はてなブックマーク

When we introduce module blocks, our configuration becomes hierarchical rather than flat: each module contains its own set of resources, and possibly its own child modules, which can potentially create a deep, complex tree of resource configurations. However, in most cases we strongly recommend keeping the module tree flat, with only one level of child modules, and use a technique similar to the a

Note: Explicit refactoring declarations with moved blocks is available in Terraform v1.1 and later. For earlier Terraform versions or for refactoring actions too complex to express as moved blocks, you can use the terraform state mv CLI command as a separate step. In shared modules and long-lived configurations, you may eventually outgrow your initial module structure and resource names. For examp

AWS AssumeRole allows you to grant temporary credentials with additional privileges to users as needed, following the principle of least privilege. To configure AssumeRole access, you must define an IAM role that specifies the privileges that it grants and which entities can assume it. AssumeRole can grant access within or across AWS accounts. If you are administering multiple AWS accounts, you ca

Cloud Development Kit for Terraform (CDKTF) allows you to use familiar programming languages to define and provision infrastructure. This gives you access to the entire Terraform ecosystem without learning HashiCorp Configuration Language (HCL) and lets you leverage the power of your existing toolchain for testing, dependency management, etc. We support TypeScript, Python, Java, C#, and Go. How do

Terraform modules are self-contained pieces of infrastructure-as-code that abstract the underlying complexity of infrastructure deployments. They speed adoption and lower the barrier of entry for Terraform end users who consume pre-built configuration. As a result, they should use coding best practices such as clear organization and the DRY ("Don't Repeat Yourself") principle wherever possible. Th

The Cloud Development Kit for Terraform (CDKTF) generates JSON Terraform configuration from code in C#, Python, TypeScript, Java, or Go, and creates infrastructure using Terraform. With CDKTF, you can use hundreds of providers and thousands of module definitions provided by HashiCorp and the Terraform community. By using your programming language of choice, you can take advantage of the features a

GitHub Actions add continuous integration to GitHub repositories to automate your software builds, tests, and deployments. Automating Terraform with CI/CD enforces configuration best practices, promotes collaboration, and automates the Terraform workflow. HashiCorp provides GitHub Actions that integrate with the HCP Terraform API. These actions let you create your own custom CI/CD workflows to mee

Validated PatternsField-tested patterns for using HashiCorp products

Terraform providers manage resources by communicating between Terraform and target APIs. Whenever the target APIs change or add functionality, provider maintainers may update and version the provider. When multiple users or automation tools run the same Terraform configuration, they should all use the same versions of their required providers. There are two ways for you to manage provider versions

Validated PatternsField-tested patterns for using HashiCorp products

Serverless computing is a cloud computing model in which a cloud provider allocates compute resources on demand. This contrasts with traditional cloud computing where the user is responsible for directly managing virtual servers. Most serverless applications use Functions as a Service (FaaS) to provide application logic, along with specialized services for additional capabilities such as routing H

Nearly all requests to Vault must be accompanied by an authentication token. This includes all API requests, as well as via the Vault CLI and other libraries. If you can securely get the first secret from an originator to a consumer, all subsequent secrets transmitted between this originator and consumer can be authenticated with the trust established by the successful distribution and user of tha

Terraform Plugin SDKv2 is a way to maintain Terraform Plugins on protocol version 5. We recommend using the framework to develop new provider functionality because it offers significant advantages as compared to the SDKv2. We also recommend migrating existing providers to the framework when possible. Refer to Plugin Framework Benefits for higher level details about how the framework makes provider

AWS's Elastic Kubernetes Service (EKS) is a managed service that lets you deploy, manage, and scale containerized applications on Kubernetes. In this tutorial, you will deploy an EKS cluster using Terraform. Then, you will configure kubectl using Terraform output and verify that your cluster is ready to use. Why deploy with Terraform?While you could use the built-in AWS provisioning processes (UI,

Validated PatternsField-tested patterns for using HashiCorp products

Each HCP Terraform workspace is associated with a particular Terraform configuration, which is expected to change and evolve over time. Since every organization has its own preferred source code control practices, HCP Terraform does not provide integrated version management. Instead, it expects Terraform configurations to be managed in your existing version control system (VCS). In order to perfor

Terraform v0.12 is a major release focused on configuration language improvements and thus includes some changes that you'll need to consider when upgrading. The goal of this guide is to cover the most common upgrade concerns and issues. For most users, upgrading configuration should be completely automatic. Some simple configurations will require no changes at all, and most other configurations c

This guide describes recommended best practices for infrastructure architects and operators to follow when deploying Vault using the Integrated Storage (Raft) storage backend in a production environment. This guide includes general guidance as well as specific recommendations for popular cloud infrastructure platforms. These recommendations have also been encoded into official Terraform modules fo

Note This engine can use external X.509 certificates as part of TLS or signature validation. Verifying signatures against X.509 certificates that use SHA-1 is deprecated and is no longer usable without a workaround starting in Vault 1.12. Refer to the deprecation notices for more information. The PKI secrets engine generates dynamic X.509 certificates. With this secrets engine, services can get ce

This guide is meant for enterprise users looking to advance their Terraform usage from a few individuals to a full organization. For Terraform code style recommended practices, refer to the Terraform style guide. IntroductionHashiCorp specializes in helping IT organizations adopt cloud technologies. Based on what we've seen work well, we believe the best approach to provisioning is collaborative i

Policy as code is the idea of writing code in a high-level language to manage and automate policies. By representing policies as code in text files, proven software development best practices can be adopted such as version control, automated testing, and automated deployment. Many existing policy or ACL systems do not practice policy as code. Many policies are set by clicking in a GUI, which isn't

Each Terraform configuration has an associated backend that defines how Terraform executes operations and where Terraform stores persistent data, like state. The persistent data stored in the backend belongs to a workspace. The backend initially has only one workspace containing one Terraform state associated with that configuration. Some backends support multiple named workspaces, allowing multip

Tip Before following the recommendations in this guide to build your own infrastructure pipelines from scratch, consider whether HCP Terraform's built in version control integration, run triggers, and other features meet your needs while automatically implementing best practices. For teams that use Terraform as a key part of a change management and deployment pipeline, it can be desirable to orche