Kiara Grouwstra 67ec8d23f6 poc: terranix 2024-01-13 16:31:46 +01:00
.envrc poc: terranix 2024-01-13 16:31:46 +01:00
.gitignore poc: terranix 2024-01-13 16:31:46 +01:00
.terraform.lock.hcl poc: terranix 2024-01-13 16:31:46 +01:00
.woodpecker.yml ci: steps (#3) 2023-08-13 10:22:44 +00:00
README.md poc: terranix 2024-01-13 16:31:46 +01:00
config.nix poc: terranix 2024-01-13 16:31:46 +01:00
flake.lock poc: terranix 2024-01-13 16:31:46 +01:00
flake.nix poc: terranix 2024-01-13 16:31:46 +01:00
treefmt.toml poc: terranix 2024-01-13 16:31:46 +01:00

README.md

terraform

Contains Terraform code used to manage our infrastructure, Nix'ified for Terranix.

Prerequisites

Pre-commit hook

We want all our Terraform code to be well formatted and to adhere to standards, enforced by terraform fmt. Thus there is a pre-commit hook available to validate this. Unfortunately this cannot be enforced remotely, so a one-time manual step is needed.

Run the following command right after cloning the repository:

./install_precommit_hook.sh

This will make sure you have the pre-commit hook installed so there is less of a chance you push something that doesn't match our standards.

Terraform

As we're using GitLab's Terraform image for our CI/CD pipeline, we'll stick to using the latest version of Terraform. Instructions on how to install Terraform can be found here: https://www.terraform.io/downloads

Usage

  • Run nix develop -c $SHELL to enter the development environment if not using direnv.
  • Run tofu login app.terraform.io to log in to the Terraform Cloud backend.
  • Run nix run to apply changes.
  • Run nix flake update to update dependencies.

Authentication

Create a file terraform.tfvars containing:

... substituting in our actual key.

Managed state

HCL to Nix

Code-styling

We try to adhere to the naming conventions and code-styling best practices defined at Terraform best practices.

Secrets

Two steps:

  1. Create a variable in variables.tf with sensitive = true, to prevent it from appearing in the build output.
  2. Add the desired variable to the Environment Variables.

We may want to look at something like git-crypt or a central password store.
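
As an added example (not part of this repository), a small Python check for step 1 of the Secrets procedure: it scans HCL variable blocks and reports secret-looking variables that lack sensitive = true. The name heuristic, the brace-counting parser and the sample variables are assumptions of this example.

```python
import re

# Heuristic for names that probably hold credentials (an assumption of this example).
SECRET_NAME = re.compile(r"(token|secret|password|passwd|api_?key|private_?key)", re.I)
VARIABLE_HEAD = re.compile(r'^\s*variable\s+"([^"]+)"\s*\{', re.M)
SENSITIVE_TRUE = re.compile(r"^\s*sensitive\s*=\s*true\s*(?:#.*|//.*)?$", re.M)

# Constructed sample input; the variable names are hypothetical.
SAMPLE = '''
variable "example_token" {
  type      = string
  sensitive = true
}
variable "example_api_key" {
  type        = string
  description = "constructed example"
}
variable "region" {
  type    = string
  default = "eu"
}
variable "db_password" {
  type      = string
  sensitive = false
}
'''

def variable_blocks(hcl):
    """Yield (name, body) for every `variable "name" { ... }` block."""
    for head in VARIABLE_HEAD.finditer(hcl):
        depth, pos = 1, head.end()
        # Count braces to find the end of the block, so nested blocks
        # such as `validation { ... }` stay inside the body.
        # Assumes no unbalanced braces inside strings or comments.
        while pos < len(hcl) and depth:
            if hcl[pos] == "{":
                depth += 1
            elif hcl[pos] == "}":
                depth -= 1
            pos += 1
        yield head.group(1), hcl[head.end():pos - 1]

def unmarked_secrets(hcl):
    """Return names of secret-looking variables that lack `sensitive = true`."""
    return [name for name, body in variable_blocks(hcl)
            if SECRET_NAME.search(name) and not SENSITIVE_TRUE.search(body)]

if __name__ == "__main__":
    for name in unmarked_secrets(SAMPLE):
        print(f'variable "{name}" looks like a secret but is not marked sensitive')
```

Marking a variable sensitive only redacts its value from plan and apply output; the value is still written to the state, so access to the state backend needs to be restricted as well.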