Repeatability and Security with Terraform Modules 💡

2024-11-16
Geoff

Terraform Modules 🪐

I find myself writing terraform modules on the regular 📆. Sometimes I copy a recent module and start chopping it up to get a good starting point 😱, but it's a waist of time really. I created a template GitHub repo that can now serve as a starting point for all my modules 🚀.

Repeatability 🔄

The template repo is on GitHub here GSP-Corp/tf-aws-module-template. It includes a decent readme.md, a GitHub Action to init, validate, and plan the module on each PR.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
(.venv) (base) ➜  gspc-site git:(tf-modules) ✗ tree -a ~/code/gspc/tf-aws-module-template -I .git
/Users/gspcorp/code/gspc/tf-aws-module-template
├── .github
│   └── workflows
│       └── tf-plan.yml
├── .gitignore
├── .terraform.lock.hcl
├── outputs.tf
├── readme.md
├── variables.tf
└── versions.tf

This gives me the warm and fuzzies 🧸.

Configuration 🛠

The GitHub Action needs an ssh key PRIVATE_SSH_KEY, and an AWS role ROLE_ARN in order to do it's bidding. So, make sure you create those at your org or repo level.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: terraform/plan

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout

jobs:
  plan:
    name: Terraform Plan
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}

      - name: Configure AWS credentials
        id: aws_credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: {ROLE_ARN}
          aws-region: us-east-1

      - name: Terraform init
        id: terraform_init
        working-directory: .
        run: terraform init

      - name: Terraform validate
        id: terraform_validate
        working-directory: .
        run: terraform validate

      - name: Terraform plan
        id: terraform_plan
        working-directory: .
        run: terraform plan
        env:
          GIT_SSH_COMMAND: "echo '${{ secrets.{PRIVATE_SSH_KEY} }}' > id_rsa
            && ssh-keyscan github.com > known_hosts
            && chmod 600 id_rsa known_hosts
            && ssh -i ./id_rsa -o UserKnownHostsFile=./known_hosts"

Conclusion 👌🏾

Now we can create new terraform module repos quickly from this base case. The config is inherited from the org level and the module is ready for development. This is a great way to ensure repeatability and security in your terraform modules.

📨 Contact GSPC ✉️

AWS Certified Certified Terraform Associate AWS Serverless AWS Certified Developer Associate GitHub Foundations Certification GitHub Actions Certification Certified SysOps Administrator Certified AWS Security Specialist Certified AWS DevOps Engineer Professional GCP: Cloud Digital Leader Certification Badge