Manage variable sets in HCP Terraform
- 16min
- |
- HCP Terraform
- Terraform
HCP Terraform variable sets let you reuse variables in an efficient andcentralized way, so you can set variable values once and use them in multipleworkspaces. When you update the values, the changes automatically affect allassociated workspaces, making it easier to update credentials and infrastructuresettings. HCP Terraform also lets you override variables defined in variablesets on a per-workspace basis, which lets you modify the workspace'sconfiguration without affecting other workspaces that use the variable set.
In this tutorial, you will manage multiple HCP Terraform variable sets. Youwill define variable sets for your AWS credentials and DynamoDB configuration.You will also review variable precedence between duplicated variables acrossvariable sets, and between variables in variable sets and workspace-specificvariables.
Prerequisites
This tutorial assumes that you are familiar with HCP Terraform and thestandard Terraform workflow. If you are new to Terraform, complete theGetStarted tutorials first. If you are newto HCP Terraform, complete theHCP Terraform Get Startedtutorials first.
For this tutorial, you will need:
- anHCP Terraform account and organization
- Terraform v0.15+ installed locally andconfigured with your HCP Terraform token
- anAWS account
Clone example configuration
First, clone theexample repository. This repository contains exampleconfiguration to create AWS DynamoDB tables in two environments.
$ git clone https://github.com/hashicorp-education/learn-terraform-variable-setsNow, change into the repository directory.
$ cd learn-terraform-variable-setsThis repository contains two subdirectories:
$ tree.├── README.md├── dev│ ├── main.tf│ ├── variables.tf│ └── versions.tf└── staging ├── main.tf ├── variables.tf └── versions.tfThedev andstaging directories each contain Terraform configuration thatdefines a DynamoDB table and configures it using input variables. Theconfiguration uses therandom_pet resource to ensure a unique name for thetable, and configures the DynamoDB table using thedb_read_capacity anddb_write_capacity input variables.
Initialize configuration
Navigate to thedev directory.
$ cd devOpenversions.tf in your code editor, and replace<ORGANIZATION_NAME> inthecloud block with your own HCP Terraform organization name.
dev/versions.tf
terraform { cloud { organization= "<ORGANIZATION_NAME>" workspaces { name= "learn-terraform-variable-sets-dev" } }###Notice that this configuration uses thelearn-terraform-variable-sets-dev workspace.
Initialize the configuration, which will also create the workspace in HCPTerraform.
$ terraform initInitializing HCP Terraform...Initializing provider plugins...Reusing previous version of hashicorp/random from the dependency lock file- Reusing previous version of hashicorp/aws from the dependency lock file- Installing hashicorp/random v3.1.0...- Installed hashicorp/random v3.1.0 (signed by HashiCorp)- Installing hashicorp/aws v3.63.0...- Installed hashicorp/aws v3.63.0 (signed by HashiCorp)HCP Terraform has been successfully initialized!You may now begin working with HCP Terraform. Try running "terraform plan" tosee any changes that are required for your infrastructure.If you ever set or change modules or Terraform Settings, run "terraform init"again to reinitialize your working directory.Now, navigate to thestaging directory.
$ cd ../stagingOpenversions.tf in your code editor, and replace<ORGANIZATION_NAME> inthecloud block with your own HCP Terraform organization name.
staging/versions.tf
terraform { cloud { organization= "<ORGANIZATION_NAME>" workspaces { name= "learn-terraform-variable-sets-staging" } }###This configuration uses a different workspace,learn-terraform-variable-sets-staging.
Initialize the configuration, which will also create the workspace inHCP Terraform.
$ terraform initInitializing HCP Terraform...Initializing provider plugins...Reusing previous version of hashicorp/random from the dependency lock file- Reusing previous version of hashicorp/aws from the dependency lock file- Installing hashicorp/random v3.1.0...- Installed hashicorp/random v3.1.0 (signed by HashiCorp)- Installing hashicorp/aws v3.63.0...- Installed hashicorp/aws v3.63.0 (signed by HashiCorp)HCP Terraform has been successfully initialized!You may now begin working with HCP Terraform. Try running "terraform plan" tosee any changes that are required for your infrastructure.If you ever set or change modules or Terraform Settings, run "terraform init"again to reinitialize your working directory.You now have two HCP Terraform workspaces configured for the CLI-driven workflow with remote execution.
Create variable sets
HCP Terraform variable sets are groups of reusable variables created at the organization level. A variable set can have one of three scopes:
- Global: It will apply to all current and future workspaces within an organization.
- Project-specific: It will apply to all current and future workspaces within the selected projects.
- Workspace-specific: It will apply only to the selected workspaces.
