Terraform Cloud
Sourcegraph uses Terraform Cloud to manage the deployment of cloud infrastructure on multiple platforms.
Making and applying a change to our infrastructure
In the majority of cases, Terraform Cloud should be transparent to developers: the main change to
our default workflow is that for resources managed by Terraform Cloud, you will no longer be
able to run terraform apply
locally on your laptop. Instead:
- Open a pull request on a branch with your intended changes
- Terraform Cloud should run a
terraform plan
action and post the results as a GitHub status check. You can also still runterraform plan
locally as before (although the plan will now occur in the cloud). - When approved, merge your changes in.
Terraform Cloud should apply your changes on merge.
Administration
Details of our Terraform Cloud account, sales contacts, and other administrative information can be found here.
Logging into Terraform Cloud
All of Engineering has access to view and plan changes to specific shared workspaces in Terraform Cloud. The workspaces in question can be seen here.
The Cloud, DevEx, and Security teams have workspace write access to the workspaces relevant to their work.
If you believe that you need more access to a Terraform Cloud workspace than you currently have, post in #security with the access that you need and someone from the team will assist you.
To access Terraform Cloud go to your Okta dashboard and click on the Terraform Cloud tile.
If it’s your first login, you might be asked to create a Terraform Cloud account. This is normal – similar to GitHub, a Terraform Cloud account is separate to access to the organization. Our SSO setup only grants access to the Sourcegraph Terraform Cloud organization. Create an account and proceed as normal.
Creating a new Terraform Cloud workspace
- Create a new module for your workspace following the example here.
- Place the module in the most appropriate file in the
infrastructure/terraform-cloud
folder, or create a new file for the module if none of the existing files are sufficient. - The
team_access
values can be found here. trigger_patterns
andworking_directory
should refer to the folder of Terraform configuration you are creating the workspace for- The workspace
name
should be unique – ideally, use the location of the folder within theinfrastructure
repo, with the/
s replaced by-
- Place the module in the most appropriate file in the
- Request a Terraform Cloud admin to apply the changes in either #cloud or #security.
Migrating to Terraform Cloud
To move a folder of Terraform configuration that currently uses the GCS backend:
- Create a workspace for the folder in the most appropriate file here,
with
auto_apply
set tofalse
. This prevents Terraform Cloud from applying any changes before the state has been migrated. See here for an example of such a change. Team permissions are defined here. - Request a Terraform Cloud admin to apply the changes in either #cloud or #security once they are landed.
- Within the folder that you are looking to migrate, follow the instructions found here.
- Once the migration is completed, run a
terraform plan
in the migrated folder to ensure that there are no unexpected planned changes.
Migrating to a Terraform Cloud workspace is easy, but migrating back is slightly more convoluted, so only migrate if you’re certain that you are ready to manage the resources in question with Terraform Cloud.
Slack integration
Terraform Cloud provides a Slack integration, which is also useful to stay notified of changes that you or your team care about. You can set up the Slack integration (or other notification methods) in the Notifications section of the relevant workspace’s settings.
OPA policy enforcement
We use Terraform Cloud to scan our IaC. We currently scan Cloud v2-related code through TF Cloud. This is done through OPA policies in the cloud-opa-policy
Policy Set. Every Cloud v2 is automatically added to the Policy Set. The code containing the OPA policies in Rego can be found here.
Terraform Cloud state backup
Terraform Cloud workspaces contain all versions of a folder’s state – if you delete a workspace, you also delete all of the previously stored state. Hashicorp doesn’t store a backup of workspace or state data.
In order to have some way of backing up state outside Terraform Cloud in case workspaces are accidentally destroyed, we have a tool that backs up our Terraform Cloud state into GCS on the completion of runs in Terraform Cloud. You can read more about it here.
Troubleshooting and FAQs
Apply not allowed
If you receive the error ‘Error: Apply not allowed for workspaces with a VCS connection’, this is
because you are attempting to run terraform apply
in a folder managed by Terraform Cloud. In order
to apply your changes, follow the instructions for making and applying a change to our infrastructure.
Is this folder managed by Terraform Cloud?
If you’re not sure whether the folder of Terraform configuration that you’re changing has been onboarded
onto Terraform Cloud or not, look for the terraform { ... }
block that defines the providers and
backends for the folder.
Folders that have been onboarded to Terraform Cloud will have a cloud { ... }
block within the
terraform { ... }
block, and those that haven’t been onboarded will have a backend "gcs" { ... }
block. For the latter, you will need to follow the legacy workflow and apply your changes manually
using terraform apply
from your laptop.