Get started with Terraform Cloud using GitHub and AWS.

.gitignore

 ________  ________  ___  __    ___     
|\_____  \|\   __  \|\  \|\  \ |\  \    
 \|___/  /\ \  \|\  \ \  \/  /|\ \  \   
     /  / /\ \   __  \ \   ___  \ \  \  
    /  /_/__\ \  \ \  \ \  \\ \  \ \  \ 
   |\________\ \__\ \__\ \__\\ \__\ \__\
    \|_______|\|__|\|__|\|__| \|__|\|__|
    
ignore Azure, GCP

README.md

• Programming: HCL
• Repository: GitHub
• Cloud: Terraform Cloud (app.terraform.io), AWS
• Database: DynamoDB

Gist writing, testing and debugging : 12 hrs

The following gist is intended to DevOps Engineers and Data Architects and is part of my cloud series.
It will help you start with Terraform Cloud using GitHub and AWS.

Thanks for forking this gist if you find it useful.

How this gist is structured

This gist is structured into 6 parts.

Part 1. Get started with Terraform Cloud UI
Part 2. Plan an apply a configuration
Part 3. Update variables
Part 4. Cost estimation and mitigation
Part 5. Sentinel Policies and Policy Sets.md Part 6. Destroy Infrastructure

Terraform is a freemium Infrastructure as Code tool which can help you deploy IT infrastructures from configuration files rather than interracting with your tools UIs.

Terraform is mainly dedicated to CI/CD projects and to DevOps Engineers, Cloud Engineers, Data Architects.

You can use Terraform locally in your Shell or in the Cloud (scope of this gist). Before diving deeper into Terraform, I recommend having prior knowledge of programming in any language, or in Cloud computing.

| Some useful resources
. https://www.terraform.io/docs/cloud/index.html
. https://www.terraform.io/docs/cloud/paid.html

Related tags

• AWS
• Terraform
• Terraform Cloud
• Terraform Cloud UI

LICENSE

MIT License

Copyright (c) 2020 Isaac Arnault

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Part_1_Get_Started.md

This gist will help you get started with Terraform Cloud.

Prerequisites

You must have a github account. If not, create a Github account for free: https://github.com/join.
Fork this repository: https://github.com/hashicorp/tfc-guide-example

Once you've completed the prerequisites, you are ready to take this part.

Get started

Create an account account..

🔵 See output

Log into your account and create new organization: mine is called Company123 (name must be a unique name).

🔵 See output

Create a new Workspace > Version control workflow.

Connect to VCS: choose Github since you now have a Github account.

🔵 See output

Authorize Terraform CLoud.

🔵 See output

. Install on a specific repository: choose the repository you've forked (seach for 'tfc', then 'Create workspace')

🔵 See output

. Wait until the configuration is uploaded.

🔵 See output

Part_2_Plan_and_Apply.md

Once you've completed the Part 1 of this gist, you are ready to begin this part.

In this section, we will provision a DynamoDB instance through Terraform Cloud.

Step 1 - Configure AWS (must have an AWS account)

We will retrieve our AWS credentials and set our Terraform Cloud variables to use those values.

Log into your AWS account. If you don't have an account, create one: https://portal.aws.amazon.com/billing/signup#/start.
You can access your console after Signing Up to AWS using this link: https://console.aws.amazon.com/console/home.

Once logged into your AWS console, go to IAM.
If you are new to AWS, please bypass all user configuration (green ticked marks below) for the sake of simplicity.

🔵 See output

. Click on Users > Add user

. Next: permissions > Create group: call it admins_terraform.

. Filter policies: search for AdministratorAccess in the search bar.

. Select the AdministratorAccess policy and click on 'Create group'.

🔵 See output

. Next: tags. Use as key: resources and as Value: terraform

. Next: review > create user > download the .csv file which contains security credentials for the user ' terraform_user'

Access key ID and a Secret access key were provided to you by AWS.

Be sure to keep these values in a secure location; you will use them in the next step.

You can keep this window opened and open a new AWS console window from your browser.

---

Important Follow `AWS` security best practices by deleting this user and the group created after completing this gist, since all security parameters for this user weren't fulfilled for the sake of simplicity.

Step 2 - Configure workspace variables

Go back to your Terraform Cloud window and click on 'Configure variables'

. Scroll down to Terraform variables > Add variables: here you'll create three (3) variables, one related to a user, and two related to the DynamoDB database: 'tag_user_name', 'db_write_capacity', 'db_read_capacity'.

. Do the same for Environment variables > Ass variables: create 2 variables 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY'.

🔵 See output

Step 3 - Queue and apply plan

. Click on Queue plan. When prompted, click on 'Confirm & Apply'.

🔴 See hint

If everything is set up correctly, you should have this:

🔵 See output

If you get an error, make sure you've followed the prerequisites (Get_Started section of this gist) and that you've set the 5 requested variables correctly.

You can go to your AWS console and check that the DynamoDB table was provisioned successfully.

🔵 See output

---

At the end of this part, you've configured your workspace and provisioned a `DynamoDB` instance using `Terraform Cloud`.

Part_3_Update_Variables.md

Step 1 - Change Infrastructure via Version Control

There are two (2) ways to update our workspace deployments on Terraform Cloud:

• change the configuration in VCS.
  or
  
• update variables in the Terraform Cloud UI.

---

Important - tools of our Workspace

Runs - shows a list of all of the plan and apply actions you have taken with this workspace.
States - shows a list of the entire tfstate file of your workspace after each successful run.
Variables - let you configure Terraform variables and environment variables.
Settings - contain all of the other configuration for your workspace.
Queue plan - lets you start a new plan.

