The easiest way to create Terraform Modules and set up Terraform Cloud with github.com and AWS
Hopefully, this post makes working with Terraform modules easy for beginners.
We will primarily work with aws provider and use github.com and terraform cloud to create our module and a resource in an aws region.
Problem: When I started working with Terraform modules, it was confusing and time taking to get the project up and running quickly. Please note this article does not provide a walkthrough about publishing the module to a public or private registry but only to structure it, write the code, integrate with terraform cloud and create a sample aws resource.
Pre-requisite: You will need basic knowledge of Go since we will clone a github.com public repo and build the project to create an executable and run the executable to create the initial terraform module structure.
Assumption: You are using MacOS.
Go to your terminal and cd into wherever you would like to clone this repo.
git clone https://github.com/aakashbanerjee/gentfmodlayout.git
go build gentfmod.go
Go 1.15 is required and if all goes well you will have the executable gentfmod
Now let’s create the symlink so you can execute this from anywhere.
sudo ln -s -f /Users/username/gentfmodlayout/gentfmod /usr/local/bin
Remember /Users/username/gentfmodlayout/gentfmod this should be updated to wherever your executable resides. -f will just force even if the file exist.
Now let’s go to github.com and create a simple repo for our terraform and clone it.
Go back to terminal and clone this repo
git clone path to your tfcloudsetuptest repo
Open this project in your favorite IDE and you will see there are no files except for a gitignore. That is fine. At this point if we didn’t have the go executable gentfmod ready, we would have to create the terraform folder structure etc from scratch. Here’s the magic!
go back to terminal and cd into the tfcloudsetuptest project folder if you are not already in it. Run…
Enter terraform module name:
(Since the test code example is generated to create an iam access analyzer resource) You can name it anything.
Press Enter. You will see…
Creating terraform module iamaccessanalyzer folders and files at /Users/username/tfcloudsetuptest
Successfully created folders and generated files to write structured Terraform modules following best practices.
Let’s go back to the IDE and see what happened.
Awesome! now we have folder structure and files ready to go with sample code to create IAM Access Analyzer in us-east-1 with a root module and a child module.
Now let’s go into provider.tf first. We need to update the code with an IAM Role ARN, Session Name that Terraform Cloud will assume to create the resources in our AWS account. So if you do not have this setup follow along.
Create a user first with read only access. We will generate the access keys for this user and setup our Terraform cloud Workspace.
You can name the user : terraform
Attach Managed Policy: ReadOnlyAccess
Go to the security credentials tab for this user and generate the access keys and note down the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for this user.
Now click on Roles. Create a new role tfprovisioner and attach the AdministratorAccess managed policy for now. If you have the time I highly recommend going for Least privilege in this case we will only IAM Access Analyzer full access.
Click on trust relationship and add this json. Basically this says trust the user terraform to assume the tfprovisioner role and do whatever this role allows to do in my aws account.
Once done let’s login to Terraform Cloud. What an awesome tool for Infrastructure as code. Thanks to all the hard work that people at Hashicorp do.
We will setup a workspace in Terraform Cloud and integrate that workspace with our github.com repository tfcloudsetuptest to track changes to the folder /tf and run plans on any code changes automatically.
Create New Workspace
Choose Version Control Workflow and then authorize github.com where your repo is. Your repo will show up in the terraform cloud list. Select the tfcloudsetuptest repo.
Click on Advanced Options and add /tf in the terraform working directory field.
That’s it click Create Workspace.
Once the workspace is created, click on Variables for this workspace and add the AWS keys generated for the read only terraform user. Mark these fields sensitive.
The Workspace is now all set. Let’s push our terraform code to github.com and see if Terraform is able to pick it up and run a Plan for us.
Go back to your project folder in terminal (tfcloudsetuptest)
git add .
git commit -m “first commit”
Go to your Terraform Workspace and click Queue Plan since this is the first time. From the next time Terraform will automatically track changes and auto plan.
How awesome! Terraform now detected that 1 resource needs to be created in AWS.
Just click Confirm and Apply.
Now navigate to AWS Console and IAM > Access Analyzers and you should see your resource has been created.
That is all folks. Hope this helpful. Please feel free to comment and let me know of any issues/risks.
**Please note the Go code I wrote does have a lot of hardcoded strings, I just wanted to get a little project up and running so I don’t have to manually create directories and files for every new terraform module I start writing.**