Also available on my blog here.

Introduction

In my last post, I covered how I set up VSCode for Terraform. The second most popular question is how I set up my workstation for Terraform development.

As with most things in the tech world, there are many ways to do things. The following is the way that works for me. I am always looking for ways to improve my workflow, so if you have suggestions, please let me know.

Additionally, I am a Mac user, so some of the tools I use are harder to use on Windows. However, the tools can be used in WSL or DevContainers if you use either of those tools.

On a Mac, I use Homebrew to install my tools. Also, Since we have to store all our code in a version control system, I installed the latest version of git with Homebrew.

# Install Homebrew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Git
brew install git

Installing Terraform

I have to use multiple versions of Terraform for different projects, so I use TFSwitch to switch the version of Terraform installed based on the directory I am in and the version constraint in my Terraform configuration.

brew install warrensbox/tap/tfswitch

I have configured tfswitch to link the correct version of Terraform to~/bin/terraform as the ~/bin directory is in my $PATH. This is done by creating a~/.tfswitch.toml file with the following contents:

bin="~/bin/terraform"

I use the following zsh function to load tfswitch in a directory with Terraform configuration files.

load-tfswitch() {
  local tfswitchrc_path="${HOME}/.tfswitch.toml"

  # if [[ -f "$tfswitchrc_path" ]] && [[ -f "terraform.tf" ]]; then
  if [[ -f "$tfswitchrc_path" ]]; then
    if [[ $(ls -l *.tf | wc -l ) -gt 0 ]] 2> /dev/null; then
      tfswitch
    fi
  fi
}

add-zsh-hook chpwd load-tfswitch
load-tfswitch

Now, if you don't need to support multiple versions of Terraform, you can install it with Homebrew from HashiCorp's tap.

  brew install hashicorp/tap/terraform

Otherwise, you can download it directly from the Terraform Install page.

Git Tools

Storing your Terraform configuration in a version control system is a must. I don't do development daily, so I forget to format my code and check for secrets or other vulnerabilities. One of the worst is that I forgot to update the README.md with any variable or output changes. The most annoying thing is that I forgot to create a new branch for my changes, as most of the git repos I work in have the default branch protected, so I can't push directly to it.

To help me with all of these problems, I use Git Hooks, specifically the pre-commit hook to check for all of these things before I commit my changes. If you are unfamiliar with Git Hooks, they are scripts that run automatically when specific actions occur in a Git repository. You can use these scripts to enforce coding standards, check for vulnerabilities, or even run tests before you commit your changes.

Traditionally, you would have to write these scripts yourself, but there is a tool called pre-commit that makes it easy to install and manage these hooks.

brew install pre-commit

Once you have pre-commit installed, you can create a .pre-commit-config.yaml file in the root of your repository with the following contents:

# yaml-language-server: $schema=https://json.schemastore.org/pre-commit-config.json

repos:
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        entry: trufflehog git file://. --since-commit HEAD --fail
        language: golang
        pass_filenames: false
        stages: ["pre-commit", "pre-push"]
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: check-merge-conflict
      - id: end-of-file-fixer
      - id: no-commit-to-branch
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.97.0
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
        args:
          - --hook-config=--retry-once-with-cleanup=true
      - id: terraform_docs
        args:
          - --args=--lockfile=false
      - id: terraform_tflint
        args:
          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
      - id: terraform_checkov
      - id: infracost_breakdown
        args:
          - --args=--path=.
          - --args=--terraform-var-file="terraform.tfvars"
        # verbose: true

Every time you commit your changes, the pre-commit tool runs and checks each hook you have defined. If any hook fails, the commit will abort, and you must fix the issues before committing your changes.

We haven't covered all of the hooks in the .pre-commit-config.yaml file, but I'll list the ones I use here:

• trufflehog: Scans your git repo for committed secrets 😱.
• check-merge-conflict: Checks for files that contain merge conflict strings.
• end-of-file-fixer: Ensures that files end with a newline.
• no-commit-to-branch: Prevents commits directly to a branch (default branch in our case).
• terraform_fmt: Formats your Terraform code.
• terraform_validate: Validates your Terraform code.
• terraform_docs: Dynamically updates your README.md with information on your module's inputs, outputs, and requirements.
• terraform_tflint: A Terraform linter that checks for best practices and errors in your Terraform code.
• terraform_checkov: A tool that checks your Terraform code for security vulnerabilities.
• infracost_breakdown: Gives you a cost estimate for the cloud resources your module would deploy.

Tools needed for the Pre-commit hooks that I use

You will need to install a few of these tools to use all of the pre-commit hooks that I have listed above.

