Infrastructure as Code with Terraform and GitLab (FREE)
With Terraform in GitLab, you can use GitLab authentication and authorization with your GitOps and Infrastructure-as-Code (IaC) workflows. Use these features if you want to collaborate on Terraform code within GitLab or would like to use GitLab as a Terraform state storage that incorporates best practices out of the box.
Integrate your project with Terraform
SAST test was introduced in GitLab 14.6.
In GitLab 14.0 and later, to integrate your project with Terraform, add the following
to your .gitlab-ci.yml
file:
include:
- template: Terraform.latest.gitlab-ci.yml
variables:
# If you do not use the GitLab HTTP backend, remove this line and specify TF_HTTP_* variables
TF_STATE_NAME: default
TF_CACHE_KEY: default
# If your terraform files are in a subdirectory, set TF_ROOT accordingly
# TF_ROOT: terraform/production
The Terraform.latest.gitlab-ci.yml
template:
- Uses the latest GitLab Terraform image.
- Uses the GitLab-managed Terraform state as the Terraform state storage backend.
- Creates four pipeline stages:
test
,validate
,build
, anddeploy
. These stages run the Terraform commandstest
,validate
,plan
,plan-json
, andapply
. Theapply
command only runs on the default branch. - Runs the Terraform SAST scanner,
that you can disable by creating a
SAST_DISABLED
environment variable and setting it to1
.
You can override the values in the default template by updating your .gitlab-ci.yml
file.
The latest template might contain breaking changes between major GitLab releases. For a more stable template, we recommend:
This video from January 2021 walks you through all the GitLab Terraform integration features:
GitLab-managed Terraform state
Terraform remote backends enable you to store the state file in a remote, shared store. GitLab uses the Terraform HTTP backend to securely store the state files in local storage (the default) or the remote store of your choice.
The GitLab-managed Terraform state backend can store your Terraform state easily and securely. It spares you from setting up additional remote resources like Amazon S3 or Google Cloud Storage. Its features include:
- Supporting encryption of the state file both in transit and at rest.
- Locking and unlocking state.
- Remote Terraform plan and apply execution.
Read more about setting up and using GitLab-managed Terraform states.
Terraform module registry
GitLab can be used as a Terraform module registry to create and publish Terraform modules to a private registry specific to your top-level namespace.
Terraform integration in merge requests
Collaborating around Infrastructure as Code (IaC) changes requires both code changes and expected infrastructure changes to be checked and approved. GitLab provides a solution to help collaboration around Terraform code changes and their expected effects using the merge request pages. This way users don't have to build custom tools or rely on 3rd party solutions to streamline their IaC workflows.
Read more on setting up and using the merge request integrations.
The GitLab Terraform provider
WARNING: The GitLab Terraform provider is released separately from GitLab. We are working on migrating the GitLab Terraform provider for GitLab.com.
You can use the GitLab Terraform provider to manage various aspects of GitLab using Terraform. The provider is an open source project, owned by GitLab, where everyone can contribute.
The documentation of the provider is available as part of the official Terraform provider documentation.
Create a new cluster through IaC (DEPRECATED)
Learn how to create a new cluster on Google Kubernetes Engine (GKE).
NOTE: The linked tutorial connects the cluster to GitLab through cluster certificates, and this method was deprecated in GitLab 14.5. You can still create a cluster through IaC and then connect it to GitLab through the agent, the default and fully supported method to connect clusters to GitLab.
Troubleshooting
See the troubleshooting documentation.