Provide Terraform backend environment variables in Operations-->Terraform UI
Release notes
The GitLab Managed Terraform state can be accessed from within GitLab CI without any special configuration. To access the same state from a local machine, Terraform should be initialized with several parameters. Finding the right parameters was a tedious and error-prone process, so we decided to make it simple. GitLab now provides a simple UI under the Terraform state list page that shows the command to initialize access to a Terraform state from the command line. This view can be accessed from under the Infrastructure / Terraform menu.
Make using GitLab Terraform State easily accessible to users who run locally.
Problem to solve
Currently the recommended terraform backend configuration does not have the API endpoints hard coded in the .tf file. To terraform init locally you need to pass along a bunch of derived API endpoints based on the project.
Example from documentation:
export GITLAB_ACCESS_TOKEN=<YOUR-ACCESS-TOKEN>
terraform init \
-backend-config="address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>" \
-backend-config="lock_address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>/lock" \
-backend-config="unlock_address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>/lock" \
-backend-config="username=<YOUR-USERNAME>" \
-backend-config="password=$GITLAB_ACCESS_TOKEN" \
-backend-config="lock_method=POST" \
-backend-config="unlock_method=DELETE" \
-backend-config="retry_wait_min=5"
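An added example, not part of the original issue or of GitLab's tooling: the same settings derived from a project ID and state name and supplied through the http backend's TF_HTTP_* environment variables instead of -backend-config, which keeps the token out of the process arguments and out of the backend settings Terraform caches under .terraform/. The function names, the numeric-only project ID and the state-name allowlist are assumptions made here.

```shell
# Added example: derive the GitLab-managed state endpoints and export them as
# TF_HTTP_* variables, which Terraform's http backend reads at `terraform init`.

# gitlab_tf_backend_env <project-id> <state-name> [gitlab-url]
gitlab_tf_backend_env() {
  project_id="$1"; state_name="$2"; base_url="${3:-https://gitlab.com}"

  # Assumed allowlists: reject anything that could change the URL path.
  case "$project_id" in
    ''|*[!0-9]*) echo "project id must be numeric" >&2; return 1 ;;
  esac
  case "$state_name" in
    ''|.|..|*[!A-Za-z0-9._-]*) echo "invalid state name" >&2; return 1 ;;
  esac
  # The token is sent as HTTP basic auth, so refuse plaintext transport.
  case "$base_url" in
    https://*) ;;
    *) echo "refusing non-HTTPS GitLab URL" >&2; return 1 ;;
  esac

  address="${base_url%/}/api/v4/projects/${project_id}/terraform/state/${state_name}"
  export TF_HTTP_ADDRESS="$address"
  export TF_HTTP_LOCK_ADDRESS="$address/lock"
  export TF_HTTP_UNLOCK_ADDRESS="$address/lock"
  export TF_HTTP_LOCK_METHOD="POST"
  export TF_HTTP_UNLOCK_METHOD="DELETE"
  export TF_HTTP_RETRY_WAIT_MIN="5"
}

# gitlab_tf_credentials <username>
# Prompts for the token with echo off, so it never lands in shell history.
gitlab_tf_credentials() {
  export TF_HTTP_USERNAME="$1"
  printf 'GitLab personal access token: ' >&2
  stty -echo
  IFS= read -r TF_HTTP_PASSWORD
  stty echo
  echo >&2
  export TF_HTTP_PASSWORD
}

# Usage (constructed values):
#   gitlab_tf_backend_env 12345 production && gitlab_tf_credentials alice && terraform init
```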
Intended users
User experience goal
- Go to a project Operations --> Terraform -->
- Under the state file, user clicks "..."
- A dialog appears showing some explanatory text and a command to run terraform init.
- The command can be copied to clipboard with a click of a button
Explanatory text:
If you plan to only run terraform plan and terraform apply commands from your local machine, the first step is to run terraform init to set up the connection to the GitLab Managed Terraform state backend. The setup requires a personal access token. You can create a token under your settings.
Proposal
Use the standard modal component from pajamas
Proposal for the copy in the modal
Run the following command at the command line to get access to this terraform state from your local computer. The first line requires a Personal Access Token with api rights. You can [create a personal access token under your settings (link to: https://gitlab.com/-/profile/personal_access_tokens)].
export GITLAB_ACCESS_TOKEN=<YOUR-ACCESS-TOKEN>
terraform init \
-backend-config="address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>" \
-backend-config="lock_address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>/lock" \
-backend-config="unlock_address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>/lock" \
-backend-config="username=<YOUR-USERNAME>" \
-backend-config="password=$GITLAB_ACCESS_TOKEN" \
-backend-config="lock_method=POST" \
-backend-config="unlock_method=DELETE" \
-backend-config="retry_wait_min=5"
Further details
Could add something else like
export GITLAB_TOKEN=blablabla
-backend-config="password=$GITLAB_TOKEN" \
Permissions and Security
Existing permissions model. No changes.
Bonus points for warning users if their project permissions limit their access to the state file.
Documentation
Availability & Testing
Available Tier
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
/cc @nagyv-gitlab