Local Terraform Execution Guide#
Description#
This guide outlines the process for running Terraform locally instead of through the pipeline, which may be necessary in certain cases.
Prerequisites#
1. Install necessary software#
-
- For older versions of Terraform or certain modules/providers, use the amd64 binary rather than the arm64 one.
- Ensure your Terraform version matches the one used in the pipeline.
- Projects should have a
.terraform-versionfile containing the correct version. - Running
tfswitchin a directory with this file will automatically switch to the correct version.
-
kubectl (within one minor version of the cluster)
2. Connect to the VT VPN.#
3. Obtain a personal access token from code.vt.edu/-/profile/personal_access_tokens with read_api permissions only.#
4. Set the environment variable TF_VAR_gitlab_token equal to this token.#
5. Request admin access for the production cluster:#
6. Add your PID here and create a merge request.#
7. Add AWS STS client functions to your .bashrc/.zshrc:#
Procedure#
-
Clone a new copy of the repository code where state is locked. You need a new copy of the code because we will be copying files around that we don’t want pushed upstream
-
Check out the desired commit.
-
Run
vault-auth.sh/vault-auth.bashscript in the root of the eks-cluster project. -
Run the export commands output by the vault-auth script:
- export VAULT_TOKEN=.......
- export VAULT_ADDR=.......
-
Recursively copy the environment you're working with to the cluster-bootstrap directory:
-
For on-prem: Remove unnecessary backend definition files. For example, for the dvlp cluster:
-
For AWS clusters:
-
Authenticate to the needed account (e.g., vt-platform-prod), and switch to that profile.
-
New way with baseline (AWS DVLP and PPRD)
- Log in: AWS Baseline Login
- Select the cluster you want to access
- Click the "AWS Account" button
- DVLP: VT-AWS-ACCT_50
- PRD: VT-AWS-ACCT_143
- Click on "Command line or programmatic access"
- Use the "AWS IAM Identity Center credentials"
-
Run: aws_sts_set:
-
Legacy (PROD)
- See https://onboarding.platform.it.vt.edu/cluster-overview/ for authentication to the prod account.
- dvlp arn: 683741249548
- prod arn: 772415023108
- Run:
export AWS_PROFILE=vt-platform-<prod|pprd|dvlp> - Run:
. awsume vt-platform-<prod|pprd|dvlp>
- See https://onboarding.platform.it.vt.edu/cluster-overview/ for authentication to the prod account.
-
-
For On-prem: Authenticate using Headlamp
-
Run
tfswitchto ensure you're using the correct version of Terraform. -
Initialize Terraform:
-
For AWS:
-
For on-prem:
-
-
You can now run commands such as
terraform show,terraform taint, andterraform force-unlock. -
If you need to run a terraform plan or apply, create a kubeconfig:
- The kubeconfig is stored in the state file for eks
terraform initterraform workspace listterraform workspace select <workspace name>- Run
terraform output kubeconfigto make sure the output is valid - Take the output from the last command and write it to a file called kubeconfig in the directory you need to run terraform from (eks-cluster/cluster-bootstrap)
- Edit the file
- Remove the header and footer - <<EOT and EOT
- Change the apiVersion from v1alpha1 to v1beta1
- The kubeconfig file is referenced in the provider
-
Run Terraform plan:
- Use the personal access token generated previously when prompted for var.gitlab_token.
Tips#
Show all helm releases:
Cleanup#
- If you cloned the eks-cluster repository in a new location, delete it to avoid accidental commits.
- If granted admin access for the AWS production cluster, remove your PID from here and create a merge request.
Troubleshooting#
If the terraform state is locked, run:
- Run Terraform plan:
In the AWS vt-platform-auth account, there's an S3 vt-common-platform-env bucket that stores the tfstate for each cluster.
Additional Resources#
Note
Always ensure you're using the correct versions of tools and following the most up-to-date procedures when working with infrastructure as code.