---

Step 2 - Changing variables

In your Terraform Cloud UI, go to 'Variables'.
You can try changing your 'db_read_capacity' value from 2 to 1.

🔵 See output

Click on 'Queue plan' and you can set as reason: 'db_read_capacity update' (not mendatory).

🔴 See hint

You'll notice once queuing the plan that the log indicates that there are "0 to add, 1 to change, 0 to destroy", which corresponds to your update.

🔵 See output

Then 'Confirm & update' and wait for the update confirmation:

🔵 See output

Part_4_Cost_Estimation_and_Mitigation.md

Estimating and mitigating costs of our AWS deployed resources using Terraform Cloud can be useful in our daily job.

Prerequisites

In order to get the cost estimation of our deployed resources upon Queue plan, we make sure we move from a free plan to a paid plan.

On the top bar click on Settings > Plan & Billing.

Choose the Team & Governance free trial plan to try new Terraform Cloud tools for free (30 days free trial).

---

---

Now that we've switched to a paid plan, we should see that new tabs appeared in our left sidebar such as Cost Estimation, Policy Sets.

Click on Cost Estimation and make sure that Enable Cost Estimation for all workspaces is checked.

🔵 See output

Now we are ready to go.

Infrastructure cost mitigation using Terraform Cloud UI

Let's go back to our Terraform Cloud UI on our tfc-guide-example workspace to add new parameters.

Go to Terraform variables.

Add 1 new variable: aws_region and set us-west-1 as value.

Update db_read_capacity to 2.

🔴 See hint

Then click on Queue plan.

Applying our new plan will unlock a new Cost estimation feature in our UI.

---

---

By clicking on the Cost estimation tab we can see:

• Hourly
  
• Monthly
  
• Monthly Delta costs of our DynamoDB table deployed on AWS.

---

---

Finally, let's confirm that our DynamoDB was deployed on AWS:

• Log into our AWS console.
  
• Switch to us-west-1 region.
  
• Open DynamoDB service.

---

Here is our table!

🔵 See output

---

To mitigate our costs, we shouldn't forget to delete the DynamoDB table created, directly throughout our AWS console.

🔵 See output

Part_5_Sentinel_Policies_and_Policy_Sets.md

Doing part 5 is not mandatory.

But if we want to take advantage of your Team & Governance plan trial plan, we can set a Sentinel policy and a new Policy set.

---

Step 1 - Create a new Sentinel Policy and Policy Set

We connect to our Terraform Cloud UI, click on Settings, click on Policy Sets.

Now we will add a new Sentinel Policy. Click on Policies.

Create a new policy > call it tfc-guide-example-sentinel-policy

Description (not compulsory): 'First sentinel policy'.

Enforcement mode: choose Soft-mandatory

Policy code: add the following line of code

main = rule {
	true
}

• click on Create your first policy set
• connect to GitHub
• choose a repository: choose tfc-guide-example

🔴 See hint

Scope of policies > select Policies enforced on selected workspaces.

In the Workspaces box, select tfc-guide-example workspace, then Add workspace.

Next: click on connect policy set

🔴 See hint

---

Step 2 - Update GitHub repository

Now that we have a new Sentinel policy and a Policy Set, we should add one file into our GitHub repository otherwise we'll get some error while queueing our plan.

We go to tfc-guide-example repository that we've forked.

Click on Add file, then Create new file

🔴 See hint

Call the file allowed-terraform-version.sentinel and pass the following code onto it, then click on Commit

main = rule {
	true
}

Our newly created file should look like this:

🔵 See output

We have one Sentinel policy and one Policy Set configured as well as a new file created in our GitHub repository.

We are now ready to run a 'Queue plan'.

---

Step 3 - Queue plan to apply your policies

We go to our tfc-guide-example workspace and click on 'Queue plan'.

Upon completion, a new tab Policy check should appear in our UI.

If we have properly configured our Sentinel policy and Policy Set as well as our repository file, Policy check should pass.

---

Part_6_Destroy_Infrastructure.md

Destroying the infrastructure is part of Terraform normal workflow.

Destroy infrastructure

Go to your workspace in the Terraform Cloud UI.
From the top menu select "Settings -> Destruction and Deletion".

🔵 See output

. Queue destroy plan:

🔵 See output

Confirm and apply when prompted and wait for the destruction:

🔵 See output

You'll notice that you've destroyed the plan but your workspace is still alive.

🔵 See output

Go back to 'Settings' and proceed to the workspace deletion.

🔵 See output

Confirm Workspace deletion when prompted and wait for the destruction.

🔵 See output

In your Organization's workspace, you'll see that your tf-guide-example workspace was deleted.

🔵 See output

---

Important

Deleting a workspace does not destroy infrastructure that has been provisioned by that workspace.

This means that your AWS DynamoDB table you provisioned isn't destroyed after destroying the plan and infrastructure on Terraform Cloud.

Mitigating the cost of the Infrastructure, especially if you are a Data Architect / Solution Architect is quite important.

Please bear in mind that running costs may occure if you do not delete the resources provided by your Terraform actions.

---

Thus, feel free to go to your `AWS` console and delete the User, Group, DynamoDB table created upon this gist completion.

---

This gist is now completed. We have successfully completed parts 1 to 6.

---

---

We have learnt how to implement an Infrastructure as Code using Terraform Cloud and GitHub which helped us provision a DynamoDB table on AWS.
If you enjoyed this gist, thanks for forking it and do not hesitate to ask questions.