Terraform is one of the most widely used Infrastructure as Code products today. People use it to deploy virtual machines, container deployments, functions, and network and storage constructs across all the major cloud providers (AWS, Azure, GCP and OCI), VMware-based clouds built on Cloud Director, and traditional on-premises infrastructure running on VMware ESXi and Nutanix; Terraform can even be used to instantiate bare-metal servers when coupled with a lifecycle management tool like RackN Digital Rebar. As infrastructure provisioning tooling, it can and does deliver vast value.
However, there is one area where the open-source version falls short, and that is enterprise scaling. It is true that hocus-pocus, rune casting and magic can be used to scale out and stabilise large-scale Infrastructure as Code deployments using the open-source product, but this is just duct tape and brown paper. The Terraform concepts of Workspaces and layers can be used to split a monolithic state file into smaller, consumable parts. By creating layers or using Workspaces, you can make smaller blast zones, speed up plans and applies, and allow greater work throughput by permitting multiple runs against a platform without state file locking issues. However, there is a downside to open-source Workspaces and the state file layering approach: as it scales, it becomes difficult to keep track of what is where and who owns what. Also, without a lot of planning, it becomes difficult to ascertain which layer is higher or lower down the stack when changes to infrastructure are required.
This is where Terraform Cloud from HashiCorp enters from the side-lines to save the day.
What is Terraform Cloud?
Terraform Cloud (TFC) is a hosted and managed solution offered by HashiCorp; at its most basic, it appears to be a remote state store, but it is much more potent than that. TFC provides some powerful tooling: it gives structure to the layout of Workspaces, shared variable sets, tags to attach to workspaces to help define ownership, the ability to use multiple workspaces as layers, support for multiple VCS providers (including public and private repositories), and multiple authentication methods, and this is just the free version. The features expand with the costed versions, Teams & Governance and Business. For a more in-depth investigation into the differences between each version of Terraform, from the free open-source version to the fully featured self-hosted Enterprise version, have a quick read of this article, “Terraform Editions Explained: Cloud, Enterprise and OSS.”
Terraform Cloud – How to get started?
One of the best things about Terraform Cloud is that the barrier to entry is set very low; there is a free tier, and unlike most products, the free tier is free for life. The free version may appear to provide only basic functionality when compared to the costed versions, but as a product, it is not to be trifled with. For example, we have State Management, Remote Operations and a Private Module Registry; these are powerful tools.
For this article, we will concentrate on the features of the free tier and how to set up your environment.
Terraform Cloud – Initial Set-up
After pointing your favourite browser at the following website (https://app.terraform.io), you will find two options for logging in; you can log in with your HCP (HashiCorp Cloud Platform) account or with a username and password. If you already have an account, either on HCP or directly with Terraform Cloud, you can skip this section.
To sign up, click the “Free Account” link; this will open up the following form.
Terraform Cloud – First Login and initial configuration
That is the easy bit over and done with: you have an account and your own Terraform place in the cloud. Now it is time to start the configuration. After logging on for the first time, you will be presented with the following screen.
If you have experience with Terraform Cloud, then choose the “Start from Scratch” option; that said, if you have the experience, why are you reading this 101 HowTo basic 😊. We will assume no prior knowledge for this article, so select the “Try an Example Configuration” option. After clicking the box, you will be presented with the following page.
You may not be familiar with the “terraform login” command; it is used to create an API token for Terraform Cloud or Terraform Enterprise (the on-premises version of Terraform Cloud). When the command is run without a host name, it assumes that you are creating a token for Terraform Cloud. Once the command has run successfully, you will be presented with the following in your terminal.
Point your browser at the location shown in the above image. This should result in the following page being rendered:
Click the “create API token” button.
Copy the token and return to the terminal and enter the copied API token at the prompt.
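The token you just pasted is a bearer secret that “terraform login” stores in plain text in ~/.terraform.d/credentials.tfrc.json, so it is worth confirming that the file is owner-readable only and holds an entry for the host you expect. The following shell script is an added example, not part of the original article or a HashiCorp tool; the credentials path and JSON layout are the ones “terraform login” uses, and the sample file it writes is constructed with a fake token value.

```shell
#!/bin/sh
# Added example: sanity-check the credentials file written by `terraform login`
# without ever printing the token itself.

# Return 0 if FILE holds a non-empty token for HOST, 1 otherwise.
tfc_has_token() {
  file="$1"; host="$2"
  [ -r "$file" ] || return 1
  # Strip whitespace so the nested JSON collapses to one line, then look for
  # "<host>":{"token":"<non-empty>"} (the layout terraform login writes).
  tr -d '\n\t ' < "$file" | grep -q "\"$host\":{\"token\":\"[^\"]\{1,\}\""
}

# Return 0 if FILE is not readable by group or others (octal mode ends in 00).
tfc_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Combined check used from a shell prompt or a CI job: "ok" or a reason.
tfc_check() {
  file="$1"; host="${2:-app.terraform.io}"
  tfc_has_token "$file" "$host" || { echo "no token for $host in $file"; return 1; }
  tfc_perms_ok "$file"          || { echo "$file is readable by other users"; return 1; }
  echo ok
}

# --- Constructed demonstration input (token value is fake) -------------------
demo_dir=$(mktemp -d)
demo_file="$demo_dir/credentials.tfrc.json"
cat > "$demo_file" <<'EOF'
{
  "credentials": {
    "app.terraform.io": {
      "token": "EXAMPLE.atlasv1.notARealTokenValue"
    }
  }
}
EOF
chmod 600 "$demo_file"
tfc_check "$demo_file"                      # prints: ok
tfc_check "$demo_file" tfe.example.internal # prints: no token for ... (assumed host)
```

On a real machine, run `tfc_check "$HOME/.terraform.d/credentials.tfrc.json"` after logging in; a file that is group- or world-readable should be fixed with chmod 600.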
If you return to the Terraform Cloud instance, you will see that there is now a registered token showing:
If you now open the side menu, you will notice that it is now filled out with several items.
Having a look around
The “Profile” section is where you set up your individuality. The “Sessions” item will inform you of where sessions are being brokered from.
Here we can see my IP address; as this is my session, no Revoke button is visible. However, any other sessions that are connected to TFC will show this button, which will enable you to revoke any unknown sessions.
The “Password” item is, unsurprisingly, the method used to change a password. Under the “Two Factor Authentication” item, you can configure MFA. You have two options: Application (an OTP application like Google or Microsoft Authenticator) or an SMS message sent to your cell phone. HashiCorp recommend setting both, as a backup; that said, if I lost my Authenticator device, I would also have lost my phone, so I would not be able to receive my SMS message either.
Highlight the Application and click the “Enable 2FA” button. This will open a form with a QR code; follow the procedure to add a new account to your Authenticator application of choice, then add the displayed code and click verify to complete.
You will now see the following form; here you can disable 2FA if you wish.
Remember that I mentioned HashiCorp recommend choosing both the Authenticator and SMS methods of MFA verification? Well, here is a third option, your get-out-of-jail-free card. Click on “Reveal Codes”; this will display 11 one-time-use codes. Click the download button to save these to your PC in a safe place.
SSO is not available to Free Terraform Cloud users. So, this section will only show your manually created user accounts.
The last Item is the Organisation option; this is the meat of the TFC environment. Clicking the option reveals the following:
Be brave and click the “Create New Organization” button to reveal the following; enter a unique Organisation name and click “Create Organization”.
After creating your organisation, you will notice that your menu has again changed.
We now have a “Workspaces,” “Registry” and a “Settings” section.
We will start with the Settings section; this is where your configuration has moved to now that you have created an Organisation. On entering this section, you will note that you have three sub-menus, “Organisation Settings”, “Security”, and “Version Control”; we will investigate each separately, starting with “Organisation Settings”. There are several options under this sub-heading, starting with General; this is where you rename the organisation, change the email registered with it, or delete it completely. Remember this is a permanent deletion; there is no recycle bin in Terraform Cloud.
Planning and billing shows you your current payment plan, offers the ability to change your plan to a costed version, and allows you to see your invoices.
The next three options are self-explanatory: Tags, where you set your tag options to ease workspace management and resource identity; Teams, where you group users for collaboration; and Users, where your users are identified, invited and removed. The final option for this sub-set is “Variable Sets”. You will spend a significant period of time in this section when configuring your environment; this is where you configure workspace variables. There are four specific types available.
| Variable type | Scope | Further reading |
|---|---|---|
| Run-Specific | Apply to a specific run within a single workspace | Specify Run-Specific Variables |
| Workspace-Specific | Apply to a single workspace | Create Workspace-Specific Variables; Loading Variables from Files; Workspace-Specific Variables API |
| Variable Set | Apply to multiple workspaces within the same organisation | Create Variable Sets; Variable Sets API |
| Global Variable Set | Automatically applied to all current and future workspaces within an organisation | Create Variable Sets; Variable Sets API |
I would recommend reading this page for greater depth:
The second sub-heading is Security. The first item is API Tokens, where you will find three options; each has a different scope within or across Organisations. The User Token is the only token that can be granted permissions across multiple organisations and is individual to a user. User Tokens are created in the relevant user’s section under “Users.” The second token is a “Team Token;” these are used by services, for example a CI/CD pipeline or a service principal in Azure, and they apply to a Workspace only. To configure a Team token, navigate to the “Teams” page under Organisation Settings and select the specific Team. The final option is an “Organisation Token;” these are used to manage teams, team membership and workspaces, and they cannot be used to perform deployments or plans within a workspace. For deeper information, read this page.
The final sub-section is “Version Control.” There are three options under this section. The first, General, covers setting the status of speculative plans, pull requests and shared repositories. At first look this can seem confusing, but at its most basic it refers to blocking some status checks from being sent to your VCS.
The second option is “Events.” At the time of writing this section is in Beta and only supports new connections to “GitLab“. HashiCorp are going to add other providers, but currently it is of little interest to “GitHub“, “BitBucket” and other VCS provider users.
The final setting is “Providers;” this is where you set up your connection to a VCS provider.
So, let’s go ahead and configure the connection to your code repository. Click on the “Add a VCS provider” button or the “Add one now” link. As you can see, there are currently four options; these cover the main players in the version control space and will account for the vast majority of repositories out in the wild.
We are going to connect a GitHub VCS in this article; the process for the other providers is very similar. Click on the “GitHub” button, and you will see that you have the option to connect to an “On-Premises GitHub Enterprise” deployment or a “GitHub.com” SaaS environment. Click the second option; this leads you to a very busy form with a lot of information and options.
Click on the “Register a new OAuth Application” link and fill in the details from section one of the TFC form into the GitHub OAuth application form; click “Register application” to complete. One point to note: if you are going to have headless access to your Git repository, remember to check the “Enable Device Flow” button.
After clicking the “Register Application” you will receive something similar to the response below.
Your version will still be showing the secret ID; copy this now, as you will not be able to recover it again. Return to your TFC instance and copy the “Client ID” and the “Secret ID” from GitHub into the fields in part 2 of the Setup Provider form.
Once complete click “Connect and continue.” This will, if successful, redirect you to the following response from GitHub.com.
To complete the process, click “Authorise <Your Account Details Here>”. You will receive an email from GitHub telling you that you have added a third-party application.
You now have the option of setting up an SSH keypair. This is an optional process, and the majority of organisations will not require one; the only time one is actually needed is to access Git submodules that can only be reached via SSH. It is advised that you speak to your security team for advice on this matter. I will leave the decision on the SSH keypair requirement to you. We will click ”Skip and finish.” You will be redirected to a form similar to the following.
One final thing to note is that you can go back and add an SSH key if you later find out that one is needed.
This is a perfect place to finish this article: we have created our account and connected our VCS. In the next article we will configure Terraform Cloud to do useful work by building out a new workspace in your Organisation.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.