將協作帶到HashiCorp Terraform CLI：介紹遠端操作

AUG 16 2018 THE TERRAFORM ENTERPRISE TEAM

HashiCorp Terraform has revolutionized the way that infrastructure is managed by providing a common workflow across providers: write, plan, and apply. Today we're introducing the ability to execute plans remotely in Terraform Enterprise using the Terraform command-line interface (CLI).

As teams collaborate on Terraform code, a few challenges quickly emerge: state storage and synchronization, provider access credential distribution, a history of Terraform plan/applies, and more. Terraform Enterprise has existed for over a year to address these challenges, but it required CLI users to learn a separate web-based workflow.

In Terraform 0.11.8, we're introducing remote operations, beginning with remote plan. Remote operations execute the Terraform code remotely in Terraform Enterprise while CLI behaves exactly as if everything were still local. This solves all the above challenges of working with Terraform without changing the core workflow.

The Remote Backend

Terraform 0.11.8 has a new remote backend that connects local configuration with Terraform Enterprise and enables remote operations.

When using the remote backend, all access credentials, variable values, and state are stored within Terraform Enterprise. No secret material needs to be requested or exist on the user's machine except for a Terraform Enterprise API key, since the secret-accessing parts of Terraform are executed remotely. This simplifies developing infrastructure with Terraform for any configuration to a single API token.

Once you have your API token configured in Terraform's CLI Configuration file, the first step to using remote operations is to configure the backend:

terraform {
  backend "remote" {
    organization = "my-org"
    workspaces {
      prefix = "my-app-"
    }
  }
}

Once you run terraform init, Terraform will recognize this backend, automatically create Terraform Enterprise Workspaces, and copy the state files from your local Workspaces into Terraform Enterprise.

Animated demo showing Workspaces being migrated to Terraform Enterprise

After this step, all state manipulation commands will operate against the remotely stored state automatically. Commands like terraform taint and terraform state mv work just like they do when working locally.

Remote Plan

With the backend configured, the terraform plan command will automatically trigger a remote plan.

Animated demo showing remote Terraform Plan

The plan outputs almost identically as if it were run locally, but the entire operation was executed directly in Terraform Enterprise. The plan can also be viewed directly within Terraform Enterprise for users more comfortable with a UI or for sharing with teammates.

Benefits of Remote Operations

Preserving the core workflow: Whether you're using Terraform as an individual or with a team using Terraform Enterprise, the workflow is always the same and can be executed via the CLI: write, plan, apply. Remote plan is a major step towards enabling the core workflow from the CLI that is uniform across all of Terraform.

Securing secrets: With remote plan, access credentials and other secret values only need to exist on the machine executing Terraform. This eliminates the complexity of distributing and securing cloud access credentials to every Terraform user. Instead, each Terraform user only needs a Terraform Enterprise account and API key.

Non-public infrastructure access: Many companies use Terraform to automate providers that aren't publicly accessible, such as VMware vSphere installations. In this scenario, only Terraform Enterprise may have access to the vSphere API. Using remote plans, developer machines can still develop Terraform configurations without access directly to the underlying infrastructure control plane.

History, policy, approvals, and more: Terraform Enterprise provides a number of additional features that are automatically used with remote plans. Terraform Enterprise stores a history of executed plans, requires approval prior to apply, can execute policies to prevent non-compliant infrastructure change, and much more. This happens automatically by running terraform plan.

Apply

The apply step of the workflow currently still happens in the browser, having been triggered via the UI or the API. An upcoming version of Terraform will support remote terraform apply from the CLI as well.

Screenshot of Apply in Terraform Enterprise

Future

Remote plans are available for Terraform Enterprise users in Terraform 0.11.8. Remote applies will be supported in an upcoming Terraform release.

We have designed Terraform Enterprise to provide the best experience for teams collaborating on infrastructure, and we are continuously honing and improving that experience every day. We plan for the full core Terraform workflow to be the same across both open source and enterprise products. We're also introducing access to more enterprise functionality directly from the CLI in future releases.

Terraform 0.11.8 is available for download today. To learn more about remote backends, please read the documentation. To learn more about Terraform Enterprise, please see our page on Terraform Enterprise and request a demo today.