Using broader variable set scope enables self-service workflows. For instance, you can create a variable set and apply it to a team-specific project, then grant the team permission to create workspaces within the project. Future workspaces will automatically inherit the variable set without requiring additional work or approval. However, we recommend scoping variable sets that contain credentials as narrowly as possible, to avoid granting access to teams or workspaces that do not need them.
Create a credentials variable set
First, navigate to your organization's settings by clickingSettings in the left navigation. Then, selectVariable Sets.
Note
If you already have a variable set for your AWS provider credentials,skip to the next section.
ClickCreate variable set.
Name this first variable setAWS credentials.
Warning
When possible, apply credential variable sets to specific projects orworkspaces. Avoid global access and follow the principle of least privilege.
Scroll down to theVariable set scope section and selectApply to specificprojects and workspaces. Select thelearn-terraform-variable-sets-devandlearn-terraform-variable-sets-staging workspaces.
Click+Add Variable. Define an environment variable namedAWS_ACCESS_KEY_ID and set it to your AWS Access Key ID. Mark it as sensitive and clickSave variable.
Then, click+Add Variable again. Define another environment variable namedAWS_SECRET_ACCESS_KEY and set it to your AWS Secret access key. Mark itas sensitive and clickSave variable.
Tip
If you have temporary AWS credentials, you must also add yourAWS_SESSION_TOKEN as an environment variable.
Finally, clickCreate variable set.
Create configuration settings variable set
You can also use variable sets to define reusable input variables. In thisscenario, you will provision DynamoDB tables for two environments,dev andstaging. Use avariable set to define the read and write capacities for both.
Create another variable set namedDefault DynamoDB settings. Once again,apply it to both thelearn-terraform-variable-sets-dev andlearn-terraform-variable-sets-staging workspaces.
Define two Terraform variables in the variable set:
- ATerraform variable named
db_write_capacitywith a value of1. - ATerraform variable named
db_read_capacitywith a value of1.
Save the variable set.
Rather than individually defining the database read and write capacity in bothworkspaces, you were able to just define them once as a variable set and applythem to the workspaces that need them.
Review workspace variables
You can review and manage which variable sets apply to the workspace from the workspace itself.
Navigate to yourlearn-terraform-variable-sets-dev workspace, then select theVariables tab.
UnderVariable sets, the workspace lists both yourAWS credentialsandDefault DynamoDB settings variable sets and the variables that theycontain.
Apply configuration
In your terminal, navigate to yourlearn-terraform-variable-sets/devdirectory.
You already initialized your configuration earlier, so now apply it. Respondyes when prompted to confirm the operation.
$ terraform applyRunning apply in HCP Terraform. Output will stream here. Pressing Ctrl-Cwill cancel the remote apply if it's still pending. If the apply started itwill stop streaming the logs, but will not stop the apply running remotely.Preparing the remote apply...To view this run in a browser, visit:https://app.terraform.io/app/hashicorp-training/learn-terraform-variable-sets-dev/runs/run-fRjkg53BhhhwbEUNWaiting for the plan to start...Terraform v1.0.7on linux_amd64Configuring remote state backend...Initializing Terraform configuration...Terraform used the selected providers to generate the following executionplan. Resource actions are indicated with the following symbols: + createTerraform will perform the following actions:##...Plan: 2 to add, 0 to change, 0 to destroy.Do you want to perform these actions in workspace "learn-terraform-variable-sets-dev"? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yesrandom_pet.table_name: Creating...random_pet.table_name: Creation complete after 0s [id=still-pony]aws_dynamodb_table.table: Creating...aws_dynamodb_table.table: Creation complete after 4s [id=dev-still-pony]Apply complete! Resources: 2 added, 0 changed, 0 destroyed.Go to thelearn-terraform-variable-sets-dev workspace to find theresources it manages.
Now, navigate to yourstaging directory.
$ cd ../stagingApply your configuration. Respondyes when prompted to confirm the operation.
$ terraform applyRunning apply in HCP Terraform. Output will stream here. Pressing Ctrl-Cwill cancel the remote apply if it's still pending. If the apply started itwill stop streaming the logs, but will not stop the apply running remotely.Preparing the remote apply...To view this run in a browser, visit:https://app.terraform.io/app/hashicorp-training/learn-terraform-variable-sets-staging/runs/run-WMTfEG5hFmwaNArqWaiting for the plan to start...Terraform v1.0.7on linux_amd64Configuring remote state backend...Initializing Terraform configuration...Terraform used the selected providers to generate the following executionplan. Resource actions are indicated with the following symbols: + createTerraform will perform the following actions:##...Plan: 2 to add, 0 to change, 0 to destroy.Do you want to perform these actions in workspace "learn-terraform-variable-sets-staging"? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yesrandom_pet.table_name: Creating...random_pet.table_name: Creation complete after 0s [id=guiding-kite]aws_dynamodb_table.table: Creating...aws_dynamodb_table.table: Creation complete after 7s [id=staging-guiding-kite]Apply complete! Resources: 2 added, 0 changed, 0 destroyed.Explore variable set precedence
If any of the variable sets associated with the workspace contain a variable ofthe same type (input or environment variables) with the same name, HCPTerraform will use lexical order to determine variable precedence.
