node level abstraction.
Terraform is a complete system providing all of those features. In fact, the internal
[gossip protocol](/docs/internals/gossip.html) used within Terraform, is powered by
the Serf library. Terraform leverages the membership and failure detection features,
and builds upon them.
The health checking provided by Serf is very low level, and only indicates if the
agent is alive. Terraform extends this to provide a rich health checking system,
that handles liveness, in addition to arbitrary host and service-level checks.
Health checks are integrated with a central catalog that operators can easily
query to gain insight into the cluster.
The membership provided by Serf is at a node level, while Terraform focuses
on the service level abstraction, with a single node to multiple service model.
This can be simulated in Serf using tags, but it is much more limited, and does
not provide useful query interfaces. Terraform also makes use of a strongly consistent
Catalog, while Serf is only eventually consistent.
In addition to the service level abstraction and improved health checking,
Terraform provides a key/value store and support for multiple datacenters.
Serf can run across the WAN but with degraded performance. Terraform makes use
of [multiple gossip pools](/docs/internals/architecture.html), so that
the performance of Serf over a LAN can be retained while still using it over
a WAN for linking together multiple datacenters.
Terraform is opinionated in its usage, while Serf is a more flexible and
general purpose tool. Terraform uses a CP architecture, favoring consistency over
availability. Serf is a AP system, and sacrifices consistency for availability.
This means Terraform cannot operate if the central servers cannot form a quorum,
while Serf will continue to function under almost all circumstances.
@ -0,0 +1,41 @@
layout: "intro"
page_title: "Terraform vs. SkyDNS"
sidebar_current: "vs-other-skydns"
# Terraform vs. SkyDNS
SkyDNS is a relatively new tool designed to solve service discovery.
It uses multiple central servers that are strongly consistent and
fault tolerant. Nodes register services using an HTTP API, and
queries can be made over HTTP or DNS to perform discovery.
Terraform is very similar, but provides a superset of features. Terraform
also relies on multiple central servers to provide strong consistency
and fault tolerance. Nodes can use an HTTP API or use an agent to
register services, and queries are made over HTTP or DNS.
However, the systems differ in many ways. Terraform provides a much richer
health checking framework, with support for arbitrary checks and
a highly scalable failure detection scheme. SkyDNS relies on naive
heartbeating and TTLs, which have known scalability issues. Additionally,
the heartbeat only provides a limited liveness check, versus the rich
health checks that Terraform is capable of.
Multiple datacenters can be supported by using "regions" in SkyDNS,
however the data is managed and queried from a single cluster. If servers
are split between datacenters the replication protocol will suffer from
very long commit times. If all the SkyDNS servers are in a central datacenter, then
connectivity issues can cause entire datacenters to lose availability.
Additionally, even without a connectivity issue, query performance will
suffer as requests must always be performed in a remote datacenter.
Terraform supports multiple datacenters out of the box, and it purposely
scopes the managed data to be per-datacenter. This means each datacenter
runs an independent cluster of servers. Requests are forwarded to remote
datacenters if necessary. This means requests for services within a datacenter
never go over the WAN, and connectivity issues between datacenters do not
affect availability within a datacenter. Additionally, the unavailability
of one datacenter does not affect the service discovery of services
in any other datacenter.
@ -0,0 +1,57 @@
layout: "intro"
page_title: "Terraform vs. SmartStack"
sidebar_current: "vs-other-smartstack"
# Terraform vs. SmartStack
SmartStack is another tool which tackles the service discovery problem.
It has a rather unique architecture, and has 4 major components: ZooKeeper,
HAProxy, Synapse, and Nerve. The ZooKeeper servers are responsible for storing cluster
state in a consistent and fault tolerant manner. Each node in the SmartStack
cluster then runs both Nerves and Synapses. The Nerve is responsible for running
health checks against a service, and registering with the ZooKeeper servers.
Synapse queries ZooKeeper for service providers and dynamically configures
HAProxy. Finally, clients speak to HAProxy, which does health checking and
load balancing across service providers.
Terraform is a much simpler and more contained system, as it does not rely on any external
components. Terraform uses an integrated [gossip protocol](/docs/internals/gossip.html)
to track all nodes and perform server discovery. This means that server addresses
do not need to be hardcoded and updated fleet wide on changes, unlike SmartStack.
Service registration for both Terraform and Nerves can be done with a configuration file,
but Terraform also supports an API to dynamically change the services and checks that are in use.
