
Terraform Configuration

SG Managed Terraform Backend

Enable the Use Managed Terraform State option under Terraform Customizations. With this option StackGuardian injects the backend configuration itself and manages the Terraform state file, so the state is stored remotely, versioned and access-controlled rather than kept on a runner or in the repository. StackGuardian stores the state as a file named tfstate.json. Alternatively, you can declare the StackGuardian State Backend explicitly in your Terraform code. In either case, the state ends up in the same type of storage backend.

Configuring StackGuardian State Backend in Terraform Code

StackGuardian exposes Terraform's HTTP backend for secure, remote storage and management of Terraform state files. A shared remote state matters for teams because every run then plans against the same, current state; it avoids the lost updates and conflicting writes that happen when several people hold their own copy.

To integrate StackGuardian with your Terraform setup, configure the state backend as follows:

terraform {
  backend "http" {
    address        = "https://api.app.stackguardian.io/api/v1/orgs/[SG_ORG_ID]/wfgrps/[SG_WORKFLOW_GROUP_ID]/[WORKFLOW_OR_STACK_PATH]/artifacts/tfstate.json"
    retry_wait_min = 5              # Minimum time in seconds to wait between HTTP request attempts
    username       = "SG_EMAIL"     # Prefer passing this via the TF_HTTP_USERNAME env var
    password       = "SG_API_TOKEN" # Prefer the TF_HTTP_PASSWORD env var; never commit a real token
  }
}

In your Terraform backend configuration, replace [WORKFLOW_OR_STACK_PATH] with the path segment that matches your workflow type: wfs/[SG_WORKFLOW_ID] for a standalone workflow, or stacks/[SG_STACK_ID]/wfs/[SG_WORKFLOW_ID] for a workflow that belongs to a stack. The resulting addresses are:

  • Standard Workflows: https://api.app.stackguardian.io/api/v1/orgs/[SG_ORG_ID]/wfgrps/[SG_WORKFLOW_GROUP_ID]/wfs/[SG_WORKFLOW_ID]/artifacts/tfstate.json
  • Stack Workflows: https://api.app.stackguardian.io/api/v1/orgs/[SG_ORG_ID]/wfgrps/[SG_WORKFLOW_GROUP_ID]/stacks/[SG_STACK_ID]/wfs/[SG_WORKFLOW_ID]/artifacts/tfstate.json
Note: Replace SG_ORG_ID, SG_WORKFLOW_GROUP_ID, SG_STACK_ID, SG_WORKFLOW_ID, SG_EMAIL, and SG_API_TOKEN with your actual StackGuardian configuration details. Supply SG_EMAIL and SG_API_TOKEN through the TF_HTTP_USERNAME and TF_HTTP_PASSWORD environment variables rather than writing them into Terraform code that is committed to version control.
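The address construction and credential handling described above, as an added example that is not StackGuardian's own tooling: a POSIX shell helper that builds the tfstate.json address for either workflow form, refuses values that still look like doc placeholders, and writes a partial backend configuration holding no credentials, so main.tf keeps only `terraform { backend "http" {} }` and the username and token reach Terraform only through TF_HTTP_USERNAME and TF_HTTP_PASSWORD (variables the HTTP backend reads). The base URL is taken from the page; the function names, the backend.hcl file name and the sample IDs in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not StackGuardian's own tooling. Builds the HTTP backend
# address for a standard or stack workflow and writes a partial backend
# configuration that carries no credentials; Terraform reads the username
# and token from TF_HTTP_USERNAME / TF_HTTP_PASSWORD, so the API token
# never lands in version control. Base URL copied from the docs; function
# names and the sample IDs in the usage comment are assumptions.
set -e

SG_API_BASE="https://api.app.stackguardian.io/api/v1"

# sg_state_address ORG WFGRP WORKFLOW [STACK]
# Prints the tfstate.json artifact URL. With a STACK argument the stack
# form (.../stacks/STACK/wfs/WORKFLOW/...) is used.
sg_state_address() {
  org="$1"; wfgrp="$2"; wf="$3"; stack="${4:-}"
  # Refuse values that still look like doc placeholders, e.g. [SG_ORG_ID].
  for v in "$org" "$wfgrp" "$wf" "$stack"; do
    case "$v" in
      *"["*|*"]"*) echo "unreplaced placeholder in backend id: $v" >&2; return 1 ;;
    esac
  done
  if [ -n "$stack" ]; then
    path="stacks/$stack/wfs/$wf"
  else
    path="wfs/$wf"
  fi
  printf '%s/orgs/%s/wfgrps/%s/%s/artifacts/tfstate.json\n' \
    "$SG_API_BASE" "$org" "$wfgrp" "$path"
}

# sg_write_backend_config FILE ADDRESS
# Writes the non-secret backend settings for `terraform init -backend-config=FILE`.
# Created with mode 0600 in a subshell so the umask change does not leak.
sg_write_backend_config() {
  file="$1"; address="$2"
  (
    umask 077
    cat > "$file" <<EOF
address        = "$address"
retry_wait_min = 5
EOF
  )
}

# sg_backend_config_is_clean FILE
# Succeeds only if FILE sets no username/password, i.e. it is safe to commit.
sg_backend_config_is_clean() {
  ! grep -Eq '^[[:space:]]*(username|password)[[:space:]]*=' "$1"
}

# Usage (assumed values): main.tf keeps only `terraform { backend "http" {} }`;
# init gets address/retries from the file and credentials from the environment.
#   export TF_HTTP_USERNAME="you@example.com"
#   export TF_HTTP_PASSWORD="$(cat "$HOME/.sg_token")"
#   sg_write_backend_config backend.hcl "$(sg_state_address org1 grp1 wf1)"
#   sg_backend_config_is_clean backend.hcl && terraform init -backend-config=backend.hcl
```

Keeping the address in a small file and the token in the environment also makes a leaked repository or plan log far less damaging: the address alone grants nothing without the API token, and the token can be rotated without touching committed code.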

Require Terraform Plan Approval

Enable this option to add a governance gate between plan and apply. Select the Users who are allowed to approve the workflow and, under Require Approval from, who must approve, so that every set of changes is reviewed before it is applied.

Automated Drift Check

Enable Automated Drift Check to have StackGuardian run drift checks on a regular schedule against your deployed infrastructure. If drift is detected, users can rerun the workflow to reconcile the live resources with the configuration, or update the Terraform configuration (for example by importing the out-of-band change) so that the configuration reflects the new desired state.

Terraform Customizations

This feature allows users to configure specific Terraform settings to tailor the workflow as needed.

(Screenshot: Terraform Customization)

  • Terraform Version: Ensures compatibility with specific Terraform versions or custom environments. Users can select from available versions (e.g., 1.5.7) or specify a Custom Tool Path for non-standard setups.
  • Extra CLI Options: Add custom command-line options for Terraform commands, useful for advanced configurations where additional flags or settings are needed.
  • Workflow Step Timeout: Set a time limit for each step, preventing the workflow from hanging indefinitely during execution.
  • Import Existing Terraform State File: If Use Managed Terraform State is enabled, users can upload an existing JSON state file for seamless state migration.

(Screenshot: Export Terraform File)

Lifecycle Custom Steps

Allows users to inject custom logic at different stages of the Terraform workflow, offering flexibility to perform additional tasks before or after Terraform commands.

(Screenshot: Lifecycle Custom Step)

  • Pre Init: Executes commands or steps before terraform init.
  • Pre Plan: Executes commands or steps before terraform plan.
  • Post Plan: Executes steps after the terraform plan is generated, such as running a security scan.
  • Pre Apply: Executes commands or steps before terraform apply.
  • Post Apply: Executes steps after applying changes, like validation or notifications.

These lifecycle steps let you integrate tools and processes such as vulnerability scanning, validation, or post-deployment configuration directly into the Terraform workflow. For example, a Post Plan step can run a security scan (e.g., wiz.io) against the generated plan, and a non-zero exit from that step stops the workflow before anything is applied.
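A Post Plan gate of the kind described above, as an added example that is not StackGuardian's code and not a wiz.io integration: a POSIX shell step that reads the human-readable plan, blocks the run when it would destroy or replace resources of protected types, and blocks any destruction at all unless ALLOW_DESTROY=1 is set for the run. It assumes the plan step saved the plan as tfplan in the working directory and that a non-zero exit of the step fails the workflow; the protected type list, the environment variable names and the sample plans are constructed.

```shell
#!/bin/sh
# Added example, not StackGuardian's own code. A Post Plan lifecycle step
# that parses `terraform show -no-color tfplan` output and refuses to let
# the workflow continue to apply when the plan destroys or replaces
# protected resource types, or destroys anything without ALLOW_DESTROY=1.
# Assumes (not from the docs): the plan was saved as tfplan, and a non-zero
# exit of this step fails the workflow.
set -e

# Resource types a routine run must never destroy or replace (assumed list).
PROTECTED_TYPES="${PROTECTED_TYPES:-aws_kms_key aws_iam_role aws_s3_bucket}"

# plan_destroy_count PLAN_TEXT
# Prints the destroy count from "Plan: X to add, Y to change, Z to destroy."
# or 0 when the plan has no such summary (e.g. "No changes.").
plan_destroy_count() {
  printf '%s\n' "$1" | awk '
    /^Plan: / { for (i = 1; i <= NF; i++) if ($i == "destroy." || $i == "destroy") { print $(i-2); found = 1 } }
    END { if (!found) print 0 }'
}

# plan_protected_violations PLAN_TEXT
# Prints the address of every protected resource the plan would destroy or
# replace, one per line. Matches the "# <address> will be destroyed" and
# "# <address> must be replaced" lines Terraform prints above each resource.
plan_protected_violations() {
  printf '%s\n' "$1" | awk -v types="$PROTECTED_TYPES" '
    BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) prot[t[i]] = 1 }
    /^ *# .* (will be destroyed|must be replaced)$/ {
      n = split($2, p, ".")
      i = 1
      while (i < n && p[i] == "module") i += 2   # skip module.<name> prefixes
      if (p[i] in prot) print $2
    }'
}

# post_plan_gate PLAN_TEXT -> 0 to let apply proceed, 1 to stop the workflow.
post_plan_gate() {
  plan="$1"
  destroys="$(plan_destroy_count "$plan")"
  violations="$(plan_protected_violations "$plan")"
  if [ -n "$violations" ]; then
    echo "BLOCKED: plan destroys/replaces protected resources:" >&2
    printf '  %s\n' $violations >&2
    return 1
  fi
  if [ "$destroys" -gt 0 ] && [ "${ALLOW_DESTROY:-0}" != "1" ]; then
    echo "BLOCKED: plan destroys $destroys resource(s); set ALLOW_DESTROY=1 to permit" >&2
    return 1
  fi
  echo "OK: $destroys resource(s) to destroy, no protected resources affected"
}

# Constructed sample plan outputs (shape of `terraform show -no-color`).
SAFE_PLAN='Terraform will perform the following actions:

  # aws_instance.web will be created
  + resource "aws_instance" "web" {
      + ami = "ami-0123"
    }

Plan: 1 to add, 0 to change, 0 to destroy.'

DESTROY_PLAN='Terraform will perform the following actions:

  # aws_instance.old will be destroyed
  - resource "aws_instance" "old" {
    }

Plan: 0 to add, 0 to change, 1 to destroy.'

RISKY_PLAN='Terraform will perform the following actions:

  # module.kms.aws_kms_key.main must be replaced
-/+ resource "aws_kms_key" "main" {
    }

  # aws_iam_role.deploy will be destroyed
  - resource "aws_iam_role" "deploy" {
    }

Plan: 1 to add, 0 to change, 2 to destroy.'

# As the Post Plan step: gate the real plan if the plan step left one behind.
if [ -f tfplan ] && command -v terraform >/dev/null 2>&1; then
  post_plan_gate "$(terraform show -no-color tfplan)"
fi
```

The gate runs on the saved plan file rather than on a fresh `terraform plan`, so the artifact it inspects is exactly what the Apply step will consume; pair it with Require Terraform Plan Approval so a human still reviews the runs that pass the automated check.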

Run commands in the same environment

When enabled, lifecycle steps run within the same Terraform environment. If disabled, multiple custom steps can be added and reordered, providing flexibility for more complex workflows. Learn more in the Lifecycle Custom Steps documentation.

Resources and Events

Explore options to customize the resources allocated to your workflow and to trigger notifications or actions based on workflow events.

  • Workflow Resources: Allocate CPU and memory for workflow execution. CPU is given in units where 1024 equals 1 vCPU, and memory in MiB, so 1024 equals 1 GiB.
  • Workflow Chaining: Chain workflows together for sequential execution.
  • Webhook: Configure webhooks to trigger notifications or actions based on workflow status or events.
  • Notifications: Set up alerts for key workflow events, such as start, success, or failure.

Execution Schedules

You can automate the execution of workflows using a cron schedule. This allows users to define specific intervals for when the workflow should run, whether it’s a one-time deployment or a recurring task.

Custom Workflow Steps

Non-Terraform Workflows

For non-Terraform workflows, users can define Workflow Steps instead of Terraform-specific configurations. These steps allow users to:

  • Create Custom Workflow Steps: Define each step's template parameters and other template-based metadata, and reorder the steps to control the execution sequence.
  • Resources and Events: Allocate CPU and memory resources to optimize workflow runtime.
  • Workflow Chaining: Set triggers like "On Error" or "On Success" to execute dependent workflows automatically.
  • Approval Settings: Enable or disable workflow approvals.
  • Webhooks and Notifications: Configure webhooks for automated notifications or triggers.

(Screenshot: Custom Workflow Step)

This flexibility enables teams to create highly customized workflows tailored to their unique requirements.