My Terraform monorepo. Stores re-useable templates, examples, docs, etc.
> [!WARNING]
> These are my personal Terraform templates, and they are specific to my setup. Review everything before running it, and consider copying snippets rather than whole templates into your own infrastructure.
The modules in the `modules/` path are the building blocks for environments. Environments compose modules into executable "plans", and can accept `.tfvars` variable files from the `vars/` path and secret values from the `.secrets/` path.
> [!CAUTION]
> Storing secrets for your modules in a file is not recommended, even if the file is listed in `.gitignore`: an ignore rule only keeps the file out of commits, and a plain-text secret file is bad security practice. Use environment variables instead.
One way to supply a secret is through your environment, for example by setting a `TF_VAR_db_password` environment variable. Terraform automatically picks up environment variables prefixed with `TF_VAR_` and maps each one to the input variable of the same name.

Example:

```shell
## Export a database password env var
export TF_VAR_db_password="supersecret"
```

In your Terraform template, reference the environment variable as `var.db_password` (without the `TF_VAR_` prefix):

```hcl
variable "db_password" {
  description = "The database password"
  type        = string
  sensitive   = true
}

resource "some_resource" "example" {
  password = var.db_password
}
```

> [!NOTE]
> I will probably eventually try out OpenTofu, and will either start a new repository or find a way to make Terraform & OpenTofu coexist in this repository.
Terraform with winget:

```powershell
winget install Hashicorp.Terraform
```

Terraform with scoop:

```powershell
scoop install terraform
```

OpenTofu with winget:

```powershell
winget install OpenTofu.Tofu
```

OpenTofu with scoop:

```powershell
scoop install opentofu
```

Check the Terraform Linux installation docs for up-to-date instructions.

With Homebrew:

```shell
brew tap hashicorp/tap
brew install hashicorp/tap/terraform
```

With apt (Debian/Ubuntu):

```shell
wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(grep -oP '(?<=UBUNTU_CODENAME=).*' /etc/os-release || lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform
```

With dnf 4 (Fedora):

```shell
sudo dnf install -y dnf-plugins-core
sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/fedora/hashicorp.repo
sudo dnf -y install terraform
```

With dnf 5 (Fedora):

```shell
sudo dnf install -y dnf-plugins-core
sudo dnf config-manager addrepo --from-repofile=https://rpm.releases.hashicorp.com/fedora/hashicorp.repo
sudo dnf -y install terraform
```

With yum (RHEL):

```shell
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo yum -y install terraform
```

The `environments/` path stores executable environments that accept vars and/or secrets. When planning or executing an environment, use `terraform -chdir="environments/<path to environment directory>"`. Each environment is a Terraform module of its own, meaning you need to add a `variables.tf` like the one in the module(s) that will be called by the environment.
You should run your terraform commands from the repository root. This lets you use relative paths, e.g. `-var-file=".secrets/cloudflare/secrets.tfvars"`. Each time you run a terraform command from the repository root, set the `-chdir` arg to the path to your environment, e.g. `terraform -chdir="environments/cloudflare" init -upgrade`.
Some modules have an entrypoint script in the scripts/ directory. For example, the apply_cf_waf_rules.ps1 script calls the cloudflare environment, which composes the Cloudflare WAF zone rules module, the Cloudflare secrets file (or environment variable), and the Cloudflare WAF rules .tfvars file, then applies the WAF rules to your Cloudflare zone(s).