Yandex Cloud Terraform Provider
Here I will explain how to configure Terraform on your local machine to work with the Yandex Cloud Terraform provider.
For more details, see the official documentation: Getting started with Terraform
Create a configuration file for Terraform:
touch ~/.terraformrc
Add the following to it:
provider_installation {
  network_mirror {
    url     = "https://terraform-mirror.yandexcloud.net/"
    include = ["registry.terraform.io/*/*"]
  }
  direct {
    exclude = ["registry.terraform.io/*/*"]
  }
}
Uploading Terraform states to Yandex Object Storage
Create an S3 bucket for Terraform states and a dedicated service account for Terraform with the editor role:
$ cd ./global/s3/terraform-state
$ terraform apply
Create auth key for SA:
yc iam key create \
--service-account-id $(yc iam service-account list --format json | jq -r '.[] | select(.name == "terraform-sa") | .id') \
--folder-id $(yc config get folder-id) \
--output /tmp/.terraform-sa-auth-key.json
Create a yc profile for the SA:
$ yc config profile create terraform-sa
Profile 'terraform-sa' created and activated
Configure profile:
$ yc config set service-account-key /tmp/.terraform-sa-auth-key.json
$ yc config set cloud-id $YC_CLOUD_ID
$ yc config set folder-id $YC_FOLDER_ID
The YC_CLOUD_ID and YC_FOLDER_ID variables have already been set via .envrc with the main profile. If you didn't do this, just set them manually.
Grab the access and secret keys from the output:
terraform output -json
Go to the folder with the resource configurations. In this repo, that is ./prod/
Add the configuration for Terraform itself, for example in the terraform.tf file:
terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
  required_version = ">= 0.13"
  backend "s3" {
    endpoints = {
      s3 = "https://storage.yandexcloud.net"
    }
    region = "ru-central1"
    bucket = "<bucket-name>"
    key    = "<prefix>/terraform.tfstate"
    encrypt = false
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
  }
}
Initialize terraform:
terraform init -backend-config="access_key=$ACCESS_KEY" -backend-config="secret_key=$SECRET_KEY"
We need to configure Terraform in each folder/module, and we can't use variables here.
To avoid further mistakes, we can move the static configuration into a separate file called backend.hcl (you can use whatever name you want) and leave only key here. So in each folder/module we only have to specify the correct key value for that particular folder/module.
Now our terraform.tf file will look like this:
terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
  required_version = ">= 0.13"
  backend "s3" {
    key = "<prefix>/terraform.tfstate"
  }
}
And backend.hcl:
endpoints = {
  s3 = "https://storage.yandexcloud.net"
}
region = "ru-central1"
bucket = "<bucket-name>"
encrypt = false
skip_region_validation = true
skip_credentials_validation = true
skip_requesting_account_id = true
skip_s3_checksum = true
To initialize Terraform, we will use the following command:
terraform init \
-backend-config="access_key=$ACCESS_KEY" \
-backend-config="secret_key=$SECRET_KEY" \
-backend-config=backend.hcl
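With backend.hcl shared, the only thing that keeps modules apart is the `key` in each terraform.tf; two modules initialized with the same key read and write the same state object. The check below is an added example, not code from this repository: it assumes every module directory contains a terraform.tf laid out as shown above, and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original repo). Assumes the layout shown above:
# every module directory has a terraform.tf whose backend "s3" block sets `key`.
# Function names are illustrative.

# Print "<key><TAB><file>" for each terraform.tf under $1.
list_backend_keys() {
    find "$1" -type d -name .terraform -prune -o -type f -name terraform.tf -print |
    while IFS= read -r f; do
        # First `key = "..."` line after the `backend "s3"` line.
        k=$(awk '
            /backend[ \t]+"s3"/ { inb = 1 }
            inb && /^[ \t]*key[ \t]*=/ {
                if (match($0, /"[^"]*"/)) print substr($0, RSTART + 1, RLENGTH - 2)
                exit
            }' "$f")
        printf '%s\t%s\n' "$k" "$f"
    done
}

# Return 0 if every module has its own state key and no backend file holds
# credentials; otherwise print each problem and return 1.
check_backend_keys() {
    root=$1
    rc=0
    keys=$(list_backend_keys "$root")

    # Key missing, or the <prefix> placeholder was never replaced.
    bad=$(printf '%s\n' "$keys" |
        awk -F'\t' '$2 != "" && ($1 == "" || $1 ~ /[<>]/) { print $2 }')
    [ -z "$bad" ] || { echo "missing or placeholder key in: $bad"; rc=1; }

    # Two modules sharing a key would read and write the same state object.
    dup=$(printf '%s\n' "$keys" | cut -f1 | sort | uniq -d)
    [ -z "$dup" ] || { echo "state key used more than once: $dup"; rc=1; }

    # access_key / secret_key should come from the environment at init time,
    # not from files that get committed.
    leaked=$(find "$root" -type f \( -name terraform.tf -o -name backend.hcl \) \
        -exec grep -lE '^[[:space:]]*(access_key|secret_key)[[:space:]]*=' {} + || true)
    [ -z "$leaked" ] || { echo "credentials found in: $leaked"; rc=1; }

    return "$rc"
}
```

Source the file and run `check_backend_keys .` from the repository root before `terraform init`; a non-zero return means at least one of the three checks failed.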
Enter the directory with the configurations and type:
direnv allow
Now all variables will be automatically loaded into and unloaded from your shell when you enter or exit the directory.
Show terraform state:
terraform show
You can also run terraform console to query any state values:
terraform console
Show all project outputs:
terraform output
To see the output in JSON format, type:
terraform output -json
Here you can also see outputs generated at runtime, such as passwords, which are marked as sensitive.
Delete all resources:
terraform destroy
Destroy only a specific resource:
terraform destroy -target yandex_compute_instance.dev-compute-1
Get the serial port output of a deployed compute instance:
yc compute instance get-serial-port-output --name prod-compute-1