A completely automated Multi-Cloud CI for Terraform.

MassimilianoDH/terraform-push

Terraform Push


This is Terraform Push, a completely automated Multi-Cloud GitOps CI for Terraform.

🧐 About

Terraform Push is a repository template capable of creating a fully functional GitOps CI for HashiCorp Terraform. With minimal set-up, this CI can deploy Terraform resources to a single Cloud Provider OR to multiple Cloud Providers in a secure, concurrent pipeline. Once it is in working condition, users add Terraform configuration files to the desired directories, and they are applied automatically after being pushed or merged to Master.

Features

  • Supported Cloud Providers:
    • Google Cloud
    • Amazon Web Services
    • Microsoft Azure
  • Automatic Change Detection
  • Terraform Plan on Pull Requests
  • Resource Creation on Push-to-Master
  • Automatic Resource Destruction

🏁 Pre-Requisites

  • Basic understanding of GitHub Actions and Secrets
  • Basic knowledge of HashiCorp Terraform
  • At least ONE working Cloud Provider account (GCP, Azure, AWS)

🚀 Set-Up

Repository (required)

The first step of this process is to create a GitHub repository using Terraform Push as a template. In the top right corner of this repo, you will find a green button to use this template. Press it and follow the repository creation form.

Bootstrap (optional)

Since our Terraform client will be running on a GitHub-provided container, we need a remote backend to keep track of Terraform state files. Use the Terraform configuration files found inside terraform-push/bootstrap to create a working backend on your desired Cloud Provider. You need an authenticated Cloud Provider account for this to work. If you already have one working backend, skip this step. Terraform Push should be able to store state files in an existing backend.

Secrets (required/optional)

GitHub secrets are a secure way to pass the necessary credentials to authenticate this CI. Only add the secrets required for your preferred Cloud Provider(s). You may also add an SSH private key for SSH authentication. On the newly created repository, go to: Settings > Secrets > Actions. Press New repository secret and add the following secrets:

Common (required)

  • PAT_TOKEN Personal Access Token used to authenticate to GitHub and post the Terraform Plan output as a comment on Pull Requests. More information on Creating a Personal Access Token.

  • SSH_PRIVATE_KEY SSH private key used to clone private git repositories. Needed to access private Terraform Modules. More information on Connecting to GitHub with SSH.

Google Cloud (optional)

Microsoft Azure (optional)

Amazon Web Services (optional)

Machine User (optional)

A GitHub user is necessary to make comments on Pull Requests. These comments will contain the proposed plan generated by Terraform. This can be done with your personal GitHub account (not recommended) or with a GitHub machine user. A machine user is no more than a dummy GitHub account that is granted write access on a per-repository basis. Use this account's token when adding PAT_TOKEN.

🎈 Usage

Add a directory containing your Terraform configuration files to any sub-directory inside terraform-push/live-stacks. The names of the sub-directories inside terraform-push/live-stacks do not affect the functioning of this CI; sub-directories can be added or removed. Configuration placed in terraform-push/destroy-bin has its Terraform resources destroyed instead of applied. The current sub-directories are there for demonstration purposes.

Example:

├── .github
├── bootstrap
├── destroy-bin
├── off-stacks
├── stacks
│   ├── foo (Group)
│   │   ├── bucket (Terraform Resource)
│   │   │   ├── main.tf
│   │   │   └── config.tf
│   │   └── ...
│   │
│   ├── bar (Group)
│   │   ├── vpc (Terraform Resource)
│   │   │   ├── main.tf
│   │   │   └── config.tf
│   │   └── ...
│   └── ...
└── ...

Per Cloud Provider

terraform-push/stacks/aws/vpc/main.tf
terraform-push/stacks/gcp/bucket/main.tf
terraform-push/stacks/azure/group/main.tf

Per Team

terraform-push/stacks/team-a/bucket/main.tf
terraform-push/stacks/team-b/bucket/main.tf
terraform-push/stacks/team-c/bucket/main.tf

Per Environment

terraform-push/stacks/dev/vpc/main.tf
terraform-push/stacks/staging/vpc/main.tf
terraform-push/stacks/prod/vpc/main.tf
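The change-detection step behind the layout above, as an added illustration rather than the project's own workflow code: it maps the files touched by a push or pull request to the stack directories that need a Terraform run, and picks plan, apply or destroy from the event. It assumes the <root>/<group>/<resource>/*.tf tree shown in the example (root "stacks" or "destroy-bin"); the sample path list is constructed.

```python
# Added illustration, not the project's workflow code: map the files touched by
# a push or pull request to the stack directories that need a Terraform run.
# Layout assumed from the README tree: <root>/<group>/<resource>/*.tf, root = stacks|destroy-bin.
from pathlib import PurePosixPath

STACK_ROOTS = {"stacks": "apply", "destroy-bin": "destroy"}
STACK_DEPTH = 2  # group/resource levels below the root


def classify_changes(changed_paths, existing_dirs=None):
    """Return {"apply": [...], "destroy": [...]} of stack directories.

    Files outside the two roots (workflows, README) or above stack depth
    (stacks/foo/README.md) trigger nothing, so Terraform only runs against
    stacks a reviewer saw change. With existing_dirs given, stacks that no
    longer exist (moved to destroy-bin or deleted) are dropped from "apply".
    """
    found = {"apply": set(), "destroy": set()}
    for path in changed_paths:
        parts = PurePosixPath(path).parts
        if len(parts) < STACK_DEPTH + 2:  # root + group + resource + file
            continue
        action = STACK_ROOTS.get(parts[0])
        if action is not None:
            found[action].add("/".join(parts[: STACK_DEPTH + 1]))
    if existing_dirs is not None:
        found["apply"] = {s for s in found["apply"] if s in existing_dirs}
    return {k: sorted(v) for k, v in found.items()}


def terraform_command(event_name, ref, action):
    """Pull requests only ever plan (a pending destroy is previewed with
    plan -destroy); a push to master applies live stacks and destroys
    destroy-bin stacks. Any other ref runs nothing."""
    if event_name == "pull_request":
        return "plan" if action == "apply" else "plan -destroy"
    if event_name == "push" and ref == "refs/heads/master":
        return action
    return None


# Constructed sample of `git diff --name-only` output plus the stack
# directories present after checkout (stacks/bar/vpc was moved to destroy-bin).
SAMPLE_CHANGED = [
    "stacks/foo/bucket/main.tf", "stacks/foo/bucket/config.tf",
    "stacks/bar/README.md", "stacks/bar/vpc/main.tf",
    "destroy-bin/bar/vpc/main.tf", ".github/workflows/ci.yml",
]
SAMPLE_EXISTING = {"stacks/foo/bucket", "destroy-bin/bar/vpc"}

if __name__ == "__main__":
    print(classify_changes(SAMPLE_CHANGED, SAMPLE_EXISTING))
```

Limiting each run to the touched stacks keeps an apply's blast radius to what the Pull Request actually reviewed.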

⛏️ Built Using

✍️ Authors

See also the list of contributors who participated in this project.

🎉 Acknowledgements

  • Hat tip to anyone whose code was used