Workspace Variables and Settings in HCP Terraform
Why Workspace Variables and Settings Matter
Workspace variables and settings are fundamental to managing infrastructure configurations in HCP Terraform. They allow teams to customize Terraform runs, manage sensitive data securely, and maintain consistency across different environments. Understanding these concepts is crucial for the Terraform Associate exam and real-world infrastructure management.
What Are Workspace Variables?
Workspace variables in HCP Terraform are values that can be passed to Terraform configurations during plan and apply operations. There are two primary types:
1. Terraform Variables
These correspond to input variables defined in your Terraform configuration (variables declared with the variable block). HCP Terraform passes them to Terraform in a way equivalent to using the -var flag on the command line.
2. Environment Variables
These are shell environment variables available during Terraform execution. They are commonly used for:
- Provider authentication (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
- Configuring Terraform behavior (e.g., TF_LOG for debugging)
- Setting provider-specific configurations
How Workspace Variables Work
When you configure variables in an HCP Terraform workspace:
1. Variable Definition: You define variables through the UI, API, or by uploading a variables file
2. Sensitive Marking: Variables can be marked as sensitive, which encrypts them and prevents them from being displayed in logs or the UI
3. Variable Precedence: Workspace variables can override values set in terraform.tfvars files or variable defaults
4. Execution: During a Terraform run, HCP Terraform injects these variables into the execution environment
Key Workspace Settings
Execution Mode:
- Remote: Terraform runs execute on HCP Terraform's infrastructure
- Local: Terraform runs execute on your local machine while state is stored remotely
- Agent: Runs execute on self-hosted agents within your infrastructure
Auto Apply:
When enabled, successful plans are applied automatically. When turned off, plans require manual approval before applying.
Terraform Version:
Specifies which version of Terraform to use for runs in the workspace.
Working Directory:
Defines the directory containing the Terraform configuration files when your repository has multiple configurations.
Variable Categories and Scope
- Workspace Variables: Apply only to a specific workspace
- Variable Sets: Collections of variables that can be applied to multiple workspaces, useful for sharing common configurations like provider credentials across projects
Sensitive Variables
Sensitive variables are:
- Encrypted at rest
- Write-only (cannot be read after creation)
- Masked in plan and apply logs
- Essential for storing credentials and secrets
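The settings and variable types described above, written as configuration. This is an added example, not part of the original guide: it assumes the hashicorp/tfe provider (which the guide does not mention), and the organization, workspace, variable names and version value are hypothetical.

```hcl
terraform {
  required_providers {
    tfe = { source = "hashicorp/tfe" }
  }
}

variable "aws_secret_access_key" {
  type      = string
  sensitive = true # redacted in this configuration's own plan output
}

resource "tfe_workspace" "app" {
  name              = "app-prod"    # hypothetical
  organization      = "example-org" # hypothetical
  auto_apply        = false         # plans wait for manual approval
  terraform_version = "1.9.0"       # sample value
  working_directory = "environments/prod"
}

resource "tfe_workspace_settings" "app" {
  workspace_id   = tfe_workspace.app.id
  execution_mode = "remote" # or "local" / "agent"
}

# Terraform variable: maps to `variable "instance_type"` in the workspace's code.
resource "tfe_variable" "instance_type" {
  workspace_id = tfe_workspace.app.id
  category     = "terraform"
  key          = "instance_type"
  value        = "t3.small"
}

# Variable set: shared provider credentials, attached per workspace.
resource "tfe_variable_set" "aws" {
  name         = "aws-credentials"
  organization = "example-org"
}

# Sensitive environment variable: write-only in HCP Terraform, masked in logs.
# The value is still written to the state of THIS managing configuration,
# so that state needs the same protection as the secret itself.
resource "tfe_variable" "aws_secret" {
  variable_set_id = tfe_variable_set.aws.id
  category        = "env"
  key             = "AWS_SECRET_ACCESS_KEY"
  value           = var.aws_secret_access_key
  sensitive       = true
}

resource "tfe_workspace_variable_set" "app_aws" {
  workspace_id    = tfe_workspace.app.id
  variable_set_id = tfe_variable_set.aws.id
}
```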
Exam Tips: Answering Questions on Workspace Variables and Settings
1. Know the Two Variable Types: Remember that Terraform variables map to your configuration's input variables, while environment variables are for shell-level settings and provider authentication.
2. Understand Sensitive Variable Behavior: Sensitive variables cannot be viewed after being set. They appear as write-only values. This is a common exam topic.
3. Variable Precedence: Workspace variables take precedence over terraform.tfvars files. Understanding this order is frequently tested.
4. Variable Sets vs Workspace Variables: Know that variable sets allow sharing variables across multiple workspaces, making them ideal for organization-wide credentials.
5. Execution Modes: Be clear on the differences between remote, local, and agent execution modes. Remote is the default and runs on HCP Terraform infrastructure.
6. Auto Apply Setting: Remember that auto apply is turned off by default for safety. Manual confirmation is required unless explicitly enabled.
7. Environment Variable Prefix: For Terraform variables set via environment variables, remember they must be prefixed with TF_VAR_ followed by the variable name.
8. Common Exam Scenarios: Questions often present scenarios about storing provider credentials securely (use sensitive environment variables) or sharing configurations across workspaces (use variable sets).