Create a CI/CD pipeline to validate Terraform configurations by using AWS CodePipeline
Aromal Raj Jayarajan and Vijesh Vijayakumaran Nair, Amazon Web Services
Summary
Notice: AWS CodeCommit is no longer available to new customers. Existing customers of AWS CodeCommit can continue to use the service as normal. Learn more
This pattern shows how to test HashiCorp Terraform configurations by using a continuous integration and continuous delivery (CI/CD) pipeline deployed by AWS CodePipeline.
Terraform is a command-line interface application that helps you use code to provision and manage cloud infrastructure and resources. The solution provided in this pattern creates a CI/CD pipeline that helps you validate the integrity of your Terraform configurations by running five CodePipeline stages:
- "checkout"pulls the Terraform configuration that you’re testing from an AWS CodeCommit repository.
- "validate"runs infrastructure as code (IaC) validation tools, including tfsec- , TFLint - , and checkov - . The stage also runs the following Terraform IaC validation commands: - terraform validateand- terraform fmt.
- "plan"shows what changes will be applied to the infrastructure if the Terraform configuration is applied.
- "apply"uses the generated plan to provision the required infrastructure in a test environment.
- "destroy"removes the test infrastructure that was created during the- "apply"stage.
Prerequisites and limitations
Prerequisites
- An active AWS account 
- AWS Command Line Interface (AWS CLI), installed and configured 
- Git - , installed and configured on your local machine 
- Terraform - , installed and configured on your local machine 
Limitations
- This pattern’s approach deploys AWS CodePipeline into one AWS account and AWS Region only. Configuration changes are required for multi-account and multi-Region deployments. 
- The AWS Identity and Access Management (IAM) role that this pattern provisions (codepipeline_iam_role) follows the principle of least privilege. This IAM role’s permissions must be updated based on the specific resources that your pipeline needs to create. 
Product versions
- AWS CLI version 2.9.15 or later 
- Terraform version 1.3.7 or later 
Architecture
Target technology stack
- AWS CodePipeline 
- AWS CodeBuild 
- AWS CodeCommit 
- AWS IAM 
- Amazon Simple Storage Service (Amazon S3) 
- AWS Key Management Service (AWS KMS) 
- Terraform 
Target architecture
The following diagram shows an example CI/CD pipeline workflow for testing Terraform configurations in CodePipeline.

The diagram shows the following workflow:
- In CodePipeline, an AWS user initiates the actions proposed in a Terraform plan by running the - terraform applycommand in the AWS CLI.
- AWS CodePipeline assumes an IAM service role that includes the policies required to access CodeCommit, CodeBuild, AWS KMS, and Amazon S3. 
- CodePipeline runs the - "checkout"pipeline stage to pull the Terraform configuration from an AWS CodeCommit repository for testing.
- CodePipeline runs the - "validate"stage to test the Terraform configuration by running IaC validation tools and running Terraform IaC validation commands in a CodeBuild project.
- CodePipeline runs the - "plan"stage to create a plan in the CodeBuild project based on the Terraform configuration. The AWS user can review this plan before the changes are applied to the test environment.
- Code Pipeline runs the - "apply"stage to implement the plan by using the CodeBuild project to provision the required infrastructure in the test environment.
- CodePipeline runs the - "destroy"stage, which uses CodeBuild to remove the test infrastructure that was created during the- "apply"stage.
- An Amazon S3 bucket stores pipeline artifacts, which are encrypted and decrypted by using an AWS KMS customer managed key. 
Tools
Tools
AWS services
- AWS CodePipeline helps you quickly model and configure the different stages of a software release and automate the steps required to release software changes continuously. 
- AWS CodeBuild is a fully managed build service that helps you compile source code, run unit tests, and produce artifacts that are ready to deploy. 
- AWS CodeCommit is a version control service that helps you privately store and manage Git repositories, without needing to manage your own source control system. 
- AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them. 
- AWS Key Management Service (AWS KMS) helps you create and control cryptographic keys to help protect your data. 
- Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data. 
Other services
- HashiCorp Terraform - is a command-line interface application that helps you use code to provision and manage cloud infrastructure and resources. 
