5
votes

I have a set of Terraform files, and in particular one variables.tf file, which sort of holds my variables like the AWS access key, AWS access token, etc. I now want to automate the resource creation on AWS using GitLab CI/CD.

My plan is the following:

  1. Write a .gitlab-ci.yml file

  2. Have the terraform calls in the .gitlab-ci.yml file

I know that I can have secret environment variables in GitLab, but I'm not sure how I can push those variables into my Terraform variables.tf file which looks like this now!

# AWS Config

variable "aws_access_key" {
  default = "YOUR_ADMIN_ACCESS_KEY"
}

variable "aws_secret_key" {
  default = "YOUR_ADMIN_SECRET_KEY"
}

variable "aws_region" {
  default = "us-west-2"
}

In my .gitlab-ci.yml, I have access to the secrets like this:

- 'AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}' 
- 'AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}' 
- 'AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}'

How can I pipe it to my Terraform scripts? Any ideas? I would need to read the secrets from GitLab's environment and pass it on to the Terraform scripts!

1
You can just use the SDK's natural way of loading credentials via environment variables using AWS_ACCESS_KEY_ID etc. - ydaetskcoR
That post does not answer my question. It requires using another image that has some tool like gettext available on the Docker image, and I do not want that! - joesan

1 Answer

5
votes

Which executor are you using for your GitLab runners?

You don't necessarily need to use the Docker executor but can use a runner installed on a bare-metal machine or in a VM.

If you install the gettext package on the respective machine/VM as well you can use the same method as I described in Referencing gitlab secrets in Terraform for the Docker executor.

Another possibility could be that you set

job:
    stage: ...
    variables: 
        TF_VAR_SECRET1: ${GITLAB_SECRET}

or

job:
    stage: ...
    script:
        - export TF_VAR_SECRET1=${GITLAB_SECRET}

in your CI job configuration and interpolate these. Please see Getting an Environment Variable in Terraform configuration? as well.
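The `TF_VAR_` approach from the answer above, written out as a script step for the three variables in the question's variables.tf. This is an added example, not part of the original answer; the names `export_tf_vars` and `TF_VAR_MAP` are hypothetical. It fails the job when a CI/CD variable is missing rather than passing an empty credential to Terraform, and it keeps the values out of `set -x` job logs.

```shell
#!/bin/sh
# Added example (not from the original post): map GitLab CI/CD variables
# onto Terraform input variables through TF_VAR_<name>.
# Hypothetical use in a job's script section:
#   - . ./export_tf_vars.sh && export_tf_vars && terraform plan

# "<CI/CD variable>:<Terraform variable>" pairs; both sides are the names
# used in the question (.gitlab-ci.yml and variables.tf).
TF_VAR_MAP="AWS_ACCESS_KEY_ID:aws_access_key
AWS_SECRET_ACCESS_KEY:aws_secret_key
AWS_DEFAULT_REGION:aws_region"

# Export TF_VAR_<name> for every pair without ever printing a value.
# Returns 1 and lists the variable names (not values) that are unset or empty.
export_tf_vars() {
    # Pause xtrace so `set -x` in a job does not echo secrets to the log.
    case $- in *x*) _trace=1; set +x ;; *) _trace=0 ;; esac
    _missing=""
    for _pair in $TF_VAR_MAP; do
        _src=${_pair%%:*}
        _dst=${_pair#*:}
        # _src comes only from the fixed map above, so eval is safe here.
        eval "_val=\${$_src:-}"
        if [ -z "$_val" ]; then
            _missing="$_missing $_src"
            continue
        fi
        export "TF_VAR_$_dst=$_val"
    done
    unset _val
    if [ "$_trace" -eq 1 ]; then set -x; fi
    if [ -n "$_missing" ]; then
        echo "export_tf_vars: unset CI/CD variables:$_missing" >&2
        return 1
    fi
    return 0
}
```

With the values arriving this way, the `default = "YOUR_ADMIN_..."` entries in variables.tf can be dropped, so a missing variable cannot silently fall back to a placeholder.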