Terraform
Create a credentials variable set
HCP Terraform lets you define input and environment variables using either workspace-specific variables, or sets of variables that you can reuse in multiple workspaces. Variable sets allow you to avoid redefining the same variables across workspaces, so you can standardize common configurations throughout your organization. One common use case for variable sets is for provider credentials. By defining a variable set for your credentials, you can easily reuse the same variables across multiple workspaces and efficiently and securely rotate your credentials.
In this tutorial, you will create a variable set for your AWS credentials.
Prerequisites
This tutorial requires:
- an HCP Terraform account and organization
- an AWS account
Create a variable set
You can define both input variables and environment variables in variable sets. Input variables define the values for variables you reference in your configuration, while environment variables typically store provider credentials or modify Terraform's behavior, such as logging verbosity.
To create a variable set, navigate to your organization's Settings, then to Variable sets.
Next, click Create variable set.
Name the variable set "AWS Credentials".
You can apply a variable set to all workspaces in your organization, or scope it to specific workspaces or projects. When using variable sets with credentials, reuse the variable set with care and avoid the global scope, since it does not follow least privilege best practices.
If you created an organization just for HashiCorp tutorials, select Apply globally as the variable set scope.
Note
If you run HashiCorp tutorials in an organization that also contains other workspaces, or would prefer to keep your variable set scoped, select Apply to specific projects and workspaces and do not select any projects or workspaces. You can assign a variable set to a workspace through a specific workspace's variables page.
Next, define your AWS credentials as environment variables. Use an existing Access key ID and Secret access key or create a new pair in the IAM console.
Click +Add Variable. Select the Environment variable option. Set the
key to AWS_ACCESS_KEY_ID
and the value to your AWS Access Key ID. Mark
it as Sensitive and click Add variable.
Marking a variable as sensitive prevents Terraform from displaying it in the HCP Terraform UI and makes the variable write-only.
Now, click + Add Variable again. Define another environment variable named
AWS_SECRET_ACCESS_KEY
and set it to your AWS Secret access key. Mark it
as Sensitive and click Add variable.
Tip
If you have temporary AWS credentials, you must also add your AWS_SESSION_TOKEN
as an environment variable.
Now click Create variable set.
HCP Terraform now lists your new variable set on the Variable Sets page. It also shows the number of variables it contains and indicates that the set applies to all workspaces, since you selected the global scope.
Next Steps
In this tutorial, you created a global variable set. To learn more about variable sets, review the variable sets documentation.
Next, you will create and configure an HCP Terraform workspace.