
OpenTofu Configuration

SG Managed OpenTofu Backend

Enable the Use Managed OpenTofu State option under OpenTofu Customizations. This feature ensures that StackGuardian automatically injects and manages the OpenTofu state file, providing secure, tracked, and remotely managed infrastructure states. StackGuardian uses tfstate.json as the file name for storing your backend. Alternatively, you can add the StackGuardian State Backend explicitly to your OpenTofu code. In either case, the state is stored in the same type of storage backend.

Configuring StackGuardian State Backend in OpenTofu Code

StackGuardian supports the use of an HTTP backend for OpenTofu, facilitating secure, remote storage and management of OpenTofu state files. This configuration is crucial for teams requiring centralized state management to improve collaboration and avoid state locking conflicts.

To integrate StackGuardian with your OpenTofu setup, configure the state backend as follows:

terraform {
  backend "http" {
    address        = "https://api.app.stackguardian.io/api/v1/orgs/[SG_ORG_ID]/wfgrps/[SG_WORKFLOW_GROUP_ID]/[WORKFLOW_OR_STACK_PATH]/artifacts/tfstate.json"
    retry_wait_min = 5              # Minimum time in seconds to wait between HTTP request attempts
    username       = "SG_EMAIL"     # Can also be passed using the TF_HTTP_USERNAME env var
    password       = "SG_API_TOKEN" # Can also be passed using the TF_HTTP_PASSWORD env var
  }
}

In the address above, replace [WORKFLOW_OR_STACK_PATH] with the path that matches your workflow type: wfs/[SG_WORKFLOW_ID] for a standard workflow, or stacks/[SG_STACK_ID]/wfs/[SG_WORKFLOW_ID] for a workflow that belongs to a stack. The resulting reference addresses are:

  • Standard Workflows: https://api.app.stackguardian.io/api/v1/orgs/[SG_ORG_ID]/wfgrps/[SG_WORKFLOW_GROUP_ID]/wfs/[SG_WORKFLOW_ID]/artifacts/tfstate.json
  • Stack Workflows: https://api.app.stackguardian.io/api/v1/orgs/[SG_ORG_ID]/wfgrps/[SG_WORKFLOW_GROUP_ID]/stacks/[SG_STACK_ID]/wfs/[SG_WORKFLOW_ID]/artifacts/tfstate.json
Note: Replace SG_ORG_ID, SG_WORKFLOW_GROUP_ID, SG_STACK_ID, SG_WORKFLOW_ID, SG_EMAIL, and SG_API_TOKEN with your actual StackGuardian configuration details.
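
As an added example (not StackGuardian's or OpenTofu's own code), the following Python helper builds the tfstate.json address for either workflow type, refuses identifiers that still contain an unreplaced [PLACEHOLDER], and renders the backend block with username and password left out so that OpenTofu takes them from the TF_HTTP_USERNAME and TF_HTTP_PASSWORD environment variables mentioned in the comments above instead of from a file under version control. The find_hardcoded_secrets check can run as a pre-commit guard against an API token landing in the repository. The identifiers org1, grp1, wf1 and st1 are constructed sample values, not real StackGuardian IDs.

```python
"""Build a StackGuardian HTTP-backend address and render a backend block
that keeps credentials out of the code. Added example, not StackGuardian code."""
import re
from typing import List, Optional

BASE = "https://api.app.stackguardian.io/api/v1"
# Matches an unreplaced template placeholder such as [SG_ORG_ID].
PLACEHOLDER = re.compile(r"\[[A-Z_]+\]")


def state_address(org_id: str, wfgrp_id: str, workflow_id: str,
                  stack_id: Optional[str] = None) -> str:
    """Return the tfstate.json URL for a standard workflow (stack_id=None)
    or for a workflow that belongs to a stack."""
    ids = [org_id, wfgrp_id, workflow_id] + ([stack_id] if stack_id is not None else [])
    for value in ids:
        # Reject empty values, path separators and leftover placeholders.
        if not value or "/" in value or PLACEHOLDER.search(value):
            raise ValueError(f"invalid or unreplaced identifier: {value!r}")
    path = f"orgs/{org_id}/wfgrps/{wfgrp_id}/"
    if stack_id is not None:
        path += f"stacks/{stack_id}/"
    path += f"wfs/{workflow_id}/artifacts/tfstate.json"
    return f"{BASE}/{path}"


def render_backend(address: str, retry_wait_min: int = 5) -> str:
    """Render the terraform { backend "http" { ... } } block.
    username/password are deliberately omitted: OpenTofu's http backend reads
    TF_HTTP_USERNAME and TF_HTTP_PASSWORD from the environment, so the API
    token never needs to be written into a file under version control."""
    return (
        "terraform {\n"
        '  backend "http" {\n'
        f'    address        = "{address}"\n'
        f"    retry_wait_min = {retry_wait_min}\n"
        "    # username and password come from TF_HTTP_USERNAME / TF_HTTP_PASSWORD\n"
        "  }\n"
        "}\n"
    )


def find_hardcoded_secrets(hcl: str) -> List[str]:
    """Return any literal password = "..." values found in HCL text, so a
    pre-commit hook can refuse to commit a backend block with an API token."""
    return re.findall(r'^\s*password\s*=\s*"([^"]*)"', hcl, flags=re.MULTILINE)


if __name__ == "__main__":
    # Constructed sample identifiers, not real StackGuardian IDs.
    addr = state_address("org1", "grp1", "wf1", stack_id="st1")
    print(render_backend(addr))
```

Export TF_HTTP_USERNAME and TF_HTTP_PASSWORD in the shell (or in the workflow's environment) before running tofu init; the rendered block then works unchanged across machines without anyone editing a token into it.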

Require OpenTofu Plan Approval

Enable this feature to add an extra layer of governance. It lets you choose the users who can approve the workflow under Require Approval from, so that changes are reviewed before they are applied.

Automated Drift Check

Enable Automated Drift Check to allow StackGuardian to run drift checks regularly on your deployed infrastructure. If drift is detected, users can rerun the workflow to reconcile it, or modify the OpenTofu configuration to import the changes.

OpenTofu Customizations

This feature allows users to configure specific OpenTofu settings to tailor the workflow as needed.

(Screenshot: OpenTofu Customization)

  • OpenTofu Version: Ensures compatibility with specific OpenTofu versions or custom environments. Users can select from available versions (e.g., 1.5.7) or specify a Custom Tool Path for non-standard setups.
  • Extra CLI Options: Add custom command-line options for OpenTofu commands, useful for advanced configurations where additional flags or settings are needed.
  • Workflow Step Timeout: Set a time limit for each step, preventing the workflow from hanging indefinitely during execution.
  • Import Existing OpenTofu State File: If Use Managed OpenTofu State is enabled, users can upload an existing JSON state file for seamless state migration.
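
Because a state file carries resource attributes and outputs, including any marked sensitive, it is worth checking a file before uploading it through Import Existing OpenTofu State File. The following Python checker is an added example, not StackGuardian code: it parses a constructed version-4 state, verifies the top-level keys OpenTofu expects (version, terraform_version, serial, lineage, resources), lists sensitive outputs so you know what the upload will hold, and prints the resource addresses you can compare against tofu state list once the migration is done. The resource names, IDs and lineage in SAMPLE_STATE are constructed.

```python
"""Pre-upload sanity check for an OpenTofu JSON state file (format version 4).
Added example, not StackGuardian code."""
import json
from typing import Dict, List

# Constructed sample state in the version-4 layout; not from any real run.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.7",
    "serial": 12,
    "lineage": "00000000-0000-4000-8000-000000000000",
    "outputs": {
        "db_password": {"value": "constructed-secret", "type": "string", "sensitive": True},
        "vpc_id": {"value": "vpc-0123", "type": "string"},
    },
    "resources": [
        {"mode": "managed", "type": "aws_vpc", "name": "main",
         "provider": 'provider["registry.opentofu.org/hashicorp/aws"]',
         "instances": [{"schema_version": 1, "attributes": {"id": "vpc-0123"}}]},
        {"module": "module.db", "mode": "managed", "type": "aws_db_instance", "name": "main",
         "provider": 'provider["registry.opentofu.org/hashicorp/aws"]',
         "instances": [{"schema_version": 2, "attributes": {"id": "db-1"}}]},
        {"mode": "data", "type": "aws_caller_identity", "name": "me",
         "provider": 'provider["registry.opentofu.org/hashicorp/aws"]',
         "instances": [{"schema_version": 0, "attributes": {"account_id": "123456789012"}}]},
    ],
})

REQUIRED_KEYS = ("version", "terraform_version", "serial", "lineage", "resources")


def resource_addresses(state: Dict) -> List[str]:
    """Addresses in the form `tofu state list` prints them, e.g.
    aws_vpc.main, module.db.aws_db_instance.main, data.aws_caller_identity.me."""
    out = []
    for r in state.get("resources", []):
        base = f"{r['type']}.{r['name']}"
        if r.get("mode") == "data":
            base = "data." + base
        if r.get("module"):
            base = f"{r['module']}.{base}"
        out.append(base)
    return out


def check_state(raw: str) -> Dict:
    """Parse the file and return problems plus a summary. An empty
    'problems' list means the file is structurally ready to upload."""
    try:
        state = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {"problems": [f"not valid JSON: {exc}"], "addresses": [],
                "managed_resources": 0, "sensitive_outputs": []}
    problems = [f"missing top-level key: {k}" for k in REQUIRED_KEYS if k not in state]
    if state.get("version") != 4:
        problems.append(f"unsupported state format version: {state.get('version')!r}")
    managed = [r for r in state.get("resources", []) if r.get("mode") == "managed"]
    sensitive = sorted(k for k, v in state.get("outputs", {}).items() if v.get("sensitive"))
    return {"problems": problems, "addresses": resource_addresses(state),
            "managed_resources": len(managed), "sensitive_outputs": sensitive}


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    result = check_state(raw)
    for p in result["problems"]:
        print("PROBLEM:", p)
    print("managed resources:", result["managed_resources"])
    print("sensitive outputs:", ", ".join(result["sensitive_outputs"]) or "none")
    for a in result["addresses"]:
        print(" ", a)
    sys.exit(1 if result["problems"] else 0)
```

Run it as python3 check_state.py path/to/terraform.tfstate; a non-zero exit means the file should not be uploaded yet. The serial and lineage checks matter because OpenTofu uses them to refuse writes from a stale copy of the state, so a hand-edited file missing them can silently lose that protection.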

(Screenshot: Export OpenTofu File)

Lifecycle Custom Steps

Lifecycle custom steps let users inject custom logic at different stages of the OpenTofu workflow, offering the flexibility to perform additional tasks before or after OpenTofu commands.

(Screenshot: Lifecycle Custom Step)

  • Pre Init: Executes commands or steps before tofu init.
  • Pre Plan: Executes commands or steps before tofu plan.
  • Post Plan: Executes steps after the tofu plan is generated, such as running a security scan.
  • Pre Apply: Executes commands or steps before tofu apply.
  • Post Apply: Executes steps after applying changes, like validation or notifications.

These lifecycle steps let tools and processes such as vulnerability scanning, validation, or post-deployment configuration be integrated directly into the OpenTofu workflow. For example, users can integrate security scans (e.g., wiz.io) to validate the OpenTofu plan before proceeding with deployment.
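
A Post Plan gate of the kind described above, as an added example (not StackGuardian's or wiz.io's code): it reads the JSON that tofu show -json emits for a saved plan, flags every resource the plan would destroy or replace, optionally flags updates to resource types you treat as protected, and exits non-zero so the workflow stops before tofu apply. The plan contents in SAMPLE_PLAN are constructed, and the plan-file name tfplan in the usage note is an assumption about how your plan step saves its output.

```python
"""Post Plan gate over `tofu show -json <planfile>` output.
Added example, not StackGuardian code."""
import json
import sys
from typing import Dict, Iterable, List, Tuple

# Constructed plan JSON in the shape `tofu show -json` emits, trimmed to the
# fields used here; not from any real run.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"]}},   # destroy-then-create replacement
        {"address": "aws_iam_role.ci", "type": "aws_iam_role",
         "change": {"actions": ["update"]}},
        {"address": "aws_security_group.old", "type": "aws_security_group",
         "change": {"actions": ["delete"]}},
        {"address": "aws_vpc.main", "type": "aws_vpc",
         "change": {"actions": ["no-op"]}},
    ],
})


def classify(actions: List[str]) -> str:
    """Map a resource_changes[].change.actions list to one word."""
    if actions == ["no-op"]:
        return "no-op"
    if "delete" in actions and "create" in actions:   # either ordering of a replace
        return "replace"
    if actions == ["delete"]:
        return "destroy"
    if actions == ["create"]:
        return "create"
    if actions == ["update"]:
        return "update"
    return "other"  # e.g. ["read"] for data sources


def gate(plan_json: str, protected_types: Iterable[str] = ()) -> Dict:
    """Return the findings that should block apply and whether apply is allowed.
    Destroy and replace always block; updates block only for protected types."""
    plan = json.loads(plan_json)
    protected = set(protected_types)
    findings: List[Tuple[str, str]] = []
    for rc in plan.get("resource_changes", []):
        kind = classify(rc["change"]["actions"])
        if kind in ("destroy", "replace"):
            findings.append((rc["address"], kind))
        elif kind == "update" and rc["type"] in protected:
            findings.append((rc["address"], "protected-update"))
    return {"findings": findings, "allowed": not findings}


def main() -> int:
    # Read the plan JSON from stdin when piped; otherwise demonstrate on the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    result = gate(raw, protected_types=("aws_iam_role",))
    for address, kind in result["findings"]:
        print(f"BLOCK {kind}: {address}")
    print("plan allowed" if result["allowed"] else "plan blocked; review before apply")
    return 0 if result["allowed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

In the Post Plan step the command would be along the lines of tofu show -json tfplan | python3 plan_gate.py (assuming the plan step wrote its output to tfplan); a non-zero exit fails the step, so the Pre Apply and apply stages never run for a plan that destroys or replaces infrastructure without someone looking at it first.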

Run commands in the same environment

When enabled, lifecycle steps run within the same OpenTofu environment. If disabled, multiple custom steps can be added and reordered, providing flexibility for more complex workflows. Learn more in the Lifecycle Custom Steps documentation.

Resources and Events

Explore options to customize the resources allocated to your workflow and to trigger notifications or actions based on workflow events.

  • Workflow Resources: Allocate CPU and memory for workflow execution (e.g., a CPU value of 1024 for 1 vCPU and a memory value of 1024 for 1GB of memory).
  • Workflow Chaining: Chain workflows together for sequential execution.
  • Webhook: Configure webhooks to trigger notifications or actions based on workflow status or events.
  • Notifications: Set up alerts for key workflow events, such as start, success, or failure.

Execution Schedules

You can automate the execution of workflows using a cron schedule. This lets users define the intervals at which the workflow should run, whether it is a one-time deployment or a recurring task.