Code
The code for this pattern is available in the GitHub aws-codepipeline-terraform-cicdsamples
Epics
| Task | Description | Skills required | 
|---|---|---|
| Clone the GitHub repository. | Clone the GitHub aws-codepipeline-terraform-cicdsamples 
 For more information, see Cloning a repository | DevOps engineer | 
| Create a Terraform variable definitions file. | Create a  For more information, see Assigning values to root module variables NoteThe repository’s  | DevOps engineer | 
| Configure AWS as the Terraform provider. | 
 For more information, see AWS provider | DevOps engineer | 
| Update the Terraform provider configuration for creating the Amazon S3 replication bucket. | 
 NoteReplication activates automatic, asynchronous copying of objects across Amazon S3 buckets. | DevOps engineer | 
| Initialize the Terraform configuration. | To initialize your working directory that contains the Terraform configuration files, run the following command in the cloned repository’s root folder: 
 | DevOps engineer | 
| Create the Terraform plan. | To create a Terraform plan, run the following command in the cloned repository’s root folder: 
 NoteTerraform evaluates the configuration files to determine the target state for the declared resources. It then compares the target state against the current state and creates a plan. | DevOps engineer | 
| Verify the Terraform plan. | Review the Terraform plan and confirm that it configures the required architecture in your target AWS account. | DevOps engineer | 
| Deploy the solution. | 
 NoteTerraform creates, updates, or destroys infrastructure to achieve the target state declared in the configuration files. | DevOps engineer | 
| Task | Description | Skills required | 
|---|---|---|
| Set up the source code repository. | 
 | DevOps engineer | 
| Validate the pipeline stages. | 
 For more information, see View pipeline details and history (console) in the AWS CodePipeline User Guide. ImportantWhen a change is committed to the main branch of the source repository, the test pipeline is activated automatically. | DevOps engineer | 
| Verify the report output. | 
 NoteThe  | DevOps engineer | 
| Task | Description | Skills required | 
|---|---|---|
| Clean up the pipeline and associated resources. | To delete the test resources from your AWS account, run the following command in the cloned repository’s root folder: 
 | DevOps engineer | 
Troubleshooting
| Issue | Solution | 
|---|---|
| You receive an AccessDenied error during the  | 
 | 
Related resources
- Module blocks - (Terraform documentation) 
- How to use CI/CD to deploy and configure AWS security services with Terraform - (AWS blog post) 
- Using service-linked roles (IAM documentation) 
- create-pipeline - (AWS CLI documentation) 
- Configure server-side encryption for artifacts stored in Amazon S3 for CodePipeline (AWS CodePipeline documentation) 
- Quotas for AWS CodeBuild (AWS CodeBuild documentation) 
- Data protection in AWS CodePipeline (AWS CodePipeline documentation) 
Additional information
Custom Terraform modules
The following is a list of custom Terraform modules that are used in this pattern:
- codebuild_terraformcreates the CodeBuild projects that form each stage of the pipeline.
- codecommit_infrastructure_source_repocaptures and creates the source CodeCommit repository.
- codepipeline_iam_rolecreates the required IAM roles for the pipeline.
- codepipeline_kmscreates the required AWS KMS key for Amazon S3 object encryption and decryption.
- codepipeline_terraformcreates the test pipeline for the source CodeCommit repository.
- s3_artifacts_bucketcreates an Amazon S3 bucket to manage pipeline artifacts.
Build specification files
The following is a list of build specification (buildspec) files that this pattern uses to run each pipeline stage:
- buildspec_validate.ymlruns the- "validate"stage.
- buildspec_plan.ymlruns the- "plan"stage.
- buildspec_apply.ymlruns the- "apply"stage.
- buildspec_destroy.ymlruns the- "destroy"stage.
Build specification file variables
Each buildspec file uses the following variables to activate different build-specific settings:
| Variable | Default value | Description | 
|---|---|---|
| 
 | "." | Defines the source CodeCommit directory | 
| 
 | "1.3.7" | Defines the Terraform version for the build environment | 
The buildspec_validate.yml file also supports the following variables to activate different build-specific settings:
| Variable | Default value | Description | 
|---|---|---|
| 
 | "./templates/scripts" | Defines the script directory | 
| 
 | "dev" | Defines the environment name | 
| 
 | "Y" | Skips validation on failures | 
| 
 | "Y" | Activates Terraform validate | 
| 
 | "Y" | Activates Terraform format | 
| 
 | "Y" | Activates checkov scan | 
| 
 | "Y" | Activates tfsec scan | 
| 
 | "v1.28.1" | Defines the tfsec version |