\ /

Using the Terraform Cloud to save and protect the state file of a Terraform configuration

First of all, what is Terraform?

Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform builds the infrastructure from configuration files that indicate the components of which an infrastructure must be composed.

Once the infrastructure is applied, Terraform has to save the configuration and state of its infrastructure.

How to store the state of the infrastructure?

This storage is in the Terraform state file. This file improves the performance of large infrastructures by tracking metadata, keeping track of the infrastructure, making changes to necessary components and allocating real-world resources.

This state can be stored locally in a file called "terraform.tfstate", but there is an option, which is to store this state remotely. This option allows the state to be stored securely and also facilitates teamwork.

The chosen remote backend is Terraform Cloud. The Terraform Cloud allows teams to easily version, audit and collaborate on infrastructure changes.

Before setting up the backend...

Before configuring the remote backend, it must be clear that you will be working with the Azure, which is the chosen provider for the configuration. Therefore, a number of steps need to be taken before working with the Terraform Cloud.

  1. Login in Azure using Azure CLI with the following command: “az login” . This command will start the browser to complete the authentication. In the CLI we will see the following:azbueno.png From the picture above the most important value is "id", it is Azure's subscription ID. This value is necessary for the next step
  2. Create the service principal account using the following command (Replacing the subscription id obtained previously): az ad sp create-for-rbac –role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID" --name "Azure-DevOps" despuesde AZLOGIN.png In the picture above, there are 3 values that will later have to be assigned to variables in Terraform together with the subscription id of azure:
    • appID: is the client_id
    • password: is the client_secret
    • tenant: is the tenant_id
  3. Add the configuring the Service Principal in Terraform
    • Define the following variables in variables.tf:variable.tf.png
    • The values of the variables are established in terraform.auto.tfvars ( This way of saving the azure credentials is not the most secure, it is used to display a small demo and show the Terraform backend in operation, but it would be safer to use vault to save these values):terraform.auto.tvars.png
    • Finally in the main.tf file the azure provider block is updated:main.tf.png

Remote backend configuration

To configure the remote backend of the Terraform Cloud, you need to register in the Terraform Cloud from the following link: https://app.terraform.io/

Once you have registered, to configure the backend you will work with, you must add the organization to which you belong and then it is convenient to add a workspace (otherwise one will be created by default when the changes are applied for the first time in Terraform), in which the state file will be stored.

In the following image you can see in the GUI the organization marked in red and the workspace marked in blue Screenshot_20200907_141956.png

The next step is to add in the main.tf file the terraform block in which the backend will be configured as follows: main.tf.terra.png

Once you have defined the backend to be used, you need to authenticate with the Terraform Cloud to continue with the authentication with the command “terraform login”.

In order to authenticate you will have to access the GUI and generate a token, the token cannot be organizational, valid tokens are User or Team tokens. In this case a user token has been generated as you can see in the following images: BUENAtoken.png tokesinto.png

Once the token is obtained, it is entered into the CLI as requested by the "terraform login" command as shown in the following image:terraformlogin.png

When the authentication is complete, execute the commands "terraform init" and "terraform apply" in order. Terraform now has its state stored remotely in the Terraform Cloud as shown below:

apply.png Todookey.png


In this tutorial you can learn an easy way to store the state of the infrastructure created with terraform in a remote backend. Terraform Cloud's remote storage makes teamwork easier, allowing you to connect your workspace to VCS, and securely store status and secrets. In addition, this backend can act as an enhanced backend, i.e. it can perform any standard action as any bakend and also has a remote execution environment that allows remote operations to be performed from the backend itself in the convenient workspace.

comments powered by Disqus