Configure the pipeline to run Terraform plan

• Check out the git diff of this step here (opens new window).

• Check out the git diff of this step here (opens new window).

• Check out the git diff of this step here (opens new window).

To complete this step, we will use what we previously saw in Step 2 by adding a new job to run Terraform if our unittest job succeed. The goal is to configure a new resource to run Terraform and use it in a dedicated job.

Additionally to that, the Terraform code will be stored in your Git repository, inside the stacks branch. This means we will also configure a git resource in the pipeline to get the content of the stacks branch.

Follow those steps to apply all changes described in this step

export GIT_REPO=$(git remote get-url origin)
mkdir stack-sample/terraform
wget -O stack-sample/terraform/provider.tf https://raw.githubusercontent.com/cycloid-community-catalog/docs-step-by-step-stack/Step3-aws/stack-sample/terraform/provider.tf
wget -O stack-sample/pipeline/pipeline.yml https://raw.githubusercontent.com/cycloid-community-catalog/docs-step-by-step-stack/Step3-aws/stack-sample/pipeline/pipeline.yml
wget -O stack-sample/pipeline/variables.sample.yml https://raw.githubusercontent.com/cycloid-community-catalog/docs-step-by-step-stack/Step3-aws/stack-sample/pipeline/variables.sample.yml
sed -i "s#git@github.com:cycloid-community-catalog/docs-step-by-step-stack.git#$GIT_REPO#" stack-sample/pipeline/variables.sample.yml

# Azure configuration, make sure to replace the following variable content regarding your own Azure account configuration
export AZURE_RESOURCE_GROUP_NAME=cycloid-demo
export AZURE_LOCATION=francecentral
export AZURE_ENV=public
export TERRAFORM_STORAGE_CONTAINER_NAME=cycloid-demo

export GIT_REPO=$(git remote get-url origin)
mkdir stack-sample/terraform
wget -O stack-sample/terraform/provider.tf https://raw.githubusercontent.com/cycloid-community-catalog/docs-step-by-step-stack/Step3-azure/stack-sample/terraform/provider.tf
wget -O stack-sample/pipeline/pipeline.yml https://raw.githubusercontent.com/cycloid-community-catalog/docs-step-by-step-stack/Step3-azure/stack-sample/pipeline/pipeline.yml
wget -O stack-sample/pipeline/variables.sample.yml https://raw.githubusercontent.com/cycloid-community-catalog/docs-step-by-step-stack/Step3-azure/stack-sample/pipeline/variables.sample.yml
sed -i "s#git@github.com:cycloid-community-catalog/docs-step-by-step-stack.git#$GIT_REPO#" stack-sample/pipeline/variables.sample.yml
sed -i "s/azure_resource_group_name:.*/azure_resource_group_name: $AZURE_RESOURCE_GROUP_NAME/g" stack-sample/pipeline/variables.sample.yml
sed -i "s/azure_location:.*/azure_location: $AZURE_LOCATION/g" stack-sample/pipeline/variables.sample.yml
sed -i "s/azure_env:.*/azure_env: $AZURE_ENV/g" stack-sample/pipeline/variables.sample.yml
sed -i "s/terraform_storage_container_name:.*/terraform_storage_container_name: $TERRAFORM_STORAGE_CONTAINER_NAME/g" stack-sample/pipeline/variables.sample.yml

export GCP_PROJECT_NAME=my_gcp_project

export GIT_REPO=$(git remote get-url origin)
mkdir stack-sample/terraform
wget -O stack-sample/terraform/provider.tf https://raw.githubusercontent.com/cycloid-community-catalog/docs-step-by-step-stack/Step3-gcp/stack-sample/terraform/provider.tf
wget -O stack-sample/pipeline/pipeline.yml https://raw.githubusercontent.com/cycloid-community-catalog/docs-step-by-step-stack/Step3-gcp/stack-sample/pipeline/pipeline.yml
wget -O stack-sample/pipeline/variables.sample.yml https://raw.githubusercontent.com/cycloid-community-catalog/docs-step-by-step-stack/Step3-gcp/stack-sample/pipeline/variables.sample.yml
sed -i "s#git@github.com:cycloid-community-catalog/docs-step-by-step-stack.git#$GIT_REPO#" stack-sample/pipeline/variables.sample.yml
sed -i "s/gcp_project:.*/gcp_project: $GCP_PROJECT_NAME/" stack-sample/pipeline/variables.sample.yml

