Continuous Infrastructure Deployment with Terraform Cloud

Stackshare recently published a story showing that around 1400 companies advertise using Terraform as part of their tech stack. Of course, the number is far higher in reality.

Once you start using Terraform at scale, you'll start encountering complexities with maintaining consistency. In addition, the more team members you have, the more you'll need solutions like remote state or workspaces.

Terraform Cloud takes care of all that. So keep reading for a brief look at some of the more impressive features that will save your workflow.

Terraform vs Terraform Cloud

So, what's the difference between Terraform and Terraform Cloud? Well, very simply, HashiCorp provides a managed solution for enterprises wanting to cut down on extra tooling and documentation.

Terraform Cloud incorporates remote state storage, workspaces, workflows, and integrated version control to make collaboration easier. Using cloud automation, Terraform Cloud gives you a stable, consistent environment to run your code in.

Most of the IT industry has adopted infrastructure as code at this point, enabled by Terraform. The cloud offering just gives this a place to live and makes it repeatable and available to your whole team.

Workspaces

A workspace is a simple enough concept. It's just a collection of infrastructure. Your organization will probably need to manage quite a few collections like this.

Regular Terraform uses directories to separate collections. Terraform Cloud uses workspaces in the same way, logically separating content and code. A workspace functions exactly the same as a separate working directory.

Some key differences between Terraform and the cloud offering include the way they store data. A brief list includes:

Configuration 

Terraform Cloud stores your Terraform configuration in a repository that you've linked. Alternatively, you may upload it periodically using an API or CLI.

Variables 

Locally, you'll be used to storing your variable values in a .tfvars file. These will now be stored in the workspace itself.

State 

Depending on your setup, you are likely storing state either locally on each machine or on remote storage. Terraform Cloud stores all state in the workspace.

Credentials and Secrets 

These are normally stored either in your local env or are interactively entered. Terraform Cloud again stores these in the workspace but as "sensitive variables."

VCS vs. CLI Workspaces

Something you'll come across when creating workspaces is the choice of which kind of workspace you'd like to create. Though you can always create a new workspace, it's easier to get things right the first time.

VCS Workspace

One of the big advantages of Terraform Cloud is the ability to automatically integrate your source control. Setting up a VCS workspace will create a workflow that validates each pull request.

Terraform Cloud will automatically clone the repository, plan, and show a success or failure status. The VCS workspace really shines when it comes to automation.

Terraform Cloud is tightly integrated with the VCS Workspaces and initiates an apply automatically on merge. This does mean, however, that you won't be able to apply your changes from the command line.

CLI Workspace

If your experience is mainly with the traditional CLI Terraform command, you may find CLI Workspaces more comfortable. You'll find you have more control using the command line, but there are some tradeoffs.

The setup of a CLI workspace is a little harder to manage and you'll need to authenticate to TF Cloud before you can perform any actions. Of course, most good CI tools have actions built-in so this shouldn't be too much of a problem.

Into the Thick of It

Now that we've looked at some of the basics of Terraform Cloud, let's delve into some details. In this example, we'll look at how to set up a basic CI pipeline with TF Cloud as well as a nice, repeatable workflow.

Workspace Automation

One of the truly excellent features of TF Cloud is its built-in support for Terraform itself. That means that you can interact directly with the console using your normal TF syntax.

Take, for example, creating workspaces. We could do this manually through the console, but it's far more DevOps friendly to do it automatically.

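resource "tfe_workspace" "terraform-demo" {
  # Workspace names may contain only letters, numbers, "-" and "_"
  name         = "terraform-demo-workspace"
  organization = tfe_organization.demo-org.id

  # An agent pool only applies when runs execute on agents, so the pool
  # must come from a tfe_agent_pool resource and execution_mode must be "agent"
  agent_pool_id  = tfe_agent_pool.demo-agent-pool.id
  execution_mode = "agent"

  # Start a run only when files under these prefixes change
  file_triggers_enabled = true
  trigger_prefixes      = ["demo1", "demo2"]
}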

It's a deceptively simple piece of code, but let's take a look at what it's actually doing. We're using Terraform code to interact with Terraform Cloud and create a workspace, complete with build triggers and agent_pool setup.

From an automation perspective, there are obviously many great opportunities here. You could flesh this out with some simple for_each loops, bring in different variables and ssh_keys on a case-by-case basis, and much more.
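
One way to flesh this out with for_each, as an added example that is not part of the original article. The organization name, workspace names, trigger prefixes and variables are constructed; each workspace gets its own variables and, where needed, its own SSH key.

```hcl
# Added example: organization, workspace names and variables are constructed.
variable "organization" {
  type    = string
  default = "demo-org" # assumption: an existing Terraform Cloud organization
}

locals {
  # One entry per workspace. Set ssh_key_id only where private modules need it.
  workspaces = {
    "demo-network" = {
      prefixes   = ["modules/network"]
      ssh_key_id = null
      variables  = { region = "eu-west-1" }
    }
    "demo-app" = {
      prefixes   = ["modules/app", "modules/shared"]
      ssh_key_id = null
      variables  = { region = "eu-west-1", instance_count = "2" }
    }
  }

  # Flatten to one element per (workspace, variable) pair so for_each can key on it.
  workspace_variables = merge([
    for ws, cfg in local.workspaces : {
      for k, v in cfg.variables : "${ws}/${k}" => { workspace = ws, key = k, value = v }
    }
  ]...)
}

resource "tfe_workspace" "this" {
  for_each              = local.workspaces
  name                  = each.key
  organization          = var.organization
  file_triggers_enabled = true
  trigger_prefixes      = each.value.prefixes
  ssh_key_id            = each.value.ssh_key_id
}

resource "tfe_variable" "this" {
  for_each     = local.workspace_variables
  key          = each.value.key
  value        = each.value.value
  category     = "terraform"
  workspace_id = tfe_workspace.this[each.value.workspace].id
}
```

Because both resources are keyed by name rather than by position, adding or removing one workspace or variable leaves the others untouched in the plan.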

At this point, it would also be a good idea to look at the possibilities offered by Terraform Cloud's API offering. There's a robust interface here that can be powerful.

Dealing With Secrets

Any discussion of Terraform would be incomplete without talking about secrets. While they are one of the most useful features, secrets inevitably end up being a nightmare for developers.

Here is where we turn again to the strong integration with Terraform. Security concerns dictate that we don't store secrets in state files. So, let's pull them in, shall we?

# "my_secret_provider" stands in for whichever secrets data source you use
data "my_secret_provider" "secret_parameters" {
  for_each        = local.map_to_secrets
  name            = each.value.value
  with_decryption = each.value.with_decryption
}

# Create one workspace variable per entry in local.all_my_variables
resource "tfe_variable" "scary_secrets" {
  count        = length(local.all_my_variables)
  key          = local.all_my_variables[count.index].key
  value        = local.all_my_variables[count.index].value
  category     = "terraform"
  workspace_id = local.workspace_id
  description  = local.all_my_variables[count.index].description
  sensitive    = local.all_my_variables[count.index].sensitive
}

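As you can see, we're able to fetch secrets from an external provider. We're also taking advantage of some iteration to create TF Cloud variables directly in code and apply them to a workspace. Note that Terraform still records the values it reads and sets in the state of the configuration that runs this code, so access to that state should be restricted accordingly.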
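
A concrete version of the snippet above, as an added example that is not part of the original article. It assumes AWS SSM Parameter Store as the secrets provider (the article's my_secret_provider is a placeholder; with_decryption is an argument of the aws_ssm_parameter data source), and the parameter paths, variable names and var.workspace_id are constructed.

```hcl
# Added example: parameter paths, variable names and var.workspace_id are constructed.
variable "workspace_id" {
  type        = string
  description = "ID of the target Terraform Cloud workspace (assumption: created elsewhere)"
}

locals {
  # Workspace variable key => where to read the secret from.
  map_to_secrets = {
    db_password = { value = "/demo/db/password", with_decryption = true }
    api_token   = { value = "/demo/api/token", with_decryption = true }
  }
}

# Assumption: AWS SSM Parameter Store replaces the article's placeholder provider.
data "aws_ssm_parameter" "secret_parameters" {
  for_each        = local.map_to_secrets
  name            = each.value.value
  with_decryption = each.value.with_decryption
}

resource "tfe_variable" "scary_secrets" {
  # Keyed by variable name, so reordering the map never recreates a variable.
  for_each     = local.map_to_secrets
  key          = each.key
  value        = data.aws_ssm_parameter.secret_parameters[each.key].value
  category     = "terraform"
  workspace_id = var.workspace_id
  description  = "Read from SSM parameter ${each.value.value}"

  # Always sensitive here: the value cannot be read back in the UI or API.
  sensitive = true
}
```

Hard-coding sensitive = true, instead of reading the flag from a per-variable setting, means a missing or mistyped flag cannot expose a secret as a plain workspace variable.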

Adopting Terraform Cloud

Whether we're using a VCS or CLI workspace, we're able to run this code pretty quickly and get a working build within minutes. Terraform Cloud makes it simple to create a functioning CI system with very little effort.

The best way for you to experience the TF Cloud offering is to go through the tutorials. These will give you a good feeling for the advantages of cloud-based Terraform.

There are simply too many functions to explore in the scope of one article. If you'd like to read more about Terraform Cloud, check out the extensive documentation.
