Securing AWS Infrastructure Deployment with Terraform and IAM Guidelines (part 3/3)

Safely Managing Terraform State in Production with Terraform Cloud

Jessada.Srm
5 min read · Apr 25, 2024
Photo by Y Y on Unsplash

In the previous sections you created, modified and destroyed cloud resources from your local machine, with the .tfstate file stored on local disk. In a production environment that is not enough: the state file must be protected (it records every resource attribute, including any secret the configuration touched), encrypted, and still reachable by the whole team. The approach used here is to run Terraform remotely in Terraform Cloud with the Version Control Workflow. Terraform Cloud stores the state encrypted at rest, every change is traceable to a commit and a run, and access is governed by workspace permissions rather than by whoever happens to hold a copy of the file.

I will create a new GitHub repository, push my local Terraform code into it, and connect it to Terraform Cloud. Terraform Cloud then produces a speculative (plan-only) run for every pull request that targets the main branch, and queues a real plan/apply run whenever a change is merged into main. To integrate the GitHub workflow with Terraform Cloud, follow the steps below.

Objective

  • Demonstrate how to safely execute Terraform using Terraform Cloud with the Version Control Workflow.

Agenda

  • Create a HashiCorp account.
  • Access Terraform Cloud.
  • Set up Terraform Cloud.
  • Set workspace variables.
  • Create a pull request against the main branch.
  • Review your state file.
  • Destroy.

Create HashiCorp account

Terraform is a HashiCorp product, so to use Terraform Cloud you first need a HashiCorp account. You can create one by following this link:

Access to Terraform Cloud

After creating your HashiCorp account, you can access Terraform Cloud by following this link:

Setup Terraform Cloud

  • Create an organization.
  • Create a workspace by clicking the New button.
Terraform Cloud Workspaces Dashboard
  • Select Version Control Workflow.
Workflow Selection
  • Select GitHub (Custom), then follow the instructions to authorize Terraform Cloud against your GitHub account.
VCS Provider Selection Page
  • Choose the repository.
Select Repository
  • After creating the workspace, navigate to Settings/Version Control to configure how Terraform Cloud reacts to the GitHub repository. The settings below make every pull request against main produce a speculative plan and every merge into main queue a run, which is what gives the team traceability and transparency.
  • Terraform Working Directory: /src (the directory inside the repository that holds the Terraform code).
Configure Default Working Directory
  • VCS Triggers: check Always trigger runs.
  • VCS branch: main (the branch Terraform Cloud watches; merges into it queue runs).
  • Pull Requests: check Automatic speculative plans.

Note: A speculative plan is a plan-only run that is never applied. Terraform Cloud reports it as a status check on the pull request, with a link to the full plan output, so reviewers can see the proposed infrastructure change before merging.

  • Click Update VCS settings.
Configure VCS Triggers
  • The working directory is also set under Settings/General. Terraform Cloud runs its commands in this directory of the checked-out repository.
  • Terraform Working Directory: enter /src.
Configure Terraform Workspace Working Directory.
  • Click Save settings.

Set workspace variables

Never hardcode configuration or credentials in the repository. Put non-secret configuration values (instance name, AMI, instance type) in the workspace's Terraform variables, and put the AWS credentials in the workspace's environment variables marked Sensitive, so that Terraform Cloud stores them write-only and never shows them again in the UI, the API or the run logs. The credentials used here are the short-lived keys from AWS IAM Identity Center, which expire on their own; for anything longer-lived, prefer Terraform Cloud's dynamic provider credentials (OIDC) over static access keys.

  • Navigate to the workspace overview.
  • Click Configure variables.
Configure workspace environment variables.

I will configure the following values into my workspace’s variables:

  • INSTANCE_NAME (Terraform variable)
  • INSTANCE_AMI (Terraform variable)
  • INSTANCE_TYPE (Terraform variable)
  • AWS_ACCESS_KEY_ID (environment variable, Sensitive; your AWS access key ID)
  • AWS_SECRET_ACCESS_KEY (environment variable, Sensitive; your AWS secret access key)
  • AWS_SESSION_TOKEN (environment variable, Sensitive; your AWS session token)
AWS Credentials on AWS IAM Identity Center
  • Click Add variable.
Configure workspace environment variables.
  • Example:
Example when configuring workspace variables
  • Finally, you should have these variables configured.
Workspace Variables on This Project
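The same workspace and variable setup, written as configuration instead of clicks. This is an added example using the hashicorp/tfe provider, not code from the original post; the organization name, repository and OAuth token ID are placeholders, and the AWS credential values arrive through a sensitive input variable so they never appear in the file. The point to notice is the split: non-secret settings go in as Terraform variables, while the AWS keys go in as environment variables marked sensitive, which is the form the AWS provider reads and the Terraform Cloud UI never echoes back.

```hcl
terraform {
  required_providers {
    tfe = {
      source  = "hashicorp/tfe"
      version = "~> 0.50"
    }
  }
}

# Placeholders (assumptions): replace with your organization and repository.
variable "tfc_organization" {
  type    = string
  default = "example-org"
}

variable "github_repo" {
  type    = string
  default = "example-user/terraform-aws-demo"
}

variable "vcs_oauth_token_id" {
  description = "OAuth token ID of the GitHub (Custom) VCS connection (Settings > VCS Providers)."
  type        = string
  sensitive   = true
}

variable "aws_credentials" {
  description = "Short-lived credentials copied from IAM Identity Center. Never commit real values."
  type = object({
    access_key_id     = string
    secret_access_key = string
    session_token     = string
  })
  sensitive = true
}

# The provider authenticates with the TFE_TOKEN environment variable.
provider "tfe" {}

resource "tfe_workspace" "demo" {
  name                  = "aws-demo" # assumption
  organization          = var.tfc_organization
  working_directory     = "src"  # Settings > General > Terraform Working Directory
  auto_apply            = false  # keep the manual "Confirm & apply" gate
  speculative_enabled   = true   # Pull Requests: Automatic speculative plans
  file_triggers_enabled = false  # VCS Triggers: Always trigger runs

  vcs_repo {
    identifier     = var.github_repo
    branch         = "main"
    oauth_token_id = var.vcs_oauth_token_id
  }
}

# Non-secret configuration: plain Terraform variables, visible in the UI.
locals {
  tf_vars = {
    INSTANCE_NAME = "demo-instance"
    INSTANCE_AMI  = "ami-0123456789abcdef0" # placeholder, not a real AMI
    INSTANCE_TYPE = "t3.micro"
  }
}

resource "tfe_variable" "tf_vars" {
  for_each     = local.tf_vars
  key          = each.key
  value        = each.value
  category     = "terraform"
  workspace_id = tfe_workspace.demo.id
}

# Credentials: environment variables marked sensitive. The key list is a
# literal set so for_each does not depend on a sensitive value; only the
# value expression does, which Terraform allows.
locals {
  env_secrets = {
    AWS_ACCESS_KEY_ID     = var.aws_credentials.access_key_id
    AWS_SECRET_ACCESS_KEY = var.aws_credentials.secret_access_key
    AWS_SESSION_TOKEN     = var.aws_credentials.session_token
  }
}

resource "tfe_variable" "env_secrets" {
  for_each     = toset(["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"])
  key          = each.key
  value        = local.env_secrets[each.key]
  category     = "env"
  sensitive    = true
  workspace_id = tfe_workspace.demo.id
}
```

Run it from a separate repository with TFE_TOKEN set and the credential values passed on the command line or via a .tfvars file that is excluded from version control. Because the three AWS variables are sensitive, Terraform Cloud will only ever let you overwrite them, never read them back; when the IAM Identity Center session expires, apply again with fresh values.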

Create Pull Request on main branch

  • Declare the variables that the main module (main.tf) references in variables.tf, using the same names as the workspace's Terraform variables.
Define Variables on Your Terraform Code

Leave the default empty (or omit it altogether). When the code runs on Terraform Cloud, the values come from the workspace's variables; with no default, a variable the workspace fails to supply makes the plan fail instead of quietly producing an empty AMI ID or instance type.

  • Remove any output that exports a sensitive value from output.tf, or mark it sensitive = true so Terraform Cloud redacts it in the run log and the pull-request check. Either way the value is still recorded in the state file.
output.tf
  • Create a new branch, commit your change and push it to the remote repository.
  • After you have pushed the committed change to the new branch, open a pull request against main:
  • Click Compare & pull request.
Create pull request
  • Make sure the pull request targets the main branch.
  • Then click Create pull request.
Review your pull request's destination.
  • Terraform Cloud runs a speculative plan for the pull request and reports the result as a status check. Open it to review exactly what the modified code would create, change or destroy before anyone merges.
  • When the change is judged acceptable, a senior or teammate merges it into the main branch with the Merge pull request button.
Terraform will be triggered.
  • Merging into main queues a run in the workspace automatically, but because auto-apply is off the apply still waits for manual confirmation.
  • Review the plan.
  • If you are sure you want to add these resources, click Confirm & apply.
Review your plan.
Manually confirm execution.
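The three files from the steps above, as an added example rather than the post's own src/ code. It assumes the variable names used in the workspace, adds an AWS_REGION variable the post does not mention, uses a placeholder AMI ID, and shows the output.tf change in both its unsafe and corrected form. Nothing in it carries credentials: the provider block has no keys because the AWS provider reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN from the workspace's environment variables.

```hcl
# variables.tf -- values arrive from the workspace's Terraform variables.
# No default on the two that matter: if Terraform Cloud does not supply
# a value, the plan fails instead of silently launching a blank instance.
variable "INSTANCE_NAME" {
  type = string
}

variable "INSTANCE_AMI" {
  type = string

  # Reject anything that is not shaped like an AMI ID before the provider is called.
  validation {
    condition     = can(regex("^ami-[0-9a-f]{8,17}$", var.INSTANCE_AMI))
    error_message = "INSTANCE_AMI must look like ami-xxxxxxxx."
  }
}

variable "INSTANCE_TYPE" {
  type    = string
  default = "t3.micro" # a non-secret default is fine
}

variable "AWS_REGION" {
  type    = string
  default = "ap-southeast-1" # assumption; not one of the post's variables
}

# main.tf -- no credentials here. The AWS provider picks up
# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN
# from the environment that Terraform Cloud builds from the sensitive
# workspace environment variables.
terraform {
  required_version = ">= 1.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = var.AWS_REGION
}

resource "aws_instance" "this" {
  ami           = var.INSTANCE_AMI
  instance_type = var.INSTANCE_TYPE

  # Require IMDSv2 so credentials on the instance cannot be read by a plain GET.
  metadata_options {
    http_tokens = "required"
  }

  tags = {
    Name = var.INSTANCE_NAME
  }
}

# output.tf -- before: an output like this prints a secret attribute
# (a generated key or password, hypothetical here) into every run log
# and pull-request plan:
#
#   output "secret_material" { value = <some resource>.private_key_pem }
#
# after: export only identifiers, and mark anything remotely sensitive
# so Terraform Cloud redacts it. Marked or not, it is still in the state file.
output "instance_id" {
  value = aws_instance.this.id
}

output "instance_private_ip" {
  value     = aws_instance.this.private_ip
  sensitive = true
}
```

Put the files under src/ to match the working directory configured in the workspace. If you later need the redacted output, terraform output -raw on a machine with access to the workspace prints it, which is exactly why state read access should be limited to the people who need it.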

Review Your State File

Sometimes you need to review the state file. Keep in mind that the state records every resource attribute in plaintext, including values marked sensitive, so access to it is governed by the workspace's permissions; grant state read access only to the people who need it.

  • Go to States.
  • You will see the state history, one entry per run that changed the state.
  • Open any entry by clicking the name of the run that produced it, in this case Triggered via UI.
Review state.

Destroy

Whenever you no longer need the resources in the cloud, destroy them so you are not charged for unused resources. ✅

  • Navigate to Settings.
  • Go to Destruction and Deletion.
  • Click Queue destroy plan.
  • Enter your workspace name, then click Queue destroy plan.
  • Terraform Cloud summarizes which resources will be destroyed.
  • Click Confirm & apply to destroy the resources.

Thank you for reading! Your feedback is valuable to me. Please feel free to leave comments, I appreciate any suggestions for improving my blog.


Jessada.Srm

Ex-Mechanical Engineer, now a Software Engineer. Passionate about cloud and software development. Blogging to document and share my projects.