For discovery, SmartStack clients must use HAProxy, requiring that Synapse be
configured with all desired endpoints in advance. Terraform clients instead
use the DNS or HTTP APIs without any configuration needed in advance. Terraform
also provides a "tag" abstraction, allowing services to provide metadata such
as versions, primary/secondary designations, or opaque labels that can be used for
filtering. Clients can then request only the service providers which have
matching tags.
The systems also differ in how they manage health checking.
Nerve's performs local health checks in a manner similar to Terraform agents.
However, Terraform maintains separate catalog and health systems, which allow
operators to see which nodes are in each service pool, as well as providing
insight into failing checks. Nerve simply deregisters nodes on failed checks,
providing limited operator insight. Synapse also configures HAProxy to perform
additional health checks. This causes all potential service clients to check for
liveness. With large fleets, this N-to-N style health checking may be prohibitively
Terraform generally provides a much richer health checking system. Terraform supports
Nagios style plugins, enabling a vast catalog of checks to be used. It also
allows for service and host-level checks. There is also a "dead man's switch"
check that allows applications to easily integrate custom health checks. All of this
is also integrated into a Health and Catalog system with APIs enabling operator
to gain insight into the broader system.
In addition to the service discovery and health checking, Terraform also provides
an integrated key/value store for configuration and multi-datacenter support.
While it may be possible to configure SmartStack for multiple datacenters,
the central ZooKeeper cluster would be a serious impediment to a fault tolerant
@ -0,0 +1,61 @@
layout: "intro"
page_title: "Terraform vs. ZooKeeper, doozerd, etcd"
sidebar_current: "vs-other-zk"
# Terraform vs. ZooKeeper, doozerd, etcd
ZooKeeper, doozerd and etcd are all similar in their architecture.
All three have server nodes that require a quorum of nodes to operate (usually a simple majority).
They are strongly consistent, and expose various primitives that can be used
through client libraries within applications to build complex distributed systems.
Terraform works in a similar way within a single datacenter with only server nodes.
In each datacenter, Terraform servers require a quorum to operate
and provide strong consistency. However, Terraform has native support for multiple datacenters,
as well as a more complex gossip system that links server nodes and clients.
If any of these systems are used for pure key/value storage, then they all
roughly provide the same semantics. Reads are strongly consistent, and availability
is sacrificed for consistency in the face of a network partition. However, the differences
become more apparent when these systems are used for advanced cases.
The semantics provided by these systems are attractive for building
service discovery systems. ZooKeeper et al. provide only a primitive K/V store,
and require that application developers build their own system to provide service
discovery. Terraform provides an opinionated framework for service discovery, and
eliminates the guess work and development effort. Clients simply register services
and then perform discovery using a DNS or HTTP interface. Other systems
require a home-rolled solution.
A compelling service discovery framework must incorporate health checking and the
possibility of failures as well. It is not useful to know that Node A
provides the Foo service if that node has failed or the service crashed. Naive systems
make use of heartbeating, using periodic updates and TTLs. These schemes require work linear
to the number of nodes and place the demand on a fixed number of servers. Additionally, the
failure detection window is at least as long as the TTL. ZooKeeper provides ephemeral
nodes which are K/V entries that are removed when a client disconnects. These are more
sophisticated than a heartbeat system, but also have inherent scalability issues and add
client side complexity. All clients must maintain active connections to the ZooKeeper servers,
and perform keep-alives. Additionally, this requires "thick clients", which are difficult
to write and often result in difficult to debug issues.
Terraform uses a very different architecture for health checking. Instead of only
having server nodes, Terraform clients run on every node in the cluster.
These clients are part of a [gossip pool](/docs/internals/gossip.html), which
serves several functions including distributed health checking. The gossip protocol implements
an efficient failure detector that can scale to clusters of any size without concentrating
the work on any select group of servers. The clients also enable a much richer set of health checks to be run locally,
whereas ZooKeeper ephemeral nodes are a very primitive check of liveness. Clients can check that
a web server is returning 200 status codes, that memory utilization is not critical, there is sufficient
disk space, etc. The Terraform clients expose a simple HTTP interface and avoid exposing the complexity
of the system is to clients in the same way as ZooKeeper.
Terraform provides first class support for service discovery, health checking,
K/V storage, and multiple datacenters. To support anything more than simple K/V storage,
all these other systems require additional tools and libraries to be built on
top. By using client nodes, Terraform provides a simple API that only requires thin clients.
Additionally, the API can be avoided entirely by using configuration files and the
DNS interface to have a complete service discovery solution with no development at all.
@ -0,0 +1,20 @@
