{"id":23902691,"url":"https://github.com/mtumilowicz/terraform-remotebackend-workspaces-aws-workshop","last_synced_at":"2026-05-04T23:34:31.529Z","repository":{"id":110879585,"uuid":"416872916","full_name":"mtumilowicz/terraform-remotebackend-workspaces-aws-workshop","owner":"mtumilowicz","description":"Introduction to advanced terraform features: remote backends, workspaces and aws context.","archived":false,"fork":false,"pushed_at":"2024-03-19T18:30:38.000Z","size":139,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-23T10:44:18.721Z","etag":null,"topics":["aws","devops","infrastructure-as-code","terraform","terraform-aws","terraform-live","terraform-managed","terraform-modules","terraform-project","terraform-provider","terraform-remote","terraform-state","workshop","workshop-materials"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mtumilowicz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-10-13T19:29:48.000Z","updated_at":"2021-10-31T17:57:14.000Z","dependencies_parsed_at":"2024-03-09T23:15:54.852Z","dependency_job_id":null,"html_url":"https://github.com/mtumilowicz/terraform-remotebackend-workspaces-aws-workshop","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mtumilowicz/terraform-remotebackend-workspaces-aws-workshop","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fterraform-remotebackend-workspaces
-aws-workshop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fterraform-remotebackend-workspaces-aws-workshop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fterraform-remotebackend-workspaces-aws-workshop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fterraform-remotebackend-workspaces-aws-workshop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mtumilowicz","download_url":"https://codeload.github.com/mtumilowicz/terraform-remotebackend-workspaces-aws-workshop/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtumilowicz%2Fterraform-remotebackend-workspaces-aws-workshop/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261314946,"owners_count":23140176,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","devops","infrastructure-as-code","terraform","terraform-aws","terraform-live","terraform-managed","terraform-modules","terraform-project","terraform-provider","terraform-remote","terraform-state","workshop","workshop-materials"],"created_at":"2025-01-04T22:49:55.582Z","updated_at":"2026-05-04T23:34:26.486Z","avatar_url":"https://github.com/mtumilowicz.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n\n# terraform-workshop\n* references\n    * 
https://discuss.hashicorp.com/t/terraform-0-14-the-dependency-lock-file/15696\n    * https://medium.com/@business_99069/terraform-count-vs-for-each-b7ada2c0b186\n    * https://hub.docker.com/r/danjellz/http-server\n    * https://discuss.hashicorp.com/t/validate-list-object-variables/18291/2\n    * https://github.com/morethancertified/mtc-terraform\n    * https://github.com/edgar-anascimento/terraform-localstack-setup\n    * [[#122​] Terraform i AWS - odtwarzalna infrastruktura w 10 minut - Maciej Rostański](https://www.youtube.com/watch?v=87wIafVYK9I)\n    * [When Terraform alone isn't enough - Marcin Żbik](https://www.youtube.com/watch?v=nR1U9sdcR3k)\n    * [Version-Controlled Infrastructure with GitHub \u0026 Terraform with Seth Vargo](https://www.youtube.com/watch?v=2TWqi7dLSro)\n    * [[#128​] Infrastructure as a Code - AWS + Terraform + Ansible - Daniel Kossakowski](https://www.youtube.com/watch?v=BSHpZcy-BAo)\n    * [DevOps Crash Course (Docker, Terraform, and Github Actions)](https://www.youtube.com/watch?v=OXE2a8dqIAI)\n    * [Terraform Course - Automate your AWS cloud infrastructure](https://www.youtube.com/watch?v=SLB_c_ayRMo)\n    * [Terraform for AWS - Beginner to Expert 2021 (0.12)](https://www.udemy.com/course/terraform-fast-track)\n    * [Learn DevOps: Infrastructure Automation With Terraform](https://www.udemy.com/course/learn-devops-infrastructure-automation-with-terraform)\n    * [More than Certified in Terraform](https://www.udemy.com/course/terraform-certified/)\n    * [Terraform in Action](https://www.manning.com/books/terraform-in-action)\n    * https://www.packer.io/intro\n    * https://www.terraform.io/docs\n    * https://acloudguru.com/hands-on-labs/exploring-terraform-state-functionality\n    * https://www.andreagrandi.it/2017/08/25/getting-latest-ubuntu-ami-with-terraform/\n    * https://learn.hashicorp.com/tutorials/terraform\n    * https://pilotcoresystems.com/insights/what-are-terraform-workspaces\n    * 
