Code which manages configuration and life-cycle of all the Terraform Cloud foundation. It is designed to be used from a dedicated VCS-Driven Terraform Cloud workspace that would provision and manage the configuration using Terraform code (IaC). It uses Hashicorp Vault Secrets to manage secrets.
To manage the resources from that code, provide a token from an account with
owner permissions. Alternatively, you can use a token from the owner team
instead of a user token.
To manage secrets in Hashicorp Vault Secrets, provide a client ID and a key
from a service principals with the secret contributor role.
To manage the GitHub resources, provide a token from an account or a GitHub App with appropriate permissions. It should have:
- Read access to
metadata - Read and write access to
administration,code,members, andsecrets
The Terraform Cloud provider requires a Terraform Cloud/Enterprise API token in order to manage resources.
- Set the
TFE_TOKENenvironment variable: The provider can read the TFE_TOKEN environment variable and the token stored there to authenticate. Refer to Managing Variables documentation for more details.
The Hashicorp Vault Secrets provider requires a service principal client ID and a key in order to manage resources.
-
Set the
HCP_CLIENT_IDenvironment variable: The provider can read the HCP_CLIENT_ID environment variable and the client ID stored there to authenticate. Refer to Managing Variables documentation for more details. -
Set the
HCP_CLIENT_SECRETenvironment variable: The provider can read the HCP_CLIENT_SECRET environment variable and the client ID stored there to authenticate. Refer to Managing Variables documentation for more details.
The GitHub provider requires a GitHub App installation in order to manage resources.
- Set the
GITHUB_APP_ID,GITHUB_APP_INSTALLATION_ID,GITHUB_APP_PEM_FILE, andGITHUB_OWNERenvironment variables. The provider can read the GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, GITHUB_APP_PEM_FILE, and GITHUB_OWNER environment variables to authenticate.
Because strings with new lines is not support:
use "\\n" within thepem_fileargument to replace new line
use "\n" within theGITHUB_APP_PEM_FILEenvironment variables to replace new line
- Manages configuration and life-cycle of Terraform Cloud resources:
- projects
- workspaces
- teams
- variable sets
- variables
- notifications
- run tasks
- Manages configuration and life-cycle of GitHub resources:
- repositories
- branches protection
- repositories secrets
- teams
- Manages configuration and life-cycle of Hashicorp Vault Secrets
- app
- secrets
In order to deploy the configuration from this code, you must first create an organization. You must then manually create a dedicated VCS-driven Terraform Cloud workspace in the UI.
In order to read secrets from Hashicorp Vault Secrets, you must first create
an organization in Hashicorp Cloud. You must manually create a project, an
application, the secrets, a service principale with read permission
and create a key in the UI.
To authenticate into Terraform Cloud during configuration deployment, an
API token must be created. This token must come from an account with owner
permission or the owner team. An environment variable TFE_TOKEN must be
created in the previously created workspace with the value of the generated token.
To authenticate into Hashicorp Vault Secrets during deployment, a service
principal with a key must be created. HCP_CLIENT_ID and HCP_CLIENT_SECRET
environment variables must be create in the previously created workspace with
the value of the generated key.
To authenticate into GitHub during deployment, a GitHub App with the required
permission must be created. GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID,
GITHUB_APP_PEM_FILE, and GITHUB_OWNER environment variables must be create
in the previously created workspace with the value of the generated key.
The following requirements are needed by this module:
The following Modules are called:
Source: ./modules/git_repository
Version:
Source: ./modules/git_team
Version:
Source: ./modules/tfe_agent
Version:
Source: ./modules/tfe_notification
Version:
Source: ./modules/tfe_team
Version:
Source: ./modules/tfe_workspace
Version:
No required inputs.
No optional inputs.
The following resources are used by this module:
- github_actions_secret.this (resource)
- hcp_vault_secrets_app.this (resource)
- hcp_vault_secrets_secret.this (resource)
- tfe_project.project (resource)
- tfe_project_variable_set.this (resource)
- tfe_variable.variable_set (resource)
- tfe_variable.workspace (resource)
- tfe_variable_set.this (resource)
- tfe_workspace_variable_set.this (resource)
- hcp_vault_secrets_secret.this (data source)
- tfe_oauth_client.client (data source)
- tfe_organization.this (data source)
- tfe_organization_membership.this (data source)
- tfe_organization_run_task.this (data source)
- tfe_workspace.this (data source)
The following outputs are exported:
Description: The token of the team with manage-modules access.
Description: The id of the GitHub team who can contribute to the private modules registry.
Description: The id of the GitHub team who owns the private modules registry.