

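[Terraform] Trying out HCP Terraform (CLI-Driven Workflow)

What is HCP Terraform

Terraform Cloud was renamed to HCP Terraform on April 22, 2024.


With the paid editions, you can add five or more users, create teams with different permission levels, and collaborate more effectively. HCP Terraform Plus Edition provides audit logs, continuous validation, and automated configuration drift detection. Organizations with advanced security and compliance needs can also purchase Terraform Enterprise.

HCP Terraform concepts


How to use HCP Terraform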



2. "Create account"


1-1. After creating the account, "Create organization"


1-3. "Create organization"

2-1. "Create a workspace"

2-2. "CLI-Driven Workflow"

 Workspace Name: test-workspace
 Project: Default Project


> terraform login


Terraform will request an API token for app.terraform.io using your browser.

If login is successful, Terraform will store the token in plain text in
the following file for use by subsequent commands:

Do you want to proceed?
  Only 'yes' will be accepted to confirm.

  Enter a value: yes ・・・①

 ②: The browser opens; log in to HCP Terraform

 ③: "Generate token"




Terraform must now open a web browser to the tokens page for app.terraform.io.

If a browser does not open this automatically, open the following URL to proceed:      


Generate a token using your browser, and copy-paste it into this prompt.

Terraform will store the token in plain text in the following file
for use by subsequent commands:

Token for app.terraform.io:
  Enter a value: ・・・⑤

Retrieved token for user xxxxxx


                                          ---------                      --
                                          ---------  -                -----
                                           ---------  ------        -------
                                             -------  ---------  ----------
                                                ----  ---------- ----------
                                                  --  ---------- ----------
   Welcome to HCP Terraform!                       -  ---------- -------
                                                      ---  ----- ---
   Documentation: terraform.io/docs/cloud             --------   -

   New to HCP Terraform? Follow these steps to instantly apply an example configuration:

   $ git clone https://github.com/hashicorp/tfc-getting-started.git
   $ cd tfc-getting-started
   $ scripts/setup.sh

If an error appears, the token was probably not copied and pasted correctly, so start over from terraform login.

  Enter a value:

│ Error: Token is invalid: unauthorized


terraform {
  cloud {
    # Organization and workspace created in steps 1 and 2
    organization = "xxxxxx"

    workspaces {
      name = "test-workspace"
    }
  }
}


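provider "aws" {
  region     = "ap-northeast-1"
  # Placeholder values. Literal keys here are uploaded with the configuration on
  # every remote run; the provider also reads them from the environment.
  access_key = "xxxxxxxxxxx"
  secret_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}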
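
An alternative to the static keys in the provider block above, as an added example that is not from the original post. In the CLI-driven workflow the working directory is uploaded to HCP Terraform for each run, so keys written into a .tf file travel with it; this sketch stores them as sensitive environment variables on the workspace instead. It assumes a separate configuration using the hashicorp/tfe provider, authenticated for example through the TFE_TOKEN environment variable; the input variable names and the data source label "target" are hypothetical.

```hcl
# Configuration A (separate directory): stores the keys on the workspace.
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Hypothetical inputs; pass them as TF_VAR_... at apply time, never in a file.
variable "aws_access_key_id" {
  type      = string
  sensitive = true
}

variable "aws_secret_access_key" {
  type      = string
  sensitive = true
}

data "tfe_workspace" "target" {
  name         = "test-workspace"
  organization = "xxxxxx"
}

# category "env" exposes the value as an environment variable in remote runs;
# sensitive = true makes it write-only in the HCP Terraform UI and API.
resource "tfe_variable" "aws_access_key_id" {
  workspace_id = data.tfe_workspace.target.id
  key          = "AWS_ACCESS_KEY_ID"
  value        = var.aws_access_key_id
  category     = "env"
  sensitive    = true
}

resource "tfe_variable" "aws_secret_access_key" {
  workspace_id = data.tfe_workspace.target.id
  key          = "AWS_SECRET_ACCESS_KEY"
  value        = var.aws_secret_access_key
  category     = "env"
  sensitive    = true
}

# Configuration B (the post's own configuration): no keys in the provider block.
# The AWS provider picks both values up from the run's environment.
provider "aws" {
  region = "ap-northeast-1"
}
```

The values are still recorded in Configuration A's state, so access to that state needs to be restricted.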


resource "aws_vpc" "vpc01" {
  cidr_block           = var.vpc_network["ser01"]
  enable_dns_hostnames = true

  tags = {
    Name = "${var.env["env"]}vpc01"
  }
}


variable "env" {
  type = map(any)
  default = {
    env = "test"
  }
}

variable "vpc_network" {
  type = map(any)

  default = {
    ser01 = ""
  }
}


> terraform init
Initializing Terraform Cloud...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v5.81.0...
- Installed hashicorp/aws v5.81.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform Cloud has been successfully initialized!

You may now begin working with Terraform Cloud. Try running "terraform plan" to
see any changes that are required for your infrastructure.

If you ever set or change modules or Terraform Settings, run "terraform init"
again to reinitialize your working directory.

5-2. Run the HCP Terraform workflow

> terraform apply
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:

Waiting for the plan to start...

Terraform v1.10.1
on linux_amd64
Initializing plugins and modules...

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated 
with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_vpc.vpc01 will be created
  + resource "aws_vpc" "vpc01" {
      + arn                                  = (known after apply)
      + cidr_block                           = ""
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = true
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags                                 = {
          + "Name" = "testvpc01"
        }
      + tags_all                             = {
          + "Name" = "testvpc01"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "test-workspace"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_vpc.vpc01: Creating...
aws_vpc.vpc01: Still creating... [10s elapsed]
aws_vpc.vpc01: Creation complete after 14s [id=vpc-06c516887c5bc2f87]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

5-3. Check in HCP Terraform


> terraform destroy
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:

Waiting for the plan to start...

Terraform v1.10.1
on linux_amd64
Initializing plugins and modules...
aws_vpc.vpc01: Refreshing state... [id=vpc-06c516887c5bc2f87]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated 
with the following symbols:
  - destroy

Terraform will perform the following actions:

  # aws_vpc.vpc01 will be destroyed
  - resource "aws_vpc" "vpc01" {
      - arn                                  = "arn:aws:ec2:ap-northeast-1:xxxxxxxxxxxx:vpc/vpc-06c516887c5bc2f87" -> null
      - assign_generated_ipv6_cidr_block     = false -> null
      - cidr_block                           = "" -> null
      - default_network_acl_id               = "acl-0c445c193a8df6cc0" -> null
      - default_route_table_id               = "rtb-079fd13083879b415" -> null
      - default_security_group_id            = "sg-01dc5d25cee982c60" -> null
      - dhcp_options_id                      = "dopt-88aca5ec" -> null
      - enable_dns_hostnames                 = true -> null
      - enable_dns_support                   = true -> null
      - enable_network_address_usage_metrics = false -> null
      - id                                   = "vpc-06c516887c5bc2f87" -> null
      - instance_tenancy                     = "default" -> null
      - ipv6_netmask_length                  = 0 -> null
      - main_route_table_id                  = "rtb-079fd13083879b415" -> null
      - owner_id                             = "xxxxxxxxxxxx" -> null
      - tags                                 = {
          - "Name" = "testvpc01"
        } -> null
      - tags_all                             = {
          - "Name" = "testvpc01"
        } -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy all resources in workspace "test-workspace"?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

aws_vpc.vpc01: Destroying... [id=vpc-06c516887c5bc2f87]
aws_vpc.vpc01: Destruction complete after 2s

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.