Starting with the Terraform code. Let's create a dummy Terraform configuration with the cloud provider we want to use for Terraform in a provider.tf file.

TIPS

If you are not comfortable with Terraform, we encourage you to follow Terraform getting started (opens new window) documentation.

The content of the provider.tf specifies the provider configuration (GCP (opens new window), AWS (opens new window), AzureRM (opens new window)) and variables (opens new window) to configure it. Those variables will be provided by the pipeline.

stack-sample/terraform/provider.tf

variable "customer" {}
variable "project" {}
variable "env" {}

variable "git_code_commit" {
  default = "origin/code"
}
variable "git_code_repo" {
  default = "https://github.com/cycloid-community-catalog/docs-step-by-step-stack.git"
}

# Aws
provider "aws" {
  access_key = var.access_key
  secret_key = var.secret_key
  region     = var.aws_region
}
variable "access_key" {}
variable "secret_key" {}
variable "aws_region" {}

variable "customer" {}
variable "project" {}
variable "env" {}

# Azure
variable "azure_client_id" {}
variable "azure_client_secret" {}
variable "azure_subscription_id" {}
variable "azure_tenant_id" {}
variable "azure_env" {
  default = "public"
}
variable "azure_resource_group_name" {}
variable "azure_location" {
  default = "francecentral"
}

# Source code
variable "git_code_commit" {
  default = "origin/code"
}
variable "git_code_repo" {
  default = "https://github.com/cycloid-community-catalog/docs-step-by-step-stack.git"
}

# Azure
provider "azurerm" {
  version = "~> 1.42.0"

  environment     = var.azure_env
  client_id       = var.azure_client_id
  client_secret   = var.azure_client_secret
  subscription_id = var.azure_subscription_id
  tenant_id       = var.azure_tenant_id
}

variable "customer" {}
variable "project" {}
variable "env" {}

variable "git_code_commit" {
  default = "origin/code"
}
variable "git_code_repo" {
  default = "https://github.com/cycloid-community-catalog/docs-step-by-step-stack"
}

# GCP
provider "google" {
  version = "~> 2.18.0"
  project = var.gcp_project
}
variable "gcp_project" {
  default = "cycloid-demo"
}
variable "gcp_zone" {
  default = "europe-west1-b"
}

Several input variables have been defined to configure the cloud provider and two variables to pass the source code git repository URL that we will use and explain in the next step. The provider.tf usually also contain some generic variables like customer, project and env as most of our customer use them in Terraform to tag/name cloud resources.

Now add a Terraform resource into the pipeline. As Terraform is not part of the core resources type (opens new window) of Concourse, the first thing is to specify a new terraform resource type in the dedicated root section resource_types.

TIP

When to use a task or a resource in a pipeline?

In our case, we could have provided our container image with Terraform already installed on it and called the terraform command. A resource usually is here to simplify a task. It makes something more generic and easy to use with embedded scripts. A resource also creates versions that can be used between different jobs as triggers.

If you are interested in creating your own resource, follow the Concourse (opens new window) documentation.

stack-sample/pipeline/pipeline.yml

resource_types:
  - name: terraform
    type: docker-image
    source:
      repository: ljfranklin/terraform-resource
      tag: '0.12.24'

The source code of this resource can be found here (opens new window).