https://medium.com/@diogok/terraform-workspaces-and-locals-for-environment-separation-a5b88dd516f5\n    * https://shanidgafur.github.io/blog/terraform-workspaces-for-multi-region-deployment\n\n## preface\n* goals of this workshop\n    * remote backends\n    * workspaces\n    * aws with localstack\n    * secrets management\n* plan for the workshop\n    * preliminary: https://github.com/mtumilowicz/terraform-basics-modules-workshop\n    * fill the scaffolds and follow the hints in directories:\n        1. pt1_remotebackend\n        1. pt2_workspaces\n        1. pt3_aws\n    * note that `docker provider` differs for unix and windows os:\n        ```\n        provider \"docker\" {\n          // host = \"unix:///var/run/docker.sock\" // macos\n          // host = \"npipe:////.//pipe//docker_engine\" // windows\n        }\n        ```\n        you should uncomment the appropriate one\n\n## remote backend\n* in short: where state is stored\n    * example: local or S3\n* when using a non-local backend, terraform will not persist the state anywhere on disk\n    * major benefit: no sensitive values persisted to disk\n    * remark: when writing state to the backend fails - terraform will write the state locally\n* major benefit: keep sensitive information off disk\n    * for example: when you create a database, the initial database password will be in the state file\n* increases security\n    * for example: s3 supports encryption at rest, authentication \u0026 authorization\n\n## workspaces\n* allow you to create different, independent states for the same configuration\n* equivalent of renaming the state file\n    * when working in one workspace, changes will not affect resources in another workspace\n* initially the backend has only one workspace: \"default\"\n* use-cases\n    * testing\n        * for example: a new temporary workspace to freely experiment with changes without affecting the default workspace\n    * multi-region deployment\n        ```\n        provider \"aws\" {\n    
     region = \"${terraform.workspace}\"\n        }\n        ```\n* workspaces alone are not a suitable tool for system decomposition\n    * cannot be used for a \"fully isolated\" setup for multiple environments (staging / testing / prod)\n    * each subsystem should have its own separate configuration and backend (complete separation)\n        * for complete isolation, it's best to create multiple AWS accounts, and use one account for dev, another\n        for prod, and a third one for billing\n\n## secrets management\n* terraform handles a lot of secrets - more than most people realize\n    * example: database passwords, personal identification information (PII), encryption keys...\n    * sensitive information will inevitably find its way into Terraform no matter what you do\n        * you should treat the state file as sensitive and secure it accordingly\n            * gate who has access to it\n            * encryption at rest\n            * encrypting data in transit (SSL/TLS)\n            * most of it enabled by default for S3\n* all sensitive data is put in the state file (stored as plaintext JSON)\n* only three configuration blocks can store stateful information (sensitive or otherwise)\n    * resources\n    * data sources\n    * and output values\n    * other kinds of configuration blocks do not store stateful data\n        * but may leak sensitive information in other ways\n        * at least: not saving sensitive information to the state file\n* example\n    * https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance\n    ```\n    resource \"aws_db_instance\" \"default\" {\n      allocated_storage    = 10\n      engine               = \"mysql\"\n      engine_version       = \"5.7\"\n      instance_class       = \"db.t3.micro\"\n      name                 = \"mydb\"\n      username             = \"foo\" // required\n      password             = \"foobarbaz\" // required\n      parameter_group_name = \"default.mysql5.7\"\n    
  skip_final_snapshot  = true\n    }\n    ```\n* static secrets\n    * are sensitive values that do not change (at least not often)\n    * in general: most secrets\n    * two major ways to pass static secrets into Terraform\n        * as environment variables\n            * should be used whenever possible\n            * example: aws-vault\n            * digression: for an RDS database you have to set username and password as Terraform variables - there is no\n            option for environment variables\n        * as Terraform variables (a very bad idea)\n            * example\n                ```\n                provider \"aws\" {\n                  region = \"us-west-2\"\n                  access_key = var.access_key // required, but can be sourced from the AWS_ACCESS_KEY_ID environment variable\n                  secret_key = var.secret_key // required, but can be sourced from the AWS_SECRET_ACCESS_KEY environment variable\n                }\n                ```\n    * sensitive variables can be defined by setting the sensitive argument to true\n        * example\n            ```\n            variable \"db_username\" {\n              description = \"Database administrator username\"\n              type        = string\n              sensitive   = true\n            }\n            ```\n        * appear in state but are redacted from CLI output\n        * prevents users from accidentally exposing secrets but does not stop motivated individuals\n            * you could just redirect var.db_username to a local_file\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmtumilowicz%2Fterraform-remotebackend-workspaces-aws-workshop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmtumilowicz%2Fterraform-remotebackend-workspaces-aws-workshop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmtumilowicz%2Fterraform-remotebackend-workspaces-aws-workshop/lists"}