Trufflehog scans your git repo for secrets 😱. Doing this as a pre-commit hook lets you catch secrets before committing them. This way, they don't end up in your git history, keeping your security team happy.

brew install trufflesecurity/trufflehog/trufflehog

Terraform-docs dynamically updates your README.md with information on your module's inputs, outputs, and requirements.

brew install terraform-docs

In your README.md file, you can add the following comments to have terraform-docs update the file.

<!-- BEGIN_TF_DOCS -->
<!-- END_TF_DOCS -->

Infracost provides a cost estimate for the cloud resources on which your configuration will be deployed.

brew install infracost

Jq is a lightweight and flexible command-line JSON processor. required for terraform_validate with--retry-once-with-cleanup flag, and for infracost_breakdown hook.

brew install jq

TFLint is a Terraform linter that checks for best practices and errors in your Terraform code.

brew install tflint

Checkov is a static code analysis tool for infrastructure as code (IaC).

brew install checkov

Convenience Tools

With Terraform installed via tfswitch and the pre-commit hooks setup, I have a solid foundation for my Terraform development workflow. But I use a few more tools to make my life easier.

First, I use 1Password to store my secrets, API keys, and passwords. I also use the 1Password CLI to access my secrets via environment variables and shell scripts.

brew install 1password 1password-cli

With 1Password and the 1Password CLI installed, I can access my secrets via the op command.

export TFE_TOKEN=$(op read --cache "op://Vault/Item/Key")

This allows me to easily set environment variables for my secrets in my shell. However, I need to remember to unset these variables when I'm done with them. To help with this, I use Direnv to set and unset variables based on my directory.

brew install direnv

I use the following .envrc file in the root of my Terraform configuration to set my secrets.

# Exports
export TFE_TOKEN=$(op read --cache "op://Vault/Item/Key")

# Terraform Variable exports
export TF_VAR_okta_token=$(op read --cache "op://Vault/Item/Section/Key")
export TF_VAR_okta_client_id=$(op read --cache "op://Vault/Item/Section/Key")
export TF_VAR_okta_client_secret=$(op read --cache "op://Vault/Item/Section/Key")

The above example exports the TFE_TOKEN and a few Terraform variables. When I change into or out of the directory with the.envrc file, direnv will set and unset these variables for me.

With so many tools in use, remembering all the commands to run can be a pain. Yes, I could create aliases for them, but I like to keep my shell clean. So, I use Task to create a Taskfile.yml with all the commands I use.

# yaml-language-server: $schema=https://taskfile.dev/schema.json
# https://taskfile.dev

version: "3"

dotenv: [".envrc"]

vars:
  CURRENT_DATE:
    sh: date +"%Y-%m-%dT%H:%M:%S%Z"

tasks:
  default:
    cmds:
      - task: pre

  hog:
    cmds:
      - trufflehog git file://. --since-commit HEAD --only-verified --fail

  pre:
    cmds:
      - pre-commit autoupdate
      - pre-commit run -a

  push:
    cmds:
      - git add .
      - git commit -m "{{.CURRENT_DATE}}"
      - git push
    silent: true

  tag:
    cmds:
      - git push
      - git tag -s {{.CLI_ARGS}} -m "{{.CLI_ARGS}}"
      - git push --tags

Now I can run task hog to scan my git repo for secrets, task pre to run all of my pre-commit hooks, task push to commit my changes and push them to the remote, and task tag -- v1.0.0 to tag my release.

Conclusion

This is how I set up my workstation for Terraform development. I hope you found it helpful. If you have any suggestions or tools that you use, please let me know. I am always looking for ways to improve my workflow.

Originally published at https://www.404-code-not-found.com on January 31, 2025.

Available on my blog here

Introduction

One of the first questions I get when teaching Terraform is, “What editor should I use?” My answer is always, “Use what you are comfortable with. If you don’t have a preference, I recommend Visual Studio Code.” Over the years, I have used everything from vi to Notepad++ to Sublime Text to Atom to Visual Studio Code. I have found that Visual Studio Code is easy to pick up for new users and easy to customize to your liking.

I am not a developer by trade; I’m more of a hack-it-together kind of person. I copy a lot of code from the internet or use GenAI and modify it to fit my needs. So, I don’t work in an IDE every day. I need something easy to use and easy to customize.

TL;DR

For those of you like me who want the quick and dirty, here are the steps to set up your VS Code for Terraform development:

1. Install Visual Studio Code — Download
2. Create a profile for Terraform — See next section
3. Clone my Terraform template repository — Terraform Template
4. Open the repository in VS Code — This will prompt you to install the recommended extensions and import the settings.
5. Go forth and Terraform!

Visual Studio Code Profiles

One of the reasons I like Visual Studio Code is that it supports profiles. I can create a profile for each type of work I do. I have profiles for Terraform, Python, Ansible, and Markdown. Each profile has its settings, extensions, and keybindings. By using profiles, I can tailor the editor to the work I am doing.

