Terraform is an open-source Infrastructure as Code tool that provides a consistent workflow and human-readable configuration language to manage infrastructure and configurations across several different cloud services.
At Gjensidige, we use Terraform to manage resources for Azure, GitHub and Splunk, among others. We use a multi-repo architecture which enables teams to self-service and compose configurations based on shared building blocks.
Repository templates for Terraform are available, which include common boilerplate code, workflows and a directory structure that can be used as a starting point for your repository.
Use the /platform-github repo create-from-template command in #github-at-gjensidige to create a new repository from one of these templates:
The following reusable modules are available for internal use at Gjensidige:
CI/CD with GitHub Actions
Changes should always be applied using a GitHub Actions workflow.
Reusable workflows are used to avoid duplication and increase consistency across repositories.
We have two centrally maintained, reusable workflows for Terraform:
A destroy workflow is only needed in specific cases; when it is not needed, disable it in GitHub Actions so it cannot be triggered by accident.
Both workflows use self-hosted runners and contain two jobs: one for generating a plan and one for applying the planned changes. The generated plan should always be reviewed before applying any changes.
Environments are used to describe deployment targets like test, and should be configured with protection rules:
Required reviewers - All environments should specify one or more teams that can approve workflow runs for the repository.
Caution: this protection rule must be added before the workflow is run for the first time. Otherwise, unreviewed changes can be applied by accident.
Deployment branches - can be used to limit which branches can deploy to an environment. This can, for example, be used to only allow changes in production from the
The workflows depend on the following secrets:
Service Principal Client ID - We use OpenID Connect (OIDC) for authentication to Azure, so no client secret or password is stored; only the client ID is needed. This secret is managed in the following repository: gjensidige/terraform-github-repo-credentials.
GitHub access token - If your configuration uses any of Gjensidige's reusable modules, an access token is required to fetch them from GitHub. See Global secrets (Confluence).
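As an added example (this is an illustrative stand-alone workflow, not the centrally maintained reusable workflow, which this page does not reproduce), the following shows the shape described above: a plan job and an apply job on self-hosted runners, the apply bound to the test environment so the required-reviewers rule holds it until an approver signs off, OIDC to Azure using only a client ID, and a token for fetching modules from GitHub. The secret and variable names (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID, MODULES_TOKEN), the runner label, the environment name and the Terraform version are assumptions, not values from this page.

```yaml
# Added example workflow; assumed names are marked. Not Gjensidige's reusable workflow.
name: Terraform (test)

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# id-token: write lets the job request an OIDC token to exchange for an Azure
# access token, so no client secret is stored. Nothing else is granted.
permissions:
  id-token: write
  contents: read

# One run per environment at a time, so two applies never race on the same state.
concurrency:
  group: terraform-test
  cancel-in-progress: false

env:
  ARM_USE_OIDC: "true"
  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}          # assumed secret name
  ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}             # assumed variable name
  ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} # assumed variable name
  TF_IN_AUTOMATION: "true"

jobs:
  plan:
    runs-on: [self-hosted]   # assumed runner label
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.9.x"   # assumed
          terraform_wrapper: false

      # Private module sources are fetched over HTTPS; rewrite github.com URLs so
      # git sends the token. MODULES_TOKEN is an assumed secret name.
      - name: Authenticate module sources
        run: git config --global url."https://x-access-token:${MODULES_TOKEN}@github.com/".insteadOf "https://github.com/"
        env:
          MODULES_TOKEN: ${{ secrets.MODULES_TOKEN }}

      - run: terraform init -input=false
      - run: terraform validate

      # Save the plan as a binary file so the apply job applies exactly what was reviewed.
      - run: terraform plan -input=false -out=tfplan
      - run: terraform show -no-color tfplan > tfplan.txt

      # A saved plan can contain sensitive values; keep the artifact only briefly.
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: |
            tfplan
            tfplan.txt
          retention-days: 1

  apply:
    needs: plan
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    # Binding the job to the environment is what makes the required-reviewers
    # rule pause it until someone from the configured team approves.
    environment: test   # assumed environment name
    runs-on: [self-hosted]
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.9.x"
          terraform_wrapper: false

      - name: Authenticate module sources
        run: git config --global url."https://x-access-token:${MODULES_TOKEN}@github.com/".insteadOf "https://github.com/"
        env:
          MODULES_TOKEN: ${{ secrets.MODULES_TOKEN }}

      - run: terraform init -input=false

      - uses: actions/download-artifact@v4
        with:
          name: tfplan

      # Applying the saved plan fails if the state has drifted since it was
      # generated, so an approved plan cannot silently turn into a different change.
      - run: terraform apply -input=false tfplan
```

Two things to check when adapting this: the azurerm backend must also be configured for OIDC (use_oidc = true, or the same ARM_USE_OIDC environment variable) or terraform init will still ask for a client secret, and the environment's required-reviewers rule must exist before the first push to main, since a job bound to an environment without protection rules runs immediately.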