In this scenario, you applied a default set of DynamoDB settings to bothtables. While you generally want to use consistent settings across bothresources, you may want to perform load testing on one of your tables.
Navigate back to the variable sets page in your organization settings, createa new variable set namedAdd Capacity - DynamoDB load testing, and apply it to thelearn-terraform-variable-sets-staging workspace.
Create two Terraform variables for this variable set:
- Set
db_write_capacityto10 - Set
db_read_capacityto10
Save your new variable set.
Now, navigate back to yourlearn-terraform-variable-sets-staging workspace and navigate to theVariables page. It lists 3 variable sets applying to your workspace.
Scroll down to find theDefault DynamoDB settings variable set, which shows its values as overwritten.
Both your default and load testing variable sets define variables nameddb_write_capacity anddb_read_capacity. Since the load testing variableset name begins with the letter "A", that variable set took precedence overyour default settings. If you want HCP Terraform to use the default DynamoDBvariable set instead, you can:
- change the names of the variable sets so that the default set has lexical precedence over the load testing set, or
- remove the load testing variable set from the workspace.
In your terminal, runterraform apply in yourstaging directory to updateyour table's configuration. Respondyes when prompted to confirm theoperation.
$ terraform applyRunning apply in HCP Terraform. Output will stream here. Pressing Ctrl-Cwill cancel the remote apply if it's still pending. If the apply started itwill stop streaming the logs, but will not stop the apply running remotely.Preparing the remote apply...To view this run in a browser, visit:https://app.terraform.io/app/hashicorp-training/learn-terraform-variable-sets-staging/runs/run-1j7aMQm8v4HdMWMRWaiting for the plan to start...Terraform v1.0.7on linux_amd64Configuring remote state backend...Initializing Terraform configuration...random_pet.table_name: Refreshing state... [id=guiding-kite]aws_dynamodb_table.table: Refreshing state... [id=staging-guiding-kite]Terraform used the selected providers to generate the following executionplan. Resource actions are indicated with the following symbols: ~ update in-placeTerraform will perform the following actions: # aws_dynamodb_table.table will be updated in-place ~ resource "aws_dynamodb_table" "table" { id = "staging-guiding-kite" name = "staging-guiding-kite" ~ read_capacity = 1 -> 10 tags = {} ~ write_capacity = 1 -> 10 # (5 unchanged attributes hidden) # (3 unchanged blocks hidden) }Plan: 0 to add, 1 to change, 0 to destroy.Do you want to perform these actions in workspace "learn-terraform-variable-sets-staging"? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yesaws_dynamodb_table.table: Modifying... [id=staging-guiding-kite]aws_dynamodb_table.table: Modifications complete after 2s [id=staging-guiding-kite]Apply complete! Resources: 0 added, 1 changed, 0 destroyed.As expected, Terraform used the more recently applied load testing variable setto your configuration and increased the read and write capacities of yourtable.
Overwrite a variable in a variable set
You can also overwrite a variable defined ina variable set by creating a workspace-specific variable with the same key.HCP Terraform will always use workspace-specific variables over any variables definedin variable sets applied to the workspace.
In a load testing scenario, you may want to scale up your write capacity totest how your application's performance responds. In yourlearn-terraform-variable-sets-staging workspace, create aworkspace-specific input variable nameddb_write_capacity and set the valueto15.
HCP Terraform now shows thedb_write_capacity variable in the load testingvariable set as overwritten.
In your terminal, run aterraform apply to further scale your DynamoDBtable's write capacity. Respond yes to the prompt to confirm the operation.
