Terraform
Store remote state
Now you have built, changed, and destroyed infrastructure from your local machine. This is great for testing and development, but in production environments you should keep your state secure and encrypted, where your teammates can access it to collaborate on infrastructure. The best way to do this is by running Terraform in a remote environment with shared access to state.
HCP Terraform allows teams to easily version, audit, and collaborate on infrastructure changes. It can also store access credentials off of developer machines, and provides a safe, stable environment for long-running Terraform processes.
In this tutorial, you will migrate your state to HCP Terraform.
Prerequisites
This tutorials assumes you have completed the previous tutorials. If not, create a directory named learn-terraform-azure-instance
and paste this code into
a file named main.tf
.
main.tf
terraform {
required_version = ">= 1.1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0.2"
}
}
}
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "rg" {
name = "myTFResourceGroup"
location = "westus2"
}
Note
Because the cloud
block is not supported by older versions of Terraform, you must use 1.1.0 or higher in order to follow this tutorial. Previous versions can use the remote
backend block to configure the CLI workflow and migrate state.
Set up HCP Terraform
If you have a HashiCorp Cloud Platform or HCP Terraform account, log in using your existing credentials. For more detailed instructions on how to sign up for a new account and create an organization, review the Sign up for HCP Terraform tutorial.
Next, configure the cloud
block in your configuration with the organization name,
and a new workspace name of your choice:
main.tf
terraform {
required_version = ">= 1.1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0.2"
}
}
cloud {
organization = "<ORG_NAME>"
workspaces {
name = "learn-terraform-azure"
}
}
}
provider "azurerm" {
features {}
}
Authenticate with HCP Terraform
Now that you have defined your HCP Terraform configuration, you must
authenticate with HCP Terraform in order to proceed with initialization. In
order to authenticate with HCP Terraform, run the terraform login
subcommand, and follow the prompts to log in.
Note
If you are using a version of Terraform prior to 0.12.21, the terraform login
command is not available. Instead, set up a CLI configuration file to authenticate.
$ terraform login
Terraform will request an API token for app.terraform.io using your browser.
If login is successful, Terraform will store the token in plain text in
the following file for use by subsequent commands:
/Users/username/.terraform.d/credentials.tfrc.json
Do you want to proceed? (y/n)
For more detailed instructions on logging in, see the login tutorial.
Migrate the state file
Now you are ready to migrate your local state file to HCP Terraform. Reinitialize your configuration to begin the migration. This causes Terraform to recognize your cloud
block configuration.
$ terraform init
Initializing HCP Terraform...
Do you wish to proceed?
As part of migrating to HCP Terraform, Terraform can optionally copy your
current workspace state to the configured HCP Terraform workspace.
Answer "yes" to copy the latest state snapshot to the configured
HCP Terraform workspace.
Answer "no" to ignore the existing state and just activate the configured
HCP Terraform workspace with its existing state, if any.
Should Terraform migrate your existing state?
Enter a value:
During reinitialization, Terraform presents a prompt saying that it will copy the state file to your HCP Terraform workspace. Enter yes
so Terraform will migrate the state from your local machine to HCP Terraform.
Enter a value: yes
Initializing provider plugins...
- Using previously-installed hashicorp/azurerm v3.0.2
HCP Terraform has been successfully initialized!
You may now begin working with HCP Terraform. Try running "terraform plan" to
see any changes that are required for your infrastructure.
If you ever set or change modules or Terraform Settings, run "terraform init"
again to reinitialize your working directory.
When using HCP Terraform with the CLI-driven workflow, you can choose to have Terraform run remotely, or on your local machine. The default option is remote execution — HCP Terraform will perform Terraform operations remotely. When using local execution, HCP Terraform will execute Terraform on your local machine and remotely store your state file in HCP Terraform. For this tutorial, you will use the default remote execution option for the workspace.
Now that Terraform has migrated the state file to HCP Terraform, delete the local state file.
$ rm terraform.tfstate
Configure a Service Principal
If you are not already logged in to Azure, use the Azure CLI to log in to your account.
$ az login
Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use.
A Service Principal is an application within Azure Active Directory whose authentication tokens can be used as environment variables in HCP Terraform. For more information, visit the Azure documentation.
First, list the Subscriptions associated with your Azure account.
$ az account list
[
{
"cloudName": "AzureCloud",
"id": "00000000-0000-0000-0000-000000000000",
"isDefault": true,
"name": "PAYG Subscription",
"state": "Enabled",
"tenantId": "00000000-0000-0000-0000-000000000000",
"user": {
"name": "user@example.com",
"type": "user"
}
}
]
Select a subscription and copy its id
field value. This is the Subscription ID related to your account. Paste this value into the command below with your own Subscription ID and save the value. You will use it later to give HCP Terraform access to your Azure account.
$ az account set --subscription="SUBSCRIPTION_ID"
Create the Service Principal with the same Subscription ID.
$ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID"
Creating a role assignment under the scope of "/subscriptions/SUBSCRIPTION_ID"
{
"appId": "00000000-0000-0000-0000-000000000000",
"displayName": "azure-cli-2017-06-05-10-41-15",
"name": "http://azure-cli-2017-06-05-10-41-15",
"password": "0000-0000-0000-0000-000000000000",
"tenant": "00000000-0000-0000-0000-000000000000"
}
Copy this output somewhere safe.
Update the HCP Terraform environment variables
Now that you have the authentication information for your account, navigate to the learn-terraform-azure
workspace in the HCP Terraform UI.
Find the Variables tab and create the below environment variables using the values you put into and got back from the last command. Set the ARM_CLIENT_SECRET
as a sensitive value.
Environment Variable | AZ CLI |
---|---|
ARM_SUBSCRIPTION_ID | SUBSCRIPTION_ID from the last command's input. |
ARM_CLIENT_ID | appID from the last command's output. |
ARM_CLIENT_SECRET | password from the last command's output. (Sensitive) |
ARM_TENANT_ID | tenant from the last command's output. |
Update and save these four environment variables. Set the ARM_CLIENT_SECRET
as a sensitive value. Review your environment variables to ensure they match the example below.
Apply the configuration
Now, apply your configuration including the required variables. Terraform will tell you that there are no changes.
$ terraform apply
## ...
No changes. Infrastructure is up-to-date.
This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, Terraform
doesn't need to do anything.
Terraform is now storing your state remotely in HCP Terraform. Remote state storage makes collaboration easier and keeps state and secret information off your local disk. Remote state is loaded only in memory when it is used.
Destroy the infrastructure
Destroy your infrastructure, and remember to confirm with a yes
.
$ terraform destroy
Next Steps
This concludes the getting started tutorials for Terraform. Now you can use Terraform to create and manage your infrastructure.
For more hands-on experience with the Terraform configuration language, resource provisioning, or importing existing infrastructure, review the tutorials below.
Configuration Language - Get more familiar with variables, outputs, dependencies, meta-arguments, and other language features to write more sophisticated Terraform configurations.
Modules - Organize and re-use Terraform configuration with modules.
Import - Import existing infrastructure into Terraform.
To read more about available configuration options, explore the Terraform documentation.
Learn more about HCP Terraform
HCP Terraform supports two main workflows for performing Terraform runs:
- A VCS-driven workflow, in which it automatically queues plans whenever changes are committed to your configuration's VCS repo.
- An API-driven workflow, in which a CI pipeline or other automated tool can upload configurations directly.
For a hands-on introduction to the HCP Terraform VCS-driven workflow, follow the HCP Terraform getting started tutorials. HCP Terraform also offers commercial solutions which include team permission management, policy enforcement, agents, and more.