Apply for invite to IaCP

Guide : CLI driven runs with IaCP

Scalr is a remote backend for Terraform runs initiated via the Terraform CLI. This provides the following benefits.

  • Centralized state storage and resource visibility

  • Secure provider credentials

  • Centralized and automated deployment policy implementation

  • Cost estimation

Important

This page explains how to set up a Scalr workspace as a remote backend for CLI runs.

Concepts

Term

Description

Account scope

Organisation layer in Scalr. Used to administer environments, policy, provider credentials and access controls

Environment scope

Working environments for teams and users. Multiple per account. Workspaces for running Terraform live at this scope

Provider credentials

Credentials for clouds and other providers set up at account scope and automatically added to workspaces as environment variables

Workspaces

Run time environment and stage storage for Terraform. Includes Terraform and Environment variables

How it Works

  1. API Token generated and added to your terraform environment

  2. Template configured with remote backend details

  3. terraform init creates workspace in IaCP

  4. Variables are set in the workspace

  5. CLI runs

==>> Most of this tutorial is done at environment scope (blue), but watch out for the bits that are done at account scope (green).

You can switch between Account and Environment scope using environment switcher in the top right corner.

../_images/navigate_environment.png

If you need to create an environment, goto account scope -> Environments -> New Environment. Select IaCP and save.

Note

It is not necessary to pre-create a workspace in Scalr, the workspace will be created the first time terraform init is run when a remote backend is configured in the template. However you WILL need to create Terraform variables and assign values in the workspace before performing a run.

Setup Overview

../_images/cli_flow.png

We will use an example of an AWS instance to show you how to set up and test automation using the following steps

  1. API Token - Generate token and add to Terrafrom config

  2. Provider Credentials - To enable providers to connect

  3. Configure Template - Add remote backed to Terraform template

  4. Initialize Workspace - Create workspace in IaCP

  5. Set Variables - Set values for any input variables in the template

  6. CLI Runs - Invoke run from CLI


API Token

../_images/cli_flow_1.png
  1. Create API Token

    ../_images/api_token.png
  2. Add a credentials to your CLI Configuration file.

    OS

    File name and location

    Windows

    file must be named named terraform.rc and placed in the relevant user’s %APPDATA% directory. The physical location of this directory depends on your Windows version and system configuration; use $env:APPDATA in PowerShell to find its location on your system.

    All other

    ~/.terraformrc

credentials "my.scalr.com" {
  token = "<user-token>"
}

Provider Credentials

../_images/cli_flow_2.png

All providers in the template need credentials to authenticate with. For cloud providers these are typically access keys. All providers allow the credentials to be supplied via environment variables. IaCP allows you to set up credentials for cloud providers so that the necessary environment variables will automatically be set up in the workspace.

Setting up cloud credentials in is a three step process and is done at the account scope (green).

  1. Set up necessary authentication in the cloud provider (varies from cloud to cloud).

    • In the EC2 console navigate to IAM -> Users -> Select a user -> Security Credentials -> Create Access Key

    • Save the access key and secret key

  1. Create Cloud Credentials in Scalr.

    • In Scalr at account scope navigate to cloud credentials -> add credentials. Select AWS, enter a name and the two keys and save.

      ../_images/AWS-Keys.png ../_images/AWS-Keys-Scalr.png
  1. Link Cloud Credentials to the environment.

    • Navigate to environments

    • Select the required environment and click on the clouds tab.

    • Click the link symbol on the right side for the cloud you want to link.

    • Select the credentials and save.

../_images/link_creds.png

Configure Template

../_images/cli_flow_3.png

Add backend configuration to your Terraform template.

  1. Get the organization id from the environment switcher on the UI

    ../_images/org_id.png
  2. Add a terraform block to your template. The hostname will be your local installation if IaCP is deployed on-prem. You can choose the workspace name at this point.

terraform {
  backend "remote" {
    hostname = "my.scalr.com"
    organization = "<organization-name of environment>"
    workspaces {
      name = "<workspace-name>"
    }
  }
}

Initialize Workspace

../_images/cli_flow_4.png
  1. Initialize the local workspace by running terraform init

$ terraform init

Initializing the backend...

Initializing provider plugins...
  1. View the workspace in the UI

    ../_images/cli_ws_1.png

Set Variables

../_images/cli_flow_5.png

Any input variables that don’t have defaults and are not assigned values in terraform.tfvars[.json] must be given values in Scalr.

Note

Currently you need to create the variables and set values. In a later release of Scalr the variables will be created in the workspace automatically, but the values will still need to be set.

../_images/tf_vars.png

Navigate to the variables tab on the workspace screen and use New -> New Terraform Variable.

../_images/new_tf_var.png

CLI Runs

../_images/cli_flow_6.png

Initiate a run from the CLI with either terraform plan or terraform apply

CLI Runs can be viewed from the local terminal and from the workspace in the Scalr UI. They can also be approved in either the local terminal or in the UI.

You will see the usual plan and apply phases, but also the IaCP additions of cost estimation and policy checks. The policy checks wont do anything until you have linked policies to your environment.

../_images/approve_cli.png
../_images/approve_ui_1.png
../_images/approve_ui_2.png