Repeatability and Security with Terraform Modules 💡

Terraform Modules 🪐

I find myself writing terraform modules on the regular 📆. Sometimes I copy a recent module and start chopping it up to get a good starting point 😱, but it's a waste of time really. I created a template GitHub repo that can now serve as the starting point for all my modules 🚀.

Repeatability 🔄

The template repo is on GitHub at GSP-Corp/tf-aws-module-template. It includes a decent readme.md and a GitHub Action that runs init, validate, and plan against the module on each PR.

(.venv) (base) ➜  gspc-site git:(tf-modules) ✗ tree -a ~/code/gspc/tf-aws-module-template -I .git
/Users/gspcorp/code/gspc/tf-aws-module-template
├── .github
│   └── workflows
│       └── tf-plan.yml
├── .gitignore
├── .terraform.lock.hcl
├── outputs.tf
├── readme.md
├── variables.tf
└── versions.tf

This gives me the warm and fuzzies 🧸.

Configuration 🛠

The GitHub Action needs an SSH private key secret, PRIVATE_SSH_KEY, and an AWS IAM role ARN secret, ROLE_ARN, in order to do its bidding. So, make sure you create those as secrets at your org or repo level before opening a PR.

name: terraform/plan

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

permissions:
  id-token: write # This is required for requesting the OIDC JWT
  contents: read # This is required for actions/checkout

jobs:
  plan:
    name: Terraform Plan
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}

      - name: Configure AWS credentials
        id: aws_credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # ROLE_ARN is read from the org- or repo-level secret; no long-lived AWS keys in the repo
          role-to-assume: ${{ secrets.ROLE_ARN }}
          aws-region: us-east-1

      - name: Terraform init
        id: terraform_init
        working-directory: .
        # terraform init is the step that fetches git-sourced modules, so set
        # GIT_SSH_COMMAND here as well if the module pulls private sources
        run: terraform init

      - name: Terraform validate
        id: terraform_validate
        working-directory: .
        run: terraform validate

      - name: Terraform plan
        id: terraform_plan
        working-directory: .
        run: terraform plan
        env:
          # Write the private key and a pinned known_hosts to disk, then point git's ssh at them
          GIT_SSH_COMMAND: "echo '${{ secrets.PRIVATE_SSH_KEY }}' > id_rsa
            && ssh-keyscan github.com > known_hosts
            && chmod 600 id_rsa known_hosts
            && ssh -i ./id_rsa -o UserKnownHostsFile=./known_hosts"
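The workflow assumes the role via GitHub's OIDC provider, so the role's trust policy is where the security boundary actually lives. The following Terraform, added here as an example and not part of the template repo, creates that provider and a plan-only role whose trust is limited to pull_request runs from repos in the org; the org name GSP-Corp comes from the post, while the role name, the ReadOnlyAccess attachment and the use of the tls provider for the thumbprint are assumptions.

```hcl
# Example (not from the template repo): OIDC provider and a read-only role for terraform plan.
# Assumed values: the role name and the ReadOnlyAccess policy; "GSP-Corp" is the org from the post.
locals {
  github_org = "GSP-Corp"
  oidc_url   = "https://token.actions.githubusercontent.com"
}

# Fetch GitHub's current signing certificate so the provider thumbprint is not hardcoded
data "tls_certificate" "github" {
  url = "${local.oidc_url}/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = local.oidc_url
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

# Trust policy: only tokens issued for pull_request runs in this org's repos may assume the role
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${local.github_org}/*:pull_request"]
    }
  }
}

resource "aws_iam_role" "tf_plan" {
  name               = "github-tf-plan" # assumed name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# plan only needs to read; keep write permissions off this role
resource "aws_iam_role_policy_attachment" "read_only" {
  role       = aws_iam_role.tf_plan.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

output "role_arn" {
  value = aws_iam_role.tf_plan.arn # store this value as the ROLE_ARN secret
}
```

Tighten the sub pattern to a single repo (repo:GSP-Corp/NAME:pull_request) if the role should not be assumable from every repo in the org.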

Conclusion 👌🏾

Now we can create new terraform module repos quickly from this base. The secrets are inherited from the org level and the module is ready for development. This is a great way to ensure repeatability and security in your terraform modules.
