Terraform: migrate local projects to Terraform Cloud for execution

Posted by mr. big on Fri, 26 Nov 2021 07:08:31 +0100

In the last article, we used Terraform to create and manage AWS Lightsail resources in a local environment. To manage some cloud resources this way, we need to install the corresponding CLI tools locally and configure the credentials for accessing those resources (such as the AWS CLI, an AccessKeyID, etc.). Terraform manages the state of cloud resources by calling the local CLI tools or cloud APIs. By default it uses the local backend, and the resource state file (.tfstate) is also saved in a local directory.
In this article, we will use the remote backend to migrate the project to Terraform Cloud for execution, with the resource state managed by Terraform Cloud.

What is Terraform Cloud

Terraform Cloud is a SaaS application that runs Terraform in a consistent and reliable environment. It can replace running Terraform projects on the local machine, store shared state and confidential data, and connect to a version control system (such as Git), so that a team can work with infrastructure as code together.
Terraform Cloud is a commercial application. Teams and businesses are charged fees and get more advanced functions, but individual users can use the basic functions for free. For details of fees and functions, please refer to (https://www.hashicorp.com/pro...).

First, we need to register a Terraform Cloud account: visit https://app.terraform.io/sign... and follow the prompts to register a free account.

After registration, when you log in to Terraform Cloud for the first time, it asks how you want to start a project. Here we choose Start from scratch, that is, we start from an empty template.

Next, we need to create an Organization. For example, here I create an Organization called learn-terraform. An Organization is similar to a namespace: it can manage multiple workspaces, as well as the variables and environment variables shared by the workspaces under it.

Next, we need to log in to Terraform Cloud from the local environment and add the corresponding configuration to reinitialize the project.

Reinitialize the project

After registering the Terraform Cloud account, we run terraform login in the local terminal. It opens the browser so that we can log in to the account and get a token value, which we copy and paste into the terminal to complete the login.

> terraform login
Terraform must now open a web browser to the tokens page for app.terraform.io.

If a browser does not open this automatically, open the following URL to proceed:


Generate a token using your browser, and copy-paste it into this prompt.

Terraform will store the token in plain text in the following file
for use by subsequent commands:

Token for app.terraform.io:
  Enter a value:

Then we modify the project configuration file main.tf and add backend "remote":

terraform {
  # Run operations and store state in Terraform Cloud instead of locally
  backend "remote" {
    organization = "learn-terraform"
    workspaces {
      name = "mylightsail"
    }
  }
}

Execute terraform init. Terraform will download the remote plug-in, connect to the learn-terraform/mylightsail workspace in Terraform Cloud, and migrate the local state file to the cloud.

$ terraform init

Initializing the backend...
Do you want to copy existing state to the new backend?
  Pre-existing state was found while migrating the previous "local" backend to the
  newly configured "remote" backend. No existing state was found in the newly
  configured "remote" backend. Do you want to copy this state to the new "remote"
  backend? Enter "yes" to copy and "no" to start with an empty state.

  Enter a value: yes

Releasing state lock. This may take a few moments...

Successfully configured the backend "remote"! Terraform will automatically
use this backend unless the backend configuration changes.
...

Open the Terraform Cloud web UI in the browser and enter the corresponding workspace to view the state information.

After completion, you can delete the local .terraform/terraform.tfstate file. The local project now has Terraform Cloud as its remote backend and is associated with the command line (CLI), so you can update the resource configuration files locally and then run the plan and apply commands locally, which triggers the actual state maintenance on the remote cloud side. However, for Terraform Cloud to perform state maintenance, we also need to configure AWS access credentials in Terraform Cloud.

Configuring environment variables for workspaces

To use Terraform Cloud to maintain cloud resources (such as AWS), we need to configure the corresponding access credentials. Here, we configure AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables of the workspace.
Click the Variables tab in the workspace and click the + add variable button.

Select Environment Variables, then add two Environment Variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and set the corresponding values.

After completion, we can run terraform plan and terraform apply from the local console, and the operation is sent to Terraform Cloud for execution. Of course, we can still run terraform show in the local project to view the current state, which is now managed in the cloud.

> terraform plan
Running plan in the remote backend. Output will stream here. Pressing Ctrl-C
will stop streaming the logs, but will not stop the plan running remotely.

Preparing the remote plan...

To view this run in a browser, visit:

Waiting for the plan to start...

Terraform v1.0.11
on linux_amd64
Configuring remote state backend...
Initializing Terraform configuration...
aws_lightsail_static_ip.outline-sig-ip: Refreshing state... [id=Outline-EIP]
aws_lightsail_instance.outline-sig: Refreshing state... [id=Outline-Sig]
aws_lightsail_instance_public_ports.outline-sig-public-ports: Refreshing state... [id=Outline-Sig-987241840]
aws_lightsail_static_ip_attachment.outline-sig-ip-attache: Refreshing state... [id=Outline-EIP]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

You can see that the plan runs in the remote backend.

Managing the project with version control

Finally, we can commit the project's configuration files to a version control system (such as GitLab) and configure version control for the workspace.

In the settings of the Terraform Cloud workspace, follow the prompts to connect the associated code repository. Once this is done, every time we push updated code, Terraform Cloud is triggered automatically to apply the new state. However, this no longer allows terraform apply to be run from the local terminal.

> terraform apply

│ Error: Apply not allowed for workspaces with a VCS connection
│ A workspace that is connected to a VCS requires the VCS-driven workflow to ensure that the VCS remains the single source of truth.

State changes can now only be triggered by updating the code and pushing it to the remote code repository. This makes it easier to share infrastructure code with the team and maintain the infrastructure state together, and it moves the workflow toward GitOps.
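
Before the project is pushed to the repository, it is worth checking that nothing left over from local execution goes with it: state files and their backups, the CLI credentials file, or AWS keys written into the configuration instead of the workspace environment variables. The following Python check is an added example, not part of the original article; the `audit` and `build_sample` helpers, the file patterns and the sample project are constructed here for illustration.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Files Terraform writes locally that must not reach the repository.
LOCAL_ONLY = ("*.tfstate", "*.tfstate.*", "credentials.tfrc.json", ".terraformrc")
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary).
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Literal access_key/secret_key arguments of the aws provider (no interpolation).
LITERAL_SECRET = re.compile(r'^\s*(access_key|secret_key)\s*=\s*"[^"$]+"', re.M)

def audit(project_dir):
    """Return sorted (relative_path, reason) findings for a Terraform project."""
    root = Path(project_dir)
    findings = set()
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or ".git" in rel.parts:
            continue
        if any(fnmatch.fnmatch(path.name, pat) for pat in LOCAL_ONLY):
            findings.add((rel.as_posix(), "local state or credentials file"))
        if path.suffix in (".tf", ".tfvars"):
            text = path.read_text(errors="replace")
            if KEY_ID.search(text):
                findings.add((rel.as_posix(), "AWS access key ID in configuration"))
            if LITERAL_SECRET.search(text):
                findings.add((rel.as_posix(), "literal provider credential"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample project: a clean main.tf plus leftovers from local runs."""
    root = Path(root)
    (root / ".terraform").mkdir()
    (root / "main.tf").write_text('terraform {\n  backend "remote" {}\n}\n')
    (root / "terraform.tfstate.backup").write_text('{"version": 4}')
    (root / ".terraform" / "terraform.tfstate").write_text('{"version": 3}')
    # AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
    (root / "provider.tf").write_text(
        'provider "aws" {\n  access_key = "AKIAIOSFODNN7EXAMPLE"\n'
        '  secret_key = "constructed-not-a-real-secret"\n}\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in audit(tmp):
            print(f"{rel}: {reason}")
```

An empty result means none of these patterns were found; the same patterns can also be listed in the repository's ignore file so the leftovers never get staged.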


Building on the last article, which used Terraform to manage AWS Lightsail resources in a local environment, this article extended the attempt by migrating execution and state management to Terraform Cloud as the remote backend. Besides Terraform Cloud, there are other types of backend; see (https://www.terraform.io/docs...).
With this, we have explored using Terraform as an IaC tool to manage AWS Lightsail resources, as an introduction to learning Terraform. HashiCorp officially provides more learning resources and documentation; if you want to learn more about Terraform and put it into practice, please also refer to the official documents.
