This document provides detailed usage instructions for the Terraform Development Environment.
- Getting Started
- Working with Terraform
- Cloud Provider Authentication
- Using Pre-commit Hooks
- VS Code Tasks and Extensions
- Advanced Configuration
- Best Practices
- Troubleshooting
- Open VS Code in the project directory
- Click on the green icon in the bottom-left corner
- Select "Reopen in Container"
- Wait for the container to build and initialize
Once the container is running, you'll see a welcome message with information about the installed tools and their versions. The following steps are recommended for initial setup:
- Configure cloud provider authentication (see Cloud Provider Authentication)
- Install pre-commit hooks:

pre-commit install

- Initialize Terraform:

terraform init
# Initialize Terraform
terraform init
# Format Terraform code
terraform fmt -recursive
# Validate Terraform code
terraform validate
# Plan changes
terraform plan -out=tfplan
# Apply changes
terraform apply tfplan
# Destroy infrastructure
terraform destroy

You can use Terraform workspaces or directory structures to manage multiple environments:
# Create workspaces
terraform workspace new dev
terraform workspace new staging
terraform workspace new prod
# List workspaces
terraform workspace list
# Select a workspace
terraform workspace select dev
# Run Terraform commands in the selected workspace
terraform plan -out=tfplan

project/
├── environments/
│   ├── dev/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── terraform.tfvars
│   ├── staging/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── terraform.tfvars
│   └── prod/
│       ├── main.tf
│       ├── variables.tf
│       └── terraform.tfvars
└── modules/
    ├── networking/
    ├── compute/
    └── storage/

Workspaces share one backend and provider configuration and differ only in the state key Terraform writes to, so they do not isolate production state or credentials from development. Separate environment directories, each with its own backend, give you that isolation at the cost of some duplication.
The environment includes Terragrunt for managing Terraform configurations:
# Initialize Terragrunt
terragrunt init
# Plan changes
terragrunt plan -out=tfplan
# Apply changes
terragrunt apply tfplan

# Basic authentication
.devcontainer/scripts/aws-auth.sh
# Authentication with profile
.devcontainer/scripts/aws-auth.sh --profile myprofile
# Authentication with region
.devcontainer/scripts/aws-auth.sh --region us-west-2
# Authentication with SSO
.devcontainer/scripts/aws-auth.sh --sso

# Basic authentication (interactive)
.devcontainer/scripts/azure-auth.sh
# Authentication with subscription
.devcontainer/scripts/azure-auth.sh --subscription 00000000-0000-0000-0000-000000000000
# Authentication with service principal
.devcontainer/scripts/azure-auth.sh \
--service-principal \
--tenant 00000000-0000-0000-0000-000000000000 \
--client-id 00000000-0000-0000-0000-000000000000 \
--client-secret "your-client-secret"

Passing --client-secret on the command line leaves the secret in your shell history and exposes it in the process list while the script runs. Prefer the interactive login when a person is at the keyboard, and keep service principal secrets short-lived.

# Basic authentication (interactive)
.devcontainer/scripts/gcp-auth.sh
# Authentication with project
.devcontainer/scripts/gcp-auth.sh --project my-project-id
# Authentication with service account key
.devcontainer/scripts/gcp-auth.sh --credentials /path/to/service-account-key.json

pre-commit install

# Run on all files
pre-commit run --all-files
# Run specific hook
pre-commit run terraform_fmt --all-files

- terraform_fmt: Format Terraform files
- terraform_validate: Validate Terraform files
- terraform_docs: Generate documentation for Terraform modules
- terraform_tflint: Run TFLint
- terraform_tfsec: Run TFSec
- terraform_checkov: Run Checkov
- shellcheck: Check shell scripts
- gitleaks: Detect secrets in code
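To make concrete what the gitleaks hook is doing for you, here is a small pre-commit style scanner added for this guide. It is not the gitleaks hook itself and is not part of this project; it checks staged files for a few credential shapes (AWS key IDs, AWS secret keys, Azure client secrets, PEM private keys) and honours an allowlist comment, which is the same idea gitleaks implements with far more patterns. The pattern list, the `secret-scan:allow` marker and the sample file written by `demo_scan` are all constructed for the example; the AWS values in the sample are the documentation placeholders AWS publishes, not real keys.

```shell
#!/usr/bin/env sh
# scan-secrets.sh: a pre-commit style check for hard-coded cloud credentials in
# Terraform and env files. Added example for this guide, not the gitleaks hook the
# container installs; it shows the kind of pattern such a hook matches and how an
# allowlist comment works. The sample file written by demo_scan is constructed.

# One extended regex per line. Each pattern is tied to a credential *shape* or to the
# attribute name it is assigned to, which keeps false positives down.
SECRET_PATTERNS='(AKIA|ASIA)[0-9A-Z]{16}
(aws_)?secret_(access_)?key[[:space:]]*=[[:space:]]*"?[A-Za-z0-9/+=]{40}"?
(client_secret|ARM_CLIENT_SECRET)[[:space:]]*=[[:space:]]*"?[^"[:space:]]{8,}"?
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'

# Lines carrying this marker are accepted (use it for documented placeholders).
ALLOW_MARKER='secret-scan:allow'

# scan_file FILE: prints "FILE:LINE:text" for every hit; returns 1 if there were any.
scan_file() {
  hits=$(printf '%s\n' "$SECRET_PATTERNS" | while IFS= read -r pattern; do
    grep -HnE -- "$pattern" "$1" 2>/dev/null | grep -v -- "$ALLOW_MARKER" || true
  done)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# scan_staged: the hook entry point; checks every file staged for commit.
scan_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    [ -f "$f" ] || continue
    scan_file "$f" || status=1
  done
  [ "$status" -eq 0 ] || echo "Refusing commit: possible credentials found" >&2
  return "$status"
}

# demo_scan: writes a constructed sample file and prints the number of hits found.
# Expected: 4 (the allowlisted client_secret line is skipped).
demo_scan() {
  sample=$(mktemp)
  cat > "$sample" <<'EOF'
provider "aws" {
  region     = "us-west-2"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
provider "azurerm" {
  client_secret = "your-client-secret" # secret-scan:allow
}
ARM_CLIENT_SECRET=a-real-looking-value-123
private_key = "-----BEGIN RSA PRIVATE KEY-----"
EOF
  scan_file "$sample" | wc -l | tr -d ' '
  rm -f "$sample"
}
```

Wire `scan_staged` in as a local hook if you want it alongside gitleaks, but treat it as a second opinion rather than a replacement: gitleaks covers many more providers and token formats and checks entropy as well as shape.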
- Press Ctrl+Shift+P (or Cmd+Shift+P on macOS)
- Select "Tasks: Run Task"
- Choose the task you want to run
- Terraform: Init - Initialize a Terraform working directory
- Terraform: Plan - Generate and show an execution plan
- Terraform: Apply - Build or change infrastructure
- Terraform: Destroy - Destroy Terraform-managed infrastructure
- Terraform: Validate - Validate the Terraform files
- Terraform: Format - Rewrite Terraform configuration files to canonical format
- TFLint: Run - Run TFLint for static analysis
- TFSec: Run - Run TFSec for security scanning
- Checkov: Run - Run Checkov for compliance checks
- Pre-commit: Run All Hooks - Run all pre-commit hooks
- AWS: Login - Login to AWS
- Azure: Login - Login to Azure
- GCP: Login - Login to GCP
- HashiCorp Terraform
- Azure Terraform
- Terraform doc snippets
- YAML support
- Git integration (GitLens, Git Graph, Git History)
- Remote Containers
- Code Spell Checker
- Markdown All in One
- And more...
Edit .devcontainer/config/terraform.env to customize environment variables:
# Terraform Configuration
TF_PLUGIN_CACHE_DIR=/home/vscode/.terraform.d/plugin-cache
TF_CLI_ARGS_init="--upgrade"
TF_CLI_ARGS_plan="-compact-warnings"
TF_CLI_ARGS_apply="-compact-warnings"
# TF_LOG=DEBUG
# AWS Provider Configuration
AWS_PROFILE=default
AWS_REGION=us-west-2
AWS_SDK_LOAD_CONFIG=1
# Azure Provider Configuration
ARM_SUBSCRIPTION_ID=your-subscription-id
ARM_TENANT_ID=your-tenant-id
ARM_CLIENT_ID=your-client-id
ARM_CLIENT_SECRET=your-client-secret
# GCP Provider Configuration
GOOGLE_APPLICATION_CREDENTIALS=/home/vscode/.config/gcloud/application_default_credentials.json
CLOUDSDK_CORE_PROJECT=your-project-id

Two things to keep in mind with this file. The ARM_* placeholders are where a real client secret ends up if you fill them in, so if .devcontainer/config/terraform.env is tracked in git, leave the placeholders in place and supply real values from your shell environment or a secret manager instead (the gitleaks hook is there to catch this, but only runs if you installed it). TF_CLI_ARGS_init="--upgrade" makes every terraform init run with -upgrade, which moves providers to the newest version allowed by your constraints and rewrites .terraform.lock.hcl; drop it if you rely on the lock file for reproducible builds.

Edit .tflint.hcl to customize TFLint rules:
# Enable or disable specific rules
rule "terraform_deprecated_interpolation" {
enabled = true
}
rule "terraform_unused_declarations" {
enabled = true
}
# Enable rules that are off by default (terraform_naming_convention ships with the terraform ruleset but is disabled unless you turn it on)
rule "terraform_naming_convention" {
enabled = true
format = "snake_case"
}

To add custom tools, create a new script in .devcontainer/library-scripts/ and update the Dockerfile:
# Install custom tool
COPY library-scripts/custom-tool.sh /tmp/library-scripts/
RUN chmod +x /tmp/library-scripts/custom-tool.sh
RUN /tmp/library-scripts/custom-tool.sh

- Never commit credentials: Use environment variables or credential helpers
- Regularly rotate credentials: Especially for service accounts
- Use least privilege: Grant only the permissions needed
- Enable MFA: Use multi-factor authentication for cloud providers
- Scan for secrets: Use pre-commit hooks to detect secrets
- Use modules: Organize code into reusable modules
- Version pinning: Pin provider and module versions
- Use remote state: Store state in a remote backend
- Use variables: Parameterize your configurations
- Document your code: Use terraform-docs to generate documentation
- Use branches: Create feature branches for changes
- Run pre-commit hooks: Validate code before committing
- Review plans: Always review Terraform plans before applying
- Use workspaces or environments: Separate development, staging, and production
- Automate testing: Use automated testing for Terraform code
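Two of the practices above ("Use workspaces or environments" and "Review plans") are easy to state and easy to skip under time pressure, so here is a wrapper, added for this guide and not part of the devcontainer project, that enforces both before `terraform apply`. It refuses to run when the AWS account the CLI is authenticated to (the same `aws sts get-caller-identity` check used in Troubleshooting) is not the one mapped to the chosen environment directory, and it refuses when the saved plan deletes a resource of a protected type. The environment-to-account map, the protected-type list and `SAMPLE_PLAN_JSON` are constructed for the example; the JSON fields it reads (`resource_changes[].address` and `resource_changes[].change.actions`) are the ones `terraform show -json` emits.

```shell
#!/usr/bin/env sh
# safe-apply.sh: guard rails around `terraform apply` in a per-environment layout.
# Added example written for this guide; it is not part of the devcontainer project.
# It refuses to apply when (1) the AWS account the CLI is authenticated to is not the
# one mapped to the chosen environment, or (2) the saved plan deletes a resource of a
# protected type. The account map, protected-type list and SAMPLE_PLAN_JSON are
# constructed; the JSON fields read are those of `terraform show -json`.

# Hypothetical environment -> AWS account ID map (fails for unknown environments).
expected_account() {
  case "$1" in
    dev)     echo 111111111111 ;;
    staging) echo 222222222222 ;;
    prod)    echo 333333333333 ;;
    *)       return 1 ;;
  esac
}

# check_account ENV: compare the caller identity with the account mapped to ENV.
check_account() {
  want=$(expected_account "$1") || { echo "unknown environment: $1" >&2; return 1; }
  have=$(aws sts get-caller-identity --query Account --output text) || return 1
  if [ "$have" != "$want" ]; then
    echo "refusing: authenticated to account $have, but $1 expects $want" >&2
    return 1
  fi
}

# Resource types whose deletion (including delete+create replacement) needs a human.
PROTECTED_TYPES="aws_s3_bucket aws_db_instance aws_kms_key"

is_protected() {
  for t in $PROTECTED_TYPES; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# resource_type ADDRESS: "module.app.aws_instance.web[0]" -> "aws_instance"
resource_type() {
  addr=${1%\[*}               # drop a trailing [index]
  addr=${addr%.*}             # drop the resource name
  printf '%s\n' "${addr##*.}" # the last remaining segment is the type
}

# plan_violations < plan.json: print "ADDRESS ACTIONS" for each protected deletion.
# Terraform emits "address" before "change":{"actions":[...]} in every entry, so the
# grep output alternates address, actions, address, actions, ...
plan_violations() {
  q='"'
  address=""
  grep -o -e '"address":"[^"]*"' -e '"actions":\[[^]]*\]' |
  while IFS= read -r line; do
    case "$line" in
      '"address":'*)
        address=${line#*:$q}
        address=${address%$q}
        ;;
      '"actions":'*'"delete"'*)
        if is_protected "$(resource_type "$address")"; then
          printf '%s %s\n' "$address" "${line#*:}"
        fi
        ;;
    esac
  done
}

# safe_apply ENV: run inside environments/ENV after authenticating.
safe_apply() {
  check_account "$1" || return 1
  terraform plan -out=tfplan || return 1
  terraform show -json tfplan > tfplan.json || return 1
  violations=$(plan_violations < tfplan.json)
  if [ -n "$violations" ]; then
    printf 'refusing to apply, plan deletes protected resources:\n%s\n' "$violations" >&2
    return 1
  fi
  terraform apply tfplan
}

# Constructed sample in the shape of `terraform show -json` output, for trying
# plan_violations without a real plan: only the S3 bucket deletion is reported,
# the aws_instance replacement and the aws_s3_bucket update are allowed through.
SAMPLE_PLAN_JSON='{"format_version":"1.2","resource_changes":[{"address":"aws_s3_bucket.logs","mode":"managed","type":"aws_s3_bucket","change":{"actions":["delete"]}},{"address":"module.app.aws_instance.web[0]","mode":"managed","type":"aws_instance","change":{"actions":["delete","create"]}},{"address":"aws_s3_bucket.assets","mode":"managed","type":"aws_s3_bucket","change":{"actions":["update"]}}]}'
```

Run it as `cd environments/prod && safe_apply prod` after `aws-auth.sh`. The plan parsing leans on the field order and compact layout of Terraform's JSON output; if you have jq in the image, replacing `plan_violations` with a jq filter over `.resource_changes[]` is the more robust choice, but the guard logic stays the same.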
Issue: Unable to authenticate with cloud provider
Solution: Check your credentials and ensure they are properly configured
# Check AWS credentials
aws sts get-caller-identity
# Check Azure credentials
az account show
# Check GCP credentials
gcloud auth list

Issue: Terraform init fails
Solution: Check your backend configuration and credentials
# Initialize with debug logging
TF_LOG=DEBUG terraform init

Issue: Terraform plan/apply fails
Solution: Check your provider configuration and credentials
# Plan with debug logging
TF_LOG=DEBUG terraform plan

Debug logs include provider request and response bodies, which can carry credentials and state values; redact them before sharing.

Issue: Container fails to build
Solution: Check Docker logs and ensure Docker has enough resources
# Check Docker logs
docker logs <container-id>

Issue: Volume mounts not working
Solution: Check permissions and ensure the directories exist on the host
# Check permissions
ls -la ~/.aws ~/.azure ~/.config/gcloud ~/.ssh

If you encounter issues not covered in this guide, please:
- Check the documentation for the specific tool
- Search for the error message online
- Check the GitHub issues for this project
- Reach out to the community for help