Creating a Profile

To create a profile, click on the gear icon in the lower-left corner of the VS Code window. This will open the Settings window. In the Settings window, click on the Profiles option.

The Profiles tab allows you to view your current profiles and create new ones. To create a new profile, click the `New Profile` button.

This will create a new Untitled profile.

You can now name your profile by editing the name field. You also have the option to copy the settings from an existing profile. This is useful for creating a new profile similar to an existing one or importing your default settings.

VS Code Extensions for Terraform

I will admit that I am a bit of an extension junkie. I have a lot of extensions, but some don’t play well together, so I use profiles to help limit the number of extensions I have enabled at any one time.

I use four extensions for Terraform development in Visual Studio Code:

- HashiCorp Terraform

- HashiCorp HCL

- HashiCorp Sentinel

- Multiple cursor case preserver

You’re probably looking at the list and wondering, “Why do you need a case preserver?” How many times have you decided to change the name of a variable and then had to go back and change the case of the variable in multiple places? This extension will preserve the case of the variable when you change it. It’s a small thing, but it saves me a lot of time.

VS Code Settings for Terraform

I like to use a few settings when working with Terraform. Most of these can be set in the VS Code UI, but they can also be shared in a JSON file within the.vscode. directory of your working directory.

Here are my Terraform specific VS Code settings:

{
  "[sentinel]": {
    "editor.defaultFormatter": "hashicorp.terraform"
  },
  "[terraform]": {
    "editor.defaultFormatter": "hashicorp.terraform"
  },
  "[tfvars]": {
    "editor.defaultFormatter": "hashicorp.terraform"
  },
  "editor.bracketPairColorization.enabled": true,
  "editor.formatOnPaste": true,
  "editor.formatOnSave": true,
  "editor.formatOnType": true,
  "editor.guides.bracketPairs": "active",
  "editor.inlineSuggest.enabled": true,
  "editor.linkedEditing": true,
  "editor.multiCursorModifier": "alt",
  "editor.renderControlCharacters": true,
  "editor.renderWhitespace": "all",
  "editor.rulers": [
    {
      "color": "#A5FF90",
      "column": 80
    },
    {
      "color": "#FF628C",
      "column": 100
    }
  ],
  "editor.stickyScroll.enabled": true,
  "editor.suggestSelection": "first",
  "editor.tabCompletion": "on",
  "editor.tabSize": 2,
  "files.associations": {
    "*.policy": "sentinel",
    "*.sh.tmpl": "shellscript"
  },
  "files.trimTrailingWhitespace": true,
  "terraform.languageServer.enable": true
}

Not all of these settings are needed, but they are the ones I like to use. You can adjust them to fit your needs.

• editor.defaultFormatter - This sets the default formatter for the editor. I like to use the HashiCorp Terraform formatter for all of my Terraform,tfvars, and Sentinel policy files.
• editor.bracketPairColorization.enabled - This will colorize the brackets in your code to make it easier to see where they start and end.
• editor.formatOnPaste, editor.formatOnSave, editor.formatOnType - These settings will format your code when you paste it, save the file, or type in the editor.
• editor.guides.bracketPairs - This will highlight the bracket pair that you are currently working within.
• editor.inlineSuggest.enabled - This will enable inline suggestions in the editor.
• editor.linkedEditing - This will link the editing of a variable name to all instances of that variable in the file.
• editor.multiCursorModifier - This sets the keybinding for creating multiple cursors.
• editor.renderControlCharacters - This will render control characters in the editor.
• editor.renderWhitespace - This will render whitespace in the editor.
• editor.rulers - This will add rulers to the editor at the specified columns. I don't like to have lines that are too long, so I set my rulers at 80 and 100 columns.
• editor.stickyScroll.enabled - This will enable sticky scrolling so that the block header stays at the top of the editor as you scroll through the code section.
• editor.suggestSelection - This sets the default suggestion selection to the first suggestion.
• editor.tabCompletion - This will enable tab completion in the editor.
• editor.tabSize - This sets the tab size to 2 spaces.
• files.associations - This will associate the specified file extensions with the specified language. I also work with many shell script templates that Terraform processes, so I associate the.sh.tmpl files with the shellscript language.
• files.trimTrailingWhitespace - This will trim trailing whitespace from the end of lines.
• terraform.indexing - This will set the indexing options for the Terraform configs we are working with.
• terraform.languageServer.enable - This will enable the Terraform language server.

Conclusion

This helps you get started with Terraform development in Visual Studio.

Updates

2025–01–25

I removed settings for an older Terraform extension I used before the official HashiCorp extension was released. Also, I removed file associations that used the Terraform extension to format Sentinel policy files and generic HCL files. I now use the HashiCorp Sentinel extension for Sentinel policy files and the HashiCorp HCL extension for generic HCL files.

Originally published at https://www.404-code-not-found.com on October 10, 2024.