Version-Controlled Infrastructure with GitHub & Terraform

Feb 28 2017 Seth Vargo

At HashiCorp, we build open source tools that enable organizations to provision, secure, and run any infrastructure for any application. One of those tools is Terraform. Terraform enables you to safely and predictably write, plan, and provision infrastructure as code. It codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.

Terraform Workflow

resource "cloudflare_record" "web" {
  domain = ""
  name   = "demo"
  value  = "${digitalocean_droplet.web.ipv4_address}"
  type   = "A"
}

Terraform automatically handles the order of operations and parallelizes operations where possible. This parallelization enables provisioning of incredibly large infrastructures in minutes or even seconds.

Terraform can also produce a plan (a dry run) that shows the impact of changes before they are executed. This is especially valuable when modifying existing infrastructure, because the rollout impact is visible before anything is touched.

+ digitalocean_droplet.web
    disk:                 "<computed>"
    image:                "ubuntu-16-04-x64"
    ipv4_address:         "<computed>"
    ipv4_address_private: "<computed>"
    ipv6_address:         "<computed>"
    ipv6_address_private: "<computed>"
    locked:               "<computed>"
    name:                 "tf-web"
    region:               "sfo1"
    resize_disk:          "true"
    size:                 "512mb"
    status:               "<computed>"
    vcpus:                "<computed>"

Plan: 2 to add, 0 to change, 0 to destroy.

Once satisfied, we can apply these changes, creating real production infrastructure.

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Terraform Pro for Collaboration

The Terraform CLI works great for individuals, hobby projects, and small teams, but like most CLI tools, it does not scale well without a centralized coordination system. The objective is to make safe, predictable, and transparent infrastructure changes across a team regardless of the number of collaborators.

This challenge is not unique to Terraform. In fact, Git suffers from the same problem. Git is an excellent tool for managing source control, but lacks support for teams, permissions, ACLs, and reporting. Just like GitHub fills those requirements for Git, Terraform Pro bridges that gap for Terraform.

Terraform Pro is to Terraform what GitHub is to Git

Terraform Pro is designed for teams to collaborate on and organize many Terraform states, configurations, modules, and variables. At the core of that collaboration is our integration with version control systems like GitHub, which takes infrastructure-as-code configurations and turns them into real infrastructure on any provider.

Terraform Workflow with GitHub

After we have connected Terraform Pro to GitHub using the standard OAuth workflow, GitHub can automatically notify Terraform Pro of changes to code at the version control system (VCS) layer. These change notifications, in the form of webhooks, automatically trigger a plan phase. Terraform Pro controls the version of Terraform, the ingress and egress permissions, and securely stores and manages provider credentials.

Here is the same code from the previous example, but it is now committed to a GitHub repository that is connected to Terraform Pro.

GitHub Code View

We can link this GitHub code repository to Atlas by authenticating with GitHub using OAuth, and providing Atlas with the information to access this repository.

Link to GitHub

After linking, when new branches are created on this repository, Terraform Pro will automatically execute a dry-run on the configuration changes and report back the results to GitHub through a Pull Request. Here is an example GitHub Pull Request that shows Terraform Pro is currently executing the plan phase of our changes.

GitHub PR Planning

After the plan is complete, Terraform Pro will report the results back to GitHub. Assuming the changes were valid and would successfully apply, a green checkmark will be visible.

GitHub Plan Succeed

Clicking on the details link takes us to Terraform Pro where we can see the exact plan output, just as if we had run Terraform ourselves locally in the terminal. Other members of our organization have visibility into this plan, and they can provide their feedback in Terraform Pro or GitHub.

Assuming these changes are approved, we can merge the code on GitHub. This will automatically trigger a new plan on Terraform Pro, and notify the appropriate parties via Slack, email, or a number of other notification methods. Once a plan has reached the default (master) branch, it can be confirmed, which will execute the apply phase of Terraform. This will change real infrastructure.

GitHub Merged

Confirming Plan

When we click "Confirm & Apply", Terraform Pro will execute and modify real infrastructure resources on the cloud.
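Because "Confirm & Apply" changes real infrastructure, a team may want an automated gate on the plan output before anyone confirms it, for example refusing plans that destroy or replace resources and cross-checking the "Plan: N to add, ..." summary against the per-resource lines. The following is an added example written for this post, not code from HashiCorp or Terraform Pro; it assumes the pre-0.12 text plan format shown above, and the two sample plans are constructed, not captured from a real run.

```python
import re

# "terraform plan" summary line in the pre-0.12 text format quoted in the post.
SUMMARY_RE = re.compile(r"^Plan: (\d+) to add, (\d+) to change, (\d+) to destroy\.", re.M)
# Per-resource action markers: "+" create, "~" update in place, "-" destroy, "-/+" replace.
ACTION_RE = re.compile(r"^[ \t]*(-/\+|[+~-])[ \t]+(\S+)", re.M)

# Constructed sample plans modelled on the output in the post (not captured from a real run).
INITIAL_PLAN = """\
+ cloudflare_record.web
    name:   "demo"
    value:  "${digitalocean_droplet.web.ipv4_address}"

+ digitalocean_droplet.web
    image:  "ubuntu-16-04-x64"
    region: "sfo1"

Plan: 2 to add, 0 to change, 0 to destroy.
"""
REPLACE_PLAN = """\
-/+ digitalocean_droplet.web (new resource required)
    image: "ubuntu-16-04-x64" => "ubuntu-18-04-x64" (forces new resource)

Plan: 1 to add, 0 to change, 1 to destroy.
"""

def parse_plan(text):
    """Return the summary counts plus a {resource_address: marker} map."""
    m = SUMMARY_RE.search(text)
    if m is None:
        raise ValueError("no 'Plan: N to add, ...' summary line found")
    add, change, destroy = (int(n) for n in m.groups())
    actions = {addr: mark for mark, addr in ACTION_RE.findall(text)}
    return {"add": add, "change": change, "destroy": destroy, "actions": actions}

def check_plan(text, allow_destroy=False):
    """Return the reasons to block confirmation; an empty list means the plan passes."""
    plan = parse_plan(text)
    marks = list(plan["actions"].values())
    # "-/+" is counted once under "to add" and once under "to destroy" by Terraform.
    counted = {"add": marks.count("+") + marks.count("-/+"),
               "change": marks.count("~"),
               "destroy": marks.count("-") + marks.count("-/+")}
    problems = [f"summary says {plan[k]} to {k} but {counted[k]} resource lines parsed"
                for k in counted if counted[k] != plan[k]]
    if plan["destroy"] and not allow_destroy:
        doomed = sorted(a for a, s in plan["actions"].items() if s in ("-", "-/+"))
        problems.append("plan destroys resources: " + ", ".join(doomed))
    return problems

if __name__ == "__main__":
    print(check_plan(INITIAL_PLAN) or "ok", check_plan(REPLACE_PLAN) or "ok")
```

Run it against the saved output of the plan phase; a non-empty result is the signal to hold the "Confirm & Apply" step for a human review of the listed resources.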
