Securing AWS Infrastructure Deployment with Terraform and IAM Guidelines (part 3/3)
Safely Managing Terraform State in Production with Terraform Cloud
In the previous section, you created, modified, and terminated cloud resources from your local machine, storing the .tfstate file locally. In a production environment that is not acceptable: the state file records every resource ID and frequently contains secrets (database passwords, keys, tokens) in plaintext, so it must be encrypted and access-controlled, while still being shared by the whole team. The recommended way to get both traceability and transparency is to run Terraform in a remote environment (Terraform Cloud). Terraform Cloud stores and encrypts the .tfstate file, gives the team shared access to it, and drives every change through the Version Control Workflow, so each state change is tied to a commit and a pull request.
I will create a new GitHub repository, push my local Terraform code into it, and connect it to Terraform Cloud. Terraform Cloud will then run a speculative (plan-only) run on every pull request targeting the main branch, and a real plan, with a manual apply step, whenever a change is merged into main. To integrate the GitHub workflow with Terraform Cloud, follow the steps below.
Objective
- Demonstrate how to safely execute Terraform using Terraform Cloud with the Version Control Workflow.
Agenda
- Create a HashiCorp account.
- Access Terraform Cloud.
- Set up Terraform Cloud.
- Set workspace variables.
- Create a pull request against the main branch.
- Review your state file.
- Destroy.
Create HashiCorp account
Terraform is a HashiCorp product, so to use Terraform Cloud you first need a HashiCorp account. You can create one by following this link:
Access to Terraform Cloud
After creating the HashiCorp account, you can access Terraform Cloud by following this link:
Setup Terraform Cloud
- Create an organization.
- Create a workspace by clicking the New button.
- Select Version Control Workflow.
- Select GitHub (Custom), then follow the instructions.
- Choose the repository.
- After creating the workspace, navigate to Settings/Version Control to configure how Terraform Cloud reacts to the repository. These settings make Terraform Cloud run on every pull request against the main branch and on every merge into it, which is what gives you traceability and transparency in team collaboration:
- Terraform Working Directory: /src (Terraform Cloud runs its commands in this directory of the repository).
- VCS Triggers: check Always trigger runs.
- VCS branch: main (merges into this branch trigger a plan that you then confirm and apply).
- Pull Requests: check Automatic speculative plans.
Note: a speculative plan is a plan-only run that shows what would change if the pull request were merged. It never applies anything, and the result is linked from the pull request's status checks so reviewers can read it before merging.
- Click Update VCS settings.
- To set the working directory for the Terraform Cloud workspace, navigate to Settings/General (Terraform Cloud executes its commands in this directory).
- Terraform Working Directory: enter /src.
- Click Save settings.
Set workspace variables
Never hardcode credentials or environment-specific values in the repository. Put the values that vary per deployment (instance name, AMI, instance type) in the workspace's Terraform variables, and put the AWS credentials in the workspace's Environment variables with the Sensitive checkbox set, so they are write-only: they are never shown again in the UI and are redacted from run logs. The AWS provider reads them from the run's environment, so they never appear in any .tf file.
- Navigate to the workspace overview.
- Click Configure variables.
I will configure the following values in my workspace's variables:
- INSTANCE_NAME (Terraform variable)
- INSTANCE_AMI (Terraform variable)
- INSTANCE_TYPE (Terraform variable)
- AWS_ACCESS_KEY_ID (Environment variable, Sensitive; use your AWS account access key ID)
- AWS_SECRET_ACCESS_KEY (Environment variable, Sensitive; use your AWS account secret access key)
- AWS_SESSION_TOKEN (Environment variable, Sensitive; only needed when the key pair above is a temporary credential. Temporary credentials expire, so runs will start failing until the three values are refreshed.)
- Click Add variable.
- Finally, you should have these variables configured.
Create Pull Request on main branch
- In variables.tf, declare one variable for each Terraform variable you created in the workspace, and reference them from the main module (main.tf) as var.<name>. Leave the default as an empty string, or omit the default entirely so that Terraform fails fast with a clear error if a workspace variable is missing. When the run executes on Terraform Cloud, the values are taken from the workspace's variables.
- Remove any output in output.tf that exports a sensitive value: outputs are printed in the run log and written to state.
- Create a new branch and commit your change, then push the branch to the remote repository.
- Open a pull request against the main branch:
- After pushing the committed change to the new branch, click Compare & pull request.
- Make sure the base branch of the pull request is main.
- Click Create pull request.
- Review the speculative plan that Terraform Cloud attaches to the pull request. It tells you whether the modified code would work and exactly which resources would be created, changed, or destroyed.
- When the committed change is considered acceptable, your senior or a teammate merges it into the main branch by clicking Merge pull request.
- After the merge, the workspace automatically queues a plan for the new main branch; the apply still requires manual confirmation.
- Review the plan.
- If you are sure you want to add these resources, click Confirm & apply.
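The three files the steps above describe, written out as an added example (this is not the post's own code; the resource name, provider version constraint and region are assumptions). The variable names match the workspace variables, credentials are left out of the configuration entirely because the AWS provider reads them from the run's environment, and the AMI variable carries a validation block so that a missing workspace value fails the plan immediately instead of letting the empty default reach the AWS API:

```hcl
# --- variables.tf ---
# Added example, not the post's own code. Each variable name matches a
# Terraform variable defined in the Terraform Cloud workspace; at run time
# the workspace supplies the value, so nothing is hardcoded in the repo.

variable "INSTANCE_NAME" {
  type        = string
  description = "Value of the Name tag on the EC2 instance"
  default     = ""
}

variable "INSTANCE_AMI" {
  type        = string
  description = "AMI ID to launch; supplied by the workspace"
  default     = ""

  # Fail the plan early if the workspace variable is missing or malformed.
  validation {
    condition     = can(regex("^ami-[0-9a-f]+$", var.INSTANCE_AMI))
    error_message = "INSTANCE_AMI must be set in the workspace to an AMI ID (ami-...)."
  }
}

variable "INSTANCE_TYPE" {
  type        = string
  description = "EC2 instance type, e.g. t3.micro"
  default     = ""
}

# --- main.tf ---
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # assumed version constraint
    }
  }
}

# No credentials here. The AWS provider reads AWS_ACCESS_KEY_ID,
# AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN from the run's environment,
# which Terraform Cloud populates from the workspace's sensitive
# Environment variables.
provider "aws" {
  region = "us-east-1" # assumed region
}

resource "aws_instance" "this" { # resource name is an assumption
  ami           = var.INSTANCE_AMI
  instance_type = var.INSTANCE_TYPE

  tags = {
    Name = var.INSTANCE_NAME
  }
}

# --- output.tf ---
# Export only what callers need and nothing secret. Outputs appear in the
# run log and in state. A value that must be exported but must not be
# displayed gets `sensitive = true`, which redacts it in logs and the UI;
# it is still written to state, which is why the state file itself has to
# stay confidential.
output "instance_id" {
  value = aws_instance.this.id
}

output "private_ip" {
  # Treated as sensitive here only to show the mechanism.
  value     = aws_instance.this.private_ip
  sensitive = true
}
```

With this layout a reviewer can see from the pull request diff that the configuration contains no secrets, and a run whose workspace is missing INSTANCE_AMI fails at plan time with the validation message rather than after an API call with an empty AMI ID.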
Review Your State File
Sometimes you need to review the state file. You can do this as follows.
- Go to States.
- You will see the state history, one entry per run that changed the state.
- Click the name of a run (in this case, Triggered via UI) to view the state that run produced.
Destroy
When you no longer need the resources in the cloud, destroy them so you are not charged for unused resources. ✅
- Navigate to Settings.
- Go to Destruction and Deletion.
- Click Queue destroy plan.
- Enter your workspace name to confirm, then click Queue destroy plan.
- The plan summarizes which resources will be destroyed.
- Click Confirm & apply to destroy them.
Thank you for reading! Your feedback is valuable to me. Please feel free to leave comments, I appreciate any suggestions for improving my blog.