Amegaeru IT Blog

Don't try too hard. A blog that tries just hard enough.

[Terraform] Trying out HCP Terraform (CLI-Driven Workflow)


What is HCP Terraform

An application that helps a team use Terraform collaboratively.
It manages Terraform runs in a consistent, reliable environment instead of on each engineer's laptop.
It is available as a hosted service at https://app.terraform.io.
It was renamed from Terraform Cloud to HCP Terraform on April 22, 2024.

Plans

There are free and paid editions.
The paid editions let you add five or more users, create teams with different permission levels, and collaborate more effectively. HCP Terraform Plus Edition adds audit logs, continuous validation, and automatic configuration drift detection. Organizations with advanced security and compliance needs can also purchase Terraform Enterprise.

HCP Terraform concepts

 ・Organization: the top-level unit that owns users, teams, and projects
 ・Project: a grouping of workspaces within an organization
 ・Workspace: the unit in which one configuration, its variables, its runs, and its state are managed

How to use HCP Terraform

1. Go to the page below and enter your account details

https://app.terraform.io/signup/account


2. Click "Create account"

Getting started

1. Create an Organization
1-1. After creating the account, click "Create organization"

1-2. Enter the organization details

1-3. Click "Create organization"


2. Create a Workspace
2-1. Click "Create a workspace"

2-2. Select "CLI-Driven Workflow"

2-3. Enter the following
 Workspace Name: test-workspace
 Project: Default Project
 Description: <blank>
2-4. Click "Create"


3. Log in
3-1. Run the following from your local environment

> terraform login

3-2. Work through the prompts; ① and ⑤ mark where they appear in the output below
 ①: Enter yes
 ②: A browser opens; log in to HCP Terraform
 ③: Click "Generate token"
 ④: Copy the token that is displayed (the note icon copies it to the clipboard)
 ⑤: Return to the CLI and paste the token

As the prompt warns, the token is stored in plain text in credentials.tfrc.json. Anyone who can read that file can act as your user against HCP Terraform, so keep it off shared machines and out of backups, and revoke it at https://app.terraform.io/app/settings/tokens once it is no longer needed. On CI runners, set the environment variable TF_TOKEN_app_terraform_io instead; Terraform consults it before the file, so no token has to be written to disk.

> terraform login
Terraform will request an API token for app.terraform.io using your browser.

If login is successful, Terraform will store the token in plain text in
the following file for use by subsequent commands:
    C:\Users\xxxxxx\AppData\Roaming\terraform.d\credentials.tfrc.json

Do you want to proceed?
  Only 'yes' will be accepted to confirm.

  Enter a value: yes ・・・①


---------------------------------------------------------------------------------      

Terraform must now open a web browser to the tokens page for app.terraform.io.

If a browser does not open this automatically, open the following URL to proceed:      
    https://app.terraform.io/app/settings/tokens?source=terraform-login


---------------------------------------------------------------------------------      

Generate a token using your browser, and copy-paste it into this prompt.

Terraform will store the token in plain text in the following file
for use by subsequent commands:
    C:\Users\amega\AppData\Roaming\terraform.d\credentials.tfrc.json

Token for app.terraform.io:
  Enter a value: ・・・⑤


Retrieved token for user xxxxxx


---------------------------------------------------------------------------------      

                                          -
                                          ---------                      --
                                          ---------  -                -----
                                           ---------  ------        -------
                                             -------  ---------  ----------
                                                ----  ---------- ----------
                                                  --  ---------- ----------
   Welcome to HCP Terraform!                       -  ---------- -------
                                                      ---  ----- ---
   Documentation: terraform.io/docs/cloud             --------   -
                                                      ----------
                                                      ----------
                                                       ---------
                                                           -----
                                                               -


   New to HCP Terraform? Follow these steps to instantly apply an example configuration:

   $ git clone https://github.com/hashicorp/tfc-getting-started.git
   $ cd tfc-getting-started
   $ scripts/setup.sh

If you get the error below, the token was most likely not pasted correctly (or has already been revoked), so start over from terraform login.

Token for app.terraform.io:
  Enter a value:

╷
│ Error: Token is invalid: unauthorized
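The plain-text credentials file that terraform login writes is worth inspecting. The script below is an added example, not code from the original post or from HashiCorp: it parses credentials.tfrc.json at Terraform's default location (%APPDATA%\terraform.d on Windows, ~/.terraform.d elsewhere), reports each stored token in masked form, flags POSIX permission bits that let other users read the file, and notes when a TF_TOKEN_<host> environment variable would take precedence over the file. The file layout and the TF_TOKEN naming rule (dots become underscores, hyphens become double underscores) are HashiCorp's documented behaviour; the sample JSON used for testing is constructed.

```python
"""Audit the Terraform CLI credentials file written by `terraform login`.

Added example, not part of the original post. Assumes the documented file
layout {"credentials": {"<host>": {"token": "..."}}}, Terraform's default
file locations, and the TF_TOKEN_<host> environment variable convention.
No network access is used.
"""
from __future__ import annotations

import json
import os
import stat
import sys
from pathlib import Path
from typing import Mapping


def credentials_path() -> Path:
    """Default location of credentials.tfrc.json on this platform."""
    if sys.platform == "win32":
        return Path(os.environ["APPDATA"]) / "terraform.d" / "credentials.tfrc.json"
    return Path.home() / ".terraform.d" / "credentials.tfrc.json"


def load_credentials(text: str) -> dict[str, str]:
    """Parse the file contents and return host -> token."""
    creds = json.loads(text).get("credentials", {})
    return {
        host: entry["token"]
        for host, entry in creds.items()
        if isinstance(entry, dict) and "token" in entry
    }


def mask(token: str) -> str:
    """Show just enough of a token to identify it in a report."""
    if len(token) <= 8:
        return "*" * len(token)
    return f"{token[:4]}...{token[-4:]} ({len(token)} chars)"


def env_var_for_host(host: str) -> str:
    """Env var Terraform consults before the file: '.' -> '_', '-' -> '__'."""
    return "TF_TOKEN_" + host.replace("-", "__").replace(".", "_")


def is_readable_by_others(mode: int) -> bool:
    """True if the group or world read bit is set (POSIX semantics)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(text: str, mode: int | None, environ: Mapping[str, str]) -> list[str]:
    """Return findings for the file contents and its st_mode.

    mode is None on platforms where POSIX bits are not meaningful (Windows),
    in which case the permission check is skipped.
    """
    findings: list[str] = []
    tokens = load_credentials(text)
    if not tokens:
        findings.append("no tokens stored")
        return findings
    if mode is not None and is_readable_by_others(mode):
        findings.append(
            f"file is readable by group/others (mode {stat.S_IMODE(mode):04o}); chmod 600 it"
        )
    for host, token in tokens.items():
        note = f"{host}: token {mask(token)}"
        var = env_var_for_host(host)
        if var in environ:
            note += f" (overridden by {var} in the environment)"
        findings.append(note)
    return findings


def main() -> int:
    path = credentials_path()
    if not path.exists():
        print(f"{path}: not found (run `terraform login` first)")
        return 1
    mode = None if sys.platform == "win32" else path.stat().st_mode
    for line in audit(path.read_text(encoding="utf-8"), mode, os.environ):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

On Windows the POSIX check is skipped; there, the equivalent is to confirm that only your user has access to the file under %APPDATA%\terraform.d. Revoking the token in the HCP Terraform settings page is the only way to invalidate a copy that has already leaked.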


4. Create the files
4-1. Create the following files
workspaces.tf

terraform {
  cloud {
    # Organization created in step 1 (name redacted in the original)
    organization = "xxxxxx"

    workspaces {
      # Workspace created in step 2; runs and state live here
      name = "test-workspace"
    }
  }
}

provider.tf
aws-vault did not work properly, so I wrote the access keys directly in the file.

provider "aws" {
  region     = "ap-northeast-1" 
  access_key = "xxxxxxxxxxx"
  secret_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
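In the CLI-driven workflow, plan and apply execute on HCP Terraform's own workers (the transcript in step 5 shows "Running apply in Terraform Cloud" on linux_amd64), so credentials that exist only on the local machine, such as those aws-vault injects into a local shell, are not visible to the run. The usual fix is to keep provider.tf free of keys (region only) and store AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as sensitive, environment-category workspace variables, which HCP Terraform injects into the run environment and never displays again. The script below is an added example, not part of the original post or of HashiCorp's tooling: it creates those variables through the HCP Terraform v2 API. It assumes the endpoints and JSON:API body shape HashiCorp documents (GET /organizations/{org}/workspaces/{name}, POST /workspaces/{id}/vars), an API token in TF_TOKEN_app_terraform_io, the organization and workspace names in TF_CLOUD_ORGANIZATION and TF_WORKSPACE (the variables the Terraform CLI itself honours for the cloud block), and the AWS keys in the local environment. The file name push_aws_vars.py is made up, and the sample keys in the test are constructed (the access key is AWS's documented example key).

```python
"""Create sensitive AWS credential variables in an HCP Terraform workspace.

Added example, not part of the original post. Assumes the HCP Terraform v2
API as documented by HashiCorp (Bearer auth, JSON:API bodies), a token in
TF_TOKEN_app_terraform_io, and org/workspace names in TF_CLOUD_ORGANIZATION
and TF_WORKSPACE. Only main() touches the network; the payload builders
run offline.
"""
from __future__ import annotations

import json
import os
import sys
import urllib.request
from typing import Any, Mapping

API = "https://app.terraform.io/api/v2"
# Credentials the AWS provider reads from the run environment.
REQUIRED = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
OPTIONAL = ("AWS_SESSION_TOKEN",)


def build_var_payload(key: str, value: str, *, category: str = "env",
                      sensitive: bool = True, description: str = "") -> dict[str, Any]:
    """JSON:API body for creating one workspace variable."""
    if category not in ("env", "terraform"):
        raise ValueError(f"category must be 'env' or 'terraform', got {category!r}")
    return {
        "data": {
            "type": "vars",
            "attributes": {
                "key": key,
                "value": value,
                "description": description,
                "category": category,
                "hcl": False,
                "sensitive": sensitive,  # value is write-only once stored
            },
        }
    }


def credential_payloads(environ: Mapping[str, str]) -> list[dict[str, Any]]:
    """Build sensitive env-category variables from the local AWS credentials."""
    missing = [k for k in REQUIRED if k not in environ]
    if missing:
        raise KeyError(f"missing local credentials: {', '.join(missing)}")
    keys = list(REQUIRED) + [k for k in OPTIONAL if k in environ]
    return [build_var_payload(k, environ[k], description="set by push_aws_vars.py (hypothetical name)")
            for k in keys]


def all_sensitive(payloads: list[dict[str, Any]]) -> bool:
    """Guard: refuse to ship a credential that would be readable in the UI."""
    return all(p["data"]["attributes"]["sensitive"] for p in payloads)


def api_request(method: str, path: str, token: str, body: Any = None) -> dict[str, Any]:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/vnd.api+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def workspace_id(org: str, name: str, token: str) -> str:
    return api_request("GET", f"/organizations/{org}/workspaces/{name}", token)["data"]["id"]


def main() -> int:
    token = os.environ["TF_TOKEN_app_terraform_io"]
    org = os.environ["TF_CLOUD_ORGANIZATION"]
    name = os.environ.get("TF_WORKSPACE", "test-workspace")
    payloads = credential_payloads(os.environ)
    if not all_sensitive(payloads):
        print("refusing to create a non-sensitive credential variable")
        return 2
    ws = workspace_id(org, name, token)
    for payload in payloads:
        api_request("POST", f"/workspaces/{ws}/vars", token, payload)
        print(f"created sensitive env var {payload['data']['attributes']['key']} in {org}/{name}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

After this, provider.tf needs only the region (provider "aws" { region = "ap-northeast-1" }) and the provider picks the keys up from the run environment. Creating a variable whose key already exists is rejected by the API; update it instead with PATCH /workspaces/{id}/vars/{var_id} or from the workspace's Variables page. Better still is to avoid long-lived static keys entirely with HCP Terraform's dynamic provider credentials, which federate each run to an AWS IAM role over OIDC.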

main.tf

resource "aws_vpc" "vpc01" {
  cidr_block           = var.vpc_network["ser01"]
  enable_dns_hostnames = true

  tags = {
    Name = "${var.env["env"]}vpc01"
  }
}

variables.tf

variable "env" {
  type = map(any)
  default = {
    env = "test"
  }
}

variable "vpc_network" {
  type = map(any)

  default = {
    ser01 = "10.2.160.0/21"
  }
}


5. Run
5-1. Initialize. The .terraform.lock.hcl file that init creates records the selected provider version and its checksums; commit it so that later runs, including the remote ones on HCP Terraform, install exactly the same provider build.

> terraform init
> terraform init                                   

Initializing Terraform Cloud...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v5.81.0...
- Installed hashicorp/aws v5.81.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform Cloud has been successfully initialized!

You may now begin working with Terraform Cloud. Try running "terraform plan" to
see any changes that are required for your infrastructure.

If you ever set or change modules or Terraform Settings, run "terraform init"
again to reinitialize your working directory.

5-2. Run the HCP Terraform workflow (plan and apply execute remotely on HCP Terraform; the CLI only streams the output)

> terraform plan
> terraform apply
> terraform apply
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/xxxxx/test-workspace/runs/run-jtTJSiKXQEMedYdp

Waiting for the plan to start...

Terraform v1.10.1
on linux_amd64
Initializing plugins and modules...

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated 
with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_vpc.vpc01 will be created
  + resource "aws_vpc" "vpc01" {
      + arn                                  = (known after apply)
      + cidr_block                           = "10.2.160.0/21"
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = true
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags                                 = {
          + "Name" = "testvpc01"
        }
      + tags_all                             = {
          + "Name" = "testvpc01"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "test-workspace"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_vpc.vpc01: Creating...
aws_vpc.vpc01: Still creating... [10s elapsed]
aws_vpc.vpc01: Creation complete after 14s [id=vpc-06c516887c5bc2f87]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

5-3. Check in HCP Terraform
Check the run results from the workspace

5-4. Delete

> terraform destroy
> terraform destroy
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/xxxxx/test-workspace/runs/run-GowJwkDtuAPrrgez

Waiting for the plan to start...

Terraform v1.10.1
on linux_amd64
Initializing plugins and modules...
aws_vpc.vpc01: Refreshing state... [id=vpc-06c516887c5bc2f87]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated 
with the following symbols:
  - destroy

Terraform will perform the following actions:

  # aws_vpc.vpc01 will be destroyed
  - resource "aws_vpc" "vpc01" {
      - arn                                  = "arn:aws:ec2:ap-northeast-1:xxxxxxxxxxxx:vpc/vpc-06c516887c5bc2f87" -> null
      - assign_generated_ipv6_cidr_block     = false -> null
      - cidr_block                           = "10.2.160.0/21" -> null
      - default_network_acl_id               = "acl-0c445c193a8df6cc0" -> null
      - default_route_table_id               = "rtb-079fd13083879b415" -> null
      - default_security_group_id            = "sg-01dc5d25cee982c60" -> null
      - dhcp_options_id                      = "dopt-88aca5ec" -> null
      - enable_dns_hostnames                 = true -> null
      - enable_dns_support                   = true -> null
      - enable_network_address_usage_metrics = false -> null
      - id                                   = "vpc-06c516887c5bc2f87" -> null
      - instance_tenancy                     = "default" -> null
      - ipv6_netmask_length                  = 0 -> null
      - main_route_table_id                  = "rtb-079fd13083879b415" -> null
      - owner_id                             = "xxxxxxxxxxxx" -> null
      - tags                                 = {
          - "Name" = "testvpc01"
        } -> null
      - tags_all                             = {
          - "Name" = "testvpc01"
        } -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy all resources in workspace "test-workspace"?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

aws_vpc.vpc01: Destroying... [id=vpc-06c516887c5bc2f87]
aws_vpc.vpc01: Destruction complete after 2s

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.



Thoughts

It was surprisingly tedious. I still don't see the benefit of using this, so I'll look into it a bit more.