AWX Terraform state integration

Hi,
has anyone thought of a good way to integrate state management for terraform deployments into AWX? I am wondering how I can enable a secure separation between teams while keeping state storage centralized so not every team needs to think about state storage themselves. But I am failing to come up with a decent scenario that covers my security concerns.

Greetings
Klaas

@akira6592
Have you made any evaluation around this topic?

1 Like

@Klaas Hello!

Terraform backend configurations credential type was introduced in AWX 23.8.0. Does this meet your needs?

2 Likes

The documentation is now being developed in Added docs for terraform credential/inventory source by tvo318 · Pull Request #15004 · ansible/awx · GitHub.

You can see the temporary documentation at 9. Credentials — Ansible AWX community documentation.

So I’ve read the docs, which prompted me to open this question here – if I use it like this my teams would need to either make their own backend credentials (i.e. do their own state management) or I would need to create it for each of their deployments for them.

What I would like to do:
I create a central s3/azure storage/whatever and each team gets access to their own state files within that storage, but not the state files of other teams. But I can’t work my way around how/if this could be doable. Essentially I would like to simplify state management for my teams and centralize it :slight_smile:

Hi Klaas! I think what you’re asking for is feasible. We’ve created some roles to help simplify the creation of Terraform backend infrastructure in AWS, Azure, and Google Cloud here. You could use the s3_backend role for example to create either separate buckets for each team’s state files or a single bucket with different paths for each team. The aws_s3backend_iam_name and aws_s3backend_terraform_state_path options can be combined to create IAM roles with access only to a specific path within a bucket, so each team would have their own IAM role with access to only their state files.

This would require each team to have their own backend credential in AWX, but only one per team as opposed to one per deployment. The credential configuration could contain just the authentication data (access key and secret key for that team’s role) and then any deployment-specific backend configuration data (bucket, path, region, etc.) can be supplied directly in the terraform config or passed as variables to the job.

I think that will help with what you’re asking, but am I missing anything?

On a related note, we are interested in hearing whether folks would like to have the ability to store state within the platform itself, and if so how you would use it. So please let us know if you have thoughts on that!

5 Likes
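As an added example (not code from the thread, AWX, or the roles the reply links to), this Python snippet builds the kind of path-scoped IAM policy the reply describes for a shared state bucket and then simulates which state keys a team's role can reach; the bucket and team names are constructed placeholders.

```python
"""Added example: per-team least-privilege policy for a central Terraform
state bucket, plus a toy evaluator for object-level access.
Bucket and team names are constructed placeholders."""
import fnmatch
import json


def team_state_policy(bucket: str, team: str) -> dict:
    """A team may list and read/write objects only under <bucket>/<team>/ ;
    other teams' prefixes in the same bucket stay invisible to it."""
    prefix = f"{team}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is a bucket-level action, so scope it via the s3:prefix condition
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
            {   # object access is scoped by the resource ARN itself
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def allows(policy: dict, bucket: str, action: str, key: str) -> bool:
    """Toy S3 object-level evaluation: allowed only if an Allow statement
    names the action and one of its Resource patterns matches the object ARN.
    (Explicit Deny and bucket-level actions are outside this simplified model.)"""
    obj_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] == "Allow" and action in actions \
                and any(fnmatch.fnmatch(obj_arn, r) for r in resources):
            return True
    return False


if __name__ == "__main__":
    bucket = "example-central-tfstate"      # constructed bucket name
    policy = team_state_policy(bucket, "team-a")
    print(json.dumps(policy, indent=2))
    print(allows(policy, bucket, "s3:GetObject", "team-a/prod/terraform.tfstate"))  # True
    print(allows(policy, bucket, "s3:GetObject", "team-b/prod/terraform.tfstate"))  # False
    print(allows(policy, bucket, "s3:PutObject", "shared/team-a.tfstate"))          # False
```

The per-deployment `key` a team sets in its own backend block only has to fall under its prefix; the role, not the credential, enforces the boundary.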

Okay, so I think I misunderstood the part about the state file being static in the credential:
https://ansible--15004.org.readthedocs.build/projects/awx/en/15004/userguide/credentials.html#terraform-backend-configuration
sounded to me like it needs to include the state file in a static way :slight_smile:

So the general idea for a scenario with multiple teams using a precreated backend by me would be I create a credential per team without the state file (without key=…) and then a team could use their assigned credential for multiple terraform deployments by them specifying key= in their code? That does sound reasonable, I will have a look at this in more detail – thanks

On a related note, we are interested in hearing whether folks would like to have the ability to store state within the platform itself, and if so how you would use it. So please let us know if you have thoughts on that!

So the easier this is the better it would be for my users I’d say :slight_smile: My use case is I have a multitude of teams/people that would like to combine terraform and ansible; the way this is currently heading is a third-party tool that can run both tf and ansible, but I would much rather see ansible taking the lead and being the “glue code” here. So generally speaking what I would like best is state management directly in awx in a transparent way – so ideally state would just be integrated into the current rbac model for jobs/inventories/etc and stored by awx. I am guessing you could also catch a few people who want to replace terraform cloud here from Red Hat’s point of view :slight_smile:

1 Like

So the general idea for a scenario with multiple teams using a precreated backend by me would be I create a credential per team without the state file (without key=…) and then a team could use their assigned credential for multiple terraform deployments by them specifying key= in their code?

Yes, exactly. Any of those backend configuration values can be provided directly to the terraform_state inventory plugin using the backend_config option instead of via the credentials file. For security reasons the access_key and secret_key should definitely be stored in the credential but the other values might vary from project to project, and the key will be unique to each Terraform project.

And thank you for the input on storing state in AWX!