From there, a new terraform resource type is available and can be configured. The following sample configures a resource called tfstate of our new terraform type:

stack-sample/pipeline/pipeline.yml

resources:
...
- name: tfstate
  type: terraform
  source:
    env_name: ((env))
    backend_type: s3
    backend_config:
      bucket: ((terraform_storage_bucket_name))
      key: terraform.tfstate
      workspace_key_prefix: ((project))
      region: ((aws_default_region))
      access_key: ((aws_access_key))
      secret_key: ((aws_secret_key))
    vars:
      access_key: ((aws_access_key))
      secret_key: ((aws_secret_key))
      aws_region: ((aws_default_region))
      env: ((env))
      project: ((project))
      customer: ((customer))

resources:
...
- name: tfstate
  type: terraform
  icon: terraform
  source:
    env_name: ((env))
    backend_type: azurerm
    backend_config:
      container_name: ((terraform_storage_container_name))
      key: ((terraform_storage_container_path))/((project))-((env)).tfstate
      resource_group_name: ((azure_resource_group_name))
      storage_account_name: ((terraform_storage_account_name))
      access_key: ((terraform_storage_access_key))
    vars:
      azure_resource_group_name: ((azure_resource_group_name))
      azure_location: ((azure_location))
      azure_env: ((azure_env))
      azure_client_id: ((azure_client_id))
      azure_client_secret: ((azure_client_secret))
      azure_subscription_id: ((azure_subscription_id))
      azure_tenant_id: ((azure_tenant_id))
      env: ((env))
      project: ((project))
      customer: ((customer))

- name: tfstate
  type: terraform
  icon: terraform
  source:
    env_name: ((env))
    backend_type: gcs
    backend_config:
      bucket: ((terraform_storage_bucket_name))
      prefix: ((project))/((env))
      credentials: ((gcp_credentials_json))
    vars:
      gcp_project: ((gcp_project))
      gcp_zone: ((gcp_zone))
      env: ((env))
      project: ((project))
      customer: ((customer))
    env:
      GOOGLE_PROJECT: ((gcp_project))
      GOOGLE_ZONE: ((gcp_zone))
      GOOGLE_CREDENTIALS: ((gcp_credentials_json))

Some explanations: Terraform stores the status of the infrastructure in a file called tfstate (opens new window). This file can be stored in different backends. In this example, we decided to use our cloud provider object store as backend type (opens new window) to store this file. The backend_type parameter defines this, then configured in the backend_config section, using pipeline variables defined below. Refer to the dedicated Terraform documentation to know more about your backend storage configuration.

The vars section defines a collection of Terraform input variables (opens new window) provided by the pipeline. Variables are given by the pipeline to Terraform. The most common ones are the cloud provider credentials that we defined in provider.tf and the extra customer/project/env that we previously saw.

Small detour by variables.sample.yml file to add our new pipeline variables:

stack-sample/pipeline/variables.sample.yml

git_ssh_key: ((ssh_key.ssh_key))

# Branch used to store the config of the stack
git_repository: git@github.com:cycloidio/my_git_repository.git
stack_git_branch: stacks

# Aws access to use inside the pipeline
aws_access_key: ((aws_step-by-step.access_key))
aws_secret_key: ((aws_step-by-step.secret_key))
aws_default_region: eu-west-1

# Terraform tfstate storage Configuration
terraform_storage_bucket_name: ($ organization_canonical $)-terraform-remote-state
terraform_storage_bucket_path: ($ project $)

git_ssh_key: ((ssh_key.ssh_key))

# Branch used to store the config of the stack
git_repository: git@github.com:cycloidio/my_git_repository.git
stack_git_branch: stacks