$ terraform applyRunning apply in HCP Terraform. Output will stream here. Pressing Ctrl-Cwill cancel the remote apply if it's still pending. If the apply started itwill stop streaming the logs, but will not stop the apply running remotely.Preparing the remote apply...To view this run in a browser, visit:https://app.terraform.io/app/hashicorp-training/learn-terraform-variable-sets-staging/runs/run-H5aAbCPCZ3xKiw9jWaiting for the plan to start...Terraform v1.0.7on linux_amd64Configuring remote state backend...Initializing Terraform configuration...random_pet.table_name: Refreshing state... [id=guiding-kite]aws_dynamodb_table.table: Refreshing state... [id=staging-guiding-kite]Terraform used the selected providers to generate the following executionplan. Resource actions are indicated with the following symbols: ~ update in-placeTerraform will perform the following actions: # aws_dynamodb_table.table will be updated in-place ~ resource "aws_dynamodb_table" "table" { id = "staging-guiding-kite" name = "staging-guiding-kite" tags = {} ~ write_capacity = 10 -> 15 # (6 unchanged attributes hidden) # (3 unchanged blocks hidden) }Plan: 0 to add, 1 to change, 0 to destroy.Do you want to perform these actions in workspace "learn-terraform-variable-sets-staging"? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yesaws_dynamodb_table.table: Modifying... [id=staging-guiding-kite]aws_dynamodb_table.table: Modifications complete after 3s [id=staging-guiding-kite]Apply complete! Resources: 0 added, 1 changed, 0 destroyed.Since you set a workspace-specific variable for the write capacity, HCPTerraform prioritized that value and scaled your table's write capacity to 15,overwriting the variable set values.
For more information on how HCP Terraform inherits variable sets and overrides values, seeWorkspace variable precedence.
Clean up resources
In yourstaging directory, destroy the table you created. Respondyes when prompted to confirm the operation.
$ terraform destroyRunning apply in HCP Terraform. Output will stream here. Pressing Ctrl-Cwill cancel the remote apply if it's still pending. If the apply started itwill stop streaming the logs, but will not stop the apply running remotely.Preparing the remote apply...To view this run in a browser, visit:https://app.terraform.io/app/hashicorp-training/learn-terraform-variable-sets-staging/runs/run-W8NaRXye3gmGs1cyWaiting for the plan to start...Terraform v1.0.7on linux_amd64Configuring remote state backend...Initializing Terraform configuration...random_pet.table_name: Refreshing state... [id=guiding-kite]aws_dynamodb_table.table: Refreshing state... [id=staging-guiding-kite]Terraform used the selected providers to generate the following executionplan. Resource actions are indicated with the following symbols: - destroyTerraform will perform the following actions:##...Plan: 0 to add, 0 to change, 2 to destroy.Do you really want to destroy all resources in workspace "learn-terraform-variable-sets-staging"? Terraform will destroy all your managed infrastructure, as shown above. There is no undo. Only 'yes' will be accepted to confirm. Enter a value: yesaws_dynamodb_table.table: Destroying... [id=staging-guiding-kite]aws_dynamodb_table.table: Destruction complete after 3srandom_pet.table_name: Destroying... [id=guiding-kite]random_pet.table_name: Destruction complete after 0sApply complete! Resources: 0 added, 0 changed, 2 destroyed.Then, change to yourdev directory.
$ cd ../devDestroy the infrastructure managed in this directory as well.
$ terraform destroyRunning apply in HCP Terraform. Output will stream here. Pressing Ctrl-Cwill cancel the remote apply if it's still pending. If the apply started itwill stop streaming the logs, but will not stop the apply running remotely.Preparing the remote apply...To view this run in a browser, visit:https://app.terraform.io/app/hashicorp-training/learn-terraform-variable-sets-dev/runs/run-v3Nszw3Eybo432AHWaiting for the plan to start...Terraform v1.0.7on linux_amd64Configuring remote state backend...Initializing Terraform configuration...random_pet.table_name: Refreshing state... [id=still-pony]aws_dynamodb_table.table: Refreshing state... [id=dev-still-pony]Terraform used the selected providers to generate the following executionplan. Resource actions are indicated with the following symbols: - destroyTerraform will perform the following actions:##...Plan: 0 to add, 0 to change, 2 to destroy.Do you really want to destroy all resources in workspace "learn-terraform-variable-sets-dev"? Terraform will destroy all your managed infrastructure, as shown above. There is no undo. Only 'yes' will be accepted to confirm. Enter a value: yesaws_dynamodb_table.table: Destroying... [id=dev-still-pony]aws_dynamodb_table.table: Destruction complete after 3srandom_pet.table_name: Destroying... [id=still-pony]random_pet.table_name: Destruction complete after 0sApply complete! Resources: 0 added, 0 changed, 2 destroyed.Clean up HCP Terraform resources
Then, navigate to yourlearn-terraform-variable-sets-dev workspace inHCP Terraform and delete the workspace.
Now, navigate to yourlearn-terraform-variable-sets-staging workspaceand delete the workspace.
Finally, navigate to your variable sets list under the organization settings.Delete yourDefault DynamoDB settings variable set by clicking on it,scrolling to the bottom, and clickingDelete variable set.
Delete your load testing variable set, and optionally your AWS credentialsvariable set as well.
Next steps
In this tutorial, you learned how to create and use variable sets to manageyour HCP Terraform workspace's input and environment variables. You alsolearned about variable precedence between variable sets and how to overwritevariables within a workspace.
Check out the following resources to learn more about HCP Terraform configuration options and features: