Managing variables in Terraform is crucial for flexibility and security in infrastructure automation. Terraform offers several methods to define and prioritize variables, which is particularly important in environments where configurations must be dynamic and secure, such as in continuous integration/continuous deployment (CI/CD) pipelines
In this article, we'll delve into the practical use of these variable management strategies in Terraform, especially focusing on a typical CI/CD setup using GitHub Actions. We'll also clarify how Terraform decides which variable values to use when different methods are combined.
Different Methods to Add Variables in Terraform
Terraform supports multiple methods for variable definition, each suitable for different scenarios:
-
Variable Definitions in Configuration Files (
variables.tf):
This is the most straightforward method where variables are defined with possible default values.
variable "machine_type" { description = "The type of the GCP instance" type = string default = "e2-micro" } -
Using
terraform.tfvarsFiles:
These files are used for setting variable values that override the defaults specified invariables.tf. Terraform automatically loads these values unless specified otherwise.
machine_type = "n1-standard-1" -
Environment Variables:
Terraform can also read from environment variables prefixed withTF_VAR_. This is useful for passing sensitive data or for overriding values in CI/CD pipelines without changing code.
export TF_VAR_machine_type="n1-standard-1" -
Command-line Flags:
For temporary overrides, such as during a manual deployment, you can specify variables directly on the command line.
terraform apply -var="machine_type=n1-standard-1"
Order of Precedence in Terraform Variables
Terraform evaluates these variable sources according to a specific order of precedence:
- Command-line flags
- Environment variables
- Terraform configuration files (
terraform.tfvarsor.auto.tfvars) - Variable defaults in
variables.tf
Understanding this hierarchy is essential for effectively managing variable values across different environments and deployment phases.
Example: Using Variables in GitHub Actions
Letβs consider a GitHub Actions workflow designed to deploy infrastructure on Google Cloud Platform using Terraform:
name: Deploy GCP Infrastructure
on: [push]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Terraform
uses: hashicorp/setup-terraform@v3
- name: Set up Google Cloud credentials
uses: google-github-actions/setup-gcloud@v2
with:
service_account_key: ${{ secrets.GCP_SA_KEY }}
export_default_credentials: true
- name: Create terraform.tfvars
run: |
echo "machine_type=\"n1-standard-1\"" > terraform.tfvars
echo "region=\"us-central1\"" >> terraform.tfvars
- name: Terraform Apply
run: terraform apply -auto-approve
env:
TF_VAR_machine_type: ${{ secrets.MACHINE_TYPE }}
TF_VAR_region: ${{ secrets.REGION }}
In this workflow:
-
terraform.tfvarsis generated dynamically in one of the steps. It setsmachine_typeandregionfor the Terraform apply. -
Environment variables (
TF_VAR_machine_typeandTF_VAR_region) are set in the Terraform Apply step using GitHub Secrets.
Given the order of precedence, the environment variables will override the values set in the terraform.tfvars file. This setup allows the workflow to configure defaults in terraform.tfvars while overriding these with more specific values securely managed through GitHub Secrets, ideal for different deployment environments or sensitive configurations.
Understanding how to manage and prioritize variable definitions in Terraform is key to deploying secure and adaptable infrastructure, particularly in automated environments like CI/CD pipelines. By strategically using GitHub Actions and Terraform together, developers can ensure that infrastructure deployments are both efficient and secure, aligning with best practices in DevOps environments.
Top comments (0)