# Terraform tfstate storage Configuration
terraform_storage_container_path: ($ project $)/($ environment $)
terraform_storage_container_name: cycloid-demo
terraform_storage_access_key: ((azure_storage_step-by-step.access_key))
terraform_storage_account_name: ((azure_storage_step-by-step.account_name))

azure_resource_group_name: cycloid-demo
azure_location: francecentral
azure_env: public

azure_subscription_id: ((azure_step-by-step.subscription_id))
azure_tenant_id: ((azure_step-by-step.tenant_id))
azure_client_id: ((azure_step-by-step.client_id))
azure_client_secret: ((azure_step-by-step.client_secret))

git_ssh_key: ((ssh_key.ssh_key))

# Code repo configuration
code_git_public_repository: https://github.com/cycloid-community-catalog/docs-step-by-step-stack.git
code_git_branch: code

# Branch used to store the config of the stack
git_repository: git@github.com:cycloidio/my_git_repository.git
stack_git_branch: stacks

# Terraform tfstate storage Configuration
terraform_storage_bucket_name: ($ organization_canonical $)-terraform-remote-state
terraform_storage_bucket_path: ($ project $)

gcp_project: cycloid-demo
gcp_zone: "europe-west1-b"
gcp_credentials_json: ((gcp_step-by-step.json_key))

We added several variables related to our pipeline changes.

• git: to provide the SSH key to get Terraform code from your private git repository (git_ssh_key). As well as the branch and URL to use (stack_git_branch, git_repository)
• cloud provider: to configure the cloud provider access and Terraform tfstate file storage.

As you can see, the value of some variables has a specific format ((myvalue)). For example, in line 1, the value of this pipeline variable will be provided by a Cycloid credential. The one you previously created in the section prepare Cycloid credentials. See pipeline variable documentation for more information to use Cycloid credentials into a pipeline.

Getting back on the pipeline file to configure a git resource to get the dummy Terraform source code from our stacks branch.

stack-sample/pipeline/pipeline.yml

resources:
...
- name: git_stack
  type: git
  source:
    uri: ((git_repository))
    branch: ((stack_git_branch))
    private_key: ((git_ssh_key))
    paths:
      - stack-sample/terraform/*

We also added a filter on Terraform path using paths to trigger terraform jobs only when commits change terraform files.

Standard pipeline behavior with Terraform is to run Terraform plan (opens new window). It's a convenient way to check the execution plan for a set of changes that matches your expectations without making any changes to real resources. Then create a second job to apply those changes by calling Terraform apply (opens new window).

Let's start and create the dedicated job to run terraform plan command just after unittest job (passed argument) and speak about terraform apply in the next step:

stack-sample/pipeline/pipeline.yml

jobs:
...
  - name: terraform-plan
    max_in_flight: 1
    build_logs_to_retain: 10
    plan:
      - do:
        - get: git_stack
          trigger: true
        - get: git_code
          trigger: true
          passed:
            - unittest
        - put: tfstate
          params:
            plan_only: true
            terraform_source: git_stack/stack-sample/terraform

An important point is the passed parameter that you can put on get action. This keyword links jobs together to ensure that we will get the code already processed by the unittest job.

This job gets Terraform code from git_stack resource, which is our git on the stacks branch. Then call put (opens new window) on Terraform resource (tfstate) using plan_only parameter to specify that we want only to run terraform plan.

Don't forget to add this job to a group:

stack-sample/pipeline/pipeline.yml

groups:
- name: overview
  jobs:
  - unittest
  - terraform-plan

Click on the terraform-plan job and see Terraform logs saying we successfully run it with 0 changes.

Add and commit those changes in Git:

git add .
git commit -m "Step 3"
git push origin stacks

Get back to Cycloid's dashboard, and click on the Refresh pipeline button .

---

Key points to remember

• As Terraform is not part of the core resources type (opens new window) of Concourse, the first thing is to specify a new terraform resource type in the dedicated root section resource_types
• Terraform stores the status of the infrastructure in a file called tfstate (opens new window). This file can be stored in different backends
• Standard pipeline behavior with Terraform is to run Terraform plan (opens new window) then Terraform apply (opens new window)