Terraform steps

I wanted to check on the availability of using an Azure subscription with the built in terraform steps. Right now I’m using the Azure Powershell step template to gain access to the subscription values, but the native step has some features I’d like to make use of. While you’re at it, why not open source the step. I have a few other things I’d love to see in there and would be happy to contribute.

Also, if you’ve put together a .net or powershell HCL parser and want to open source that as well I’d certainly be interested. Otherwise I’ll be putting something together myself.

Thanks a bunch!


Thanks for getting in touch.

We do have plans to extend the terraform steps to include other cloud platforms such as Azure, and while there’s no ETA on that at this time, that is part of our larger goal for this feature.

Unfortunately our built-in steps aren’t something we can easily open source, partly due to complexities around extensibility. With regards to our HCL parser, we’ll definitely consider making this open source (I’ve added it to our team’s backlog), but we’d most likely consider this move when we’re ready to integrate with additional platforms. At this point we’re interested in monitoring the feature’s usage on AWS, so we’re glad to hear about your interest in terraform with Azure :slight_smile:

Sorry we can’t be of more help at this stage, but we’re hopefully heading in the right direction at least.


Yeah, I definitely like the stuff you’ve done so far with the existing step templates. The integration with input and output variables is great. Do you have any suggestions on how I could get the existing steps to work with our Azure credentials? I’m packaging the .terraform folder with the backend already initialized on our build server.

So far I only put the storage account properties in the backend configuration and pass the Azure credentials into init at the command line. I recently did some work on the VSTS terraform extension to enhance the workflow with VSTS using an Azure backend. I’m obviously a bit biased, but I think extending the Octopus steps to have some of the same features would be great (passing in additional arguments, partial backend config, etc.).

Thanks for the feedback. I’ve added some notes to our internal card regarding Azure terraform so this won’t get forgotten.

Currently the built-in terraform steps shell out to the AWS cli on the Octopus Server, which sets some environment variables. Terraform cli then reads the environment variables specific for AWS, so we were thinking you may be able to script some user-level environment variables in an earlier step and trick it into using Azure instead, but the terraform step UI all revolves around an AWS variable defined in your project, so it starts getting quite complicated to sub-out AWS for Azure in this case. The Octopus step itself needs to provide those additional options. At this point our recommendation is to wait for first-class Azure terraform support, sorry :slight_smile:

Thanks for open sourcing the HCL parser. Haven’t pulled it down yet but I’m glad it’s there when I need it.

On the other hand, not having the first-class support for using terraform with azure is making life really difficult. We’re currently using the azure powershell step to make the azure subscription values available and loading them as environment variables to allow terraform to auth. That doesn’t help us too much since we’re now at the point where we’d really like to use octopus to pass in sensitive values and it seems like that would be very simple using the native steps. So far not simple using the azure powershell approach. Not sure if there would be any issues since you’re using the aws cli but in the azure powershell step it’s as simple as

$env:ARM_SUBSCRIPTION_ID = $OctopusParameters["Octopus.Action.Azure.SubscriptionId"]
$env:ARM_TENANT_ID = $OctopusParameters["Octopus.Action.Azure.TenantId"]
$env:ARM_CLIENT_ID = $OctopusParameters["Octopus.Action.Azure.ClientId"]
$env:ARM_CLIENT_SECRET = $OctopusParameters["Octopus.Action.Azure.Password"]

If injecting the azure values and loading them into the environment works I feel like that would be a super simple update and would help us out quite a bit. Thanks for your time.

I wanted to share my current work-around in case it can help anyone. I’m using the TF_VAR convention to get octopus variable values into terraform while using a template based on the the azure powershell step.

Code from the step looks like this:

Push-Location $PlanPath
Get-Variable TF_VAR* | %{Set-Item -Path "env:\$($_.Name)" -Value $_.Value}
$env:ARM_SUBSCRIPTION_ID = $OctopusParameters["Octopus.Action.Azure.SubscriptionId"]
$env:ARM_TENANT_ID = $OctopusParameters["Octopus.Action.Azure.TenantId"]
$env:ARM_CLIENT_ID = $OctopusParameters["Octopus.Action.Azure.ClientId"]
$env:ARM_CLIENT_SECRET = $OctopusParameters["Octopus.Action.Azure.Password"]

terraform apply -no-color -auto-approve

Then I can create variables that look like this and everything works appropriately.


Thanks for sharing your workaround and thanks for the feedback on Azure terraform. The team will be taking this into consideration when looking at this feature.

I also use a workaround, by adding an octopus_override.tf file in my script package with an automagic comment syntax that appears as comments when run locally but has values from octopus variables when run under Octopus. Then I put the Azure creds in a Azure account variable called AzureAccount and some backend config values in as well. From there I can just use the native Terraform Apply steps.

It looks like this:

/*  The following section is just a comment if invoked with 
 *  terraform, however after being proceesed by Octopus
 *  Deploy it will be uncommented and substitued. This
 *  allows octopus to apply subscription and backend config */

/* OCTOPUS ONLY *#{if AzureAccount}/#{/if}

  # Apply the AzureRM provider configuration for the Service Principal
  provider "azurerm" {
    subscription_id = "#{AzureAccount.SubscriptionNumber}"
    client_id       = "#{AzureAccount.Client}"
    client_secret   = "#{AzureAccount.Password}"
    tenant_id       = "#{AzureAccount.TenantId}"

  # Apply the backend config for Azure Storage Account
  terraform {
    backend "azurerm" {
      storage_account_name = "#{terraform.backend.storage_account_name}"
      container_name       = "#{terraform.backend.container_name}"
      key                  = "#{terraform.backend.key}"
      access_key           = "#{terraform.backend.access_key}"

1 Like