14

I'm quite new to Terraform, though I have gone through all of the instructional modules available on Hashicorp's site.

Currently, I'm struggling with understanding how to set up environment variables. I know how to reference variables in the main.tf config (access_key = "${var.access_key}"), and I know how to save that access key to a separate file and reference that, but what I don't understand (and can't find any documentation/instruction on) is how to set up environment variables so I don't have to save the access key to a file.

Does anyone know how best to go about doing this?

ydaetskcoR
Neal

4 Answers

18

Terraform can infer the following environment variables for AWS

export AWS_ACCESS_KEY_ID="anaccesskey"
export AWS_SECRET_ACCESS_KEY="asecretkey"

Ref: https://www.terraform.io/docs/providers/aws/#environment-variables

But I would suggest trying the AWS Profile. You can add credentials to ~/.aws/credentials file like

[myprofile]
aws_access_key_id     = anaccesskey
aws_secret_access_key = asecretkey

and then you can set environment variable export AWS_PROFILE=myprofile. Now, if you run terraform from this shell, it should pick credentials listed under myprofile.

Also, you can have your AWS Provider code as follows:

provider "aws" {
  profile = "myprofile"
  region  = "${var.region}"
}

In my experience, interacting with AWS using profile is easy and better than setting environment variables on each shell.

You can refer to an example here https://github.com/pradeepbhadani/tf-examples/blob/master/ex2/provider.tf

Hope this helps.

Pradeep Bhadani
  • 1
    Thanks for providing these suggestions. I am trying to get this working in Azure though, just as a proof of concept. I might take a look at AWS Vault at some point in the future. – Neal Mar 12 '19 at 16:55
8

Some providers allow you to set provider credentials/configuration via environment variables directly. For example, in the case of the AWS provider you can use the AWS SDK environment variables as mentioned in the AWS provider documentation:

You can provide your credentials via the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, environment variables, representing your AWS Access Key and AWS Secret Key, respectively.

With example usage shown as:

$ export AWS_ACCESS_KEY_ID="anaccesskey"
$ export AWS_SECRET_ACCESS_KEY="asecretkey"
$ export AWS_DEFAULT_REGION="us-west-2"
$ terraform plan

For the Azure provider most of the provider config can be set by environment variables without needing to be defined in the provider configuration:

$ export ARM_CLIENT_ID="aclientid"
$ export ARM_SUBSCRIPTION_ID="asubscriptionid"
$ export ARM_TENANT_ID="atenantid"
$ terraform plan

In the more general case, Terraform will automatically load any defined variables that are prefixed with TF_VAR_.

So if you have something like this:

variable "foo" {}

You can set the value by exporting the TF_VAR_foo environment variable:

export TF_VAR_foo=bar
ydaetskcoR
  • Thanks for the quick response! Just to provide a bit more detail, I am using the AzureRM Provider, and for reference, here is some of my main.tf configuration: provider "azurerm" { version = "=1.20.0" access_key = "${var.access_key}" region = "${var.region}" } This is my variables.tf config file: variable "access_key" {} variable "region" { default = "eastus" } I... guess I am still uncertain how to go about assigning my access key to the ${var.access_key} variable. I must be missing something. Sorry for being dense! – Neal Mar 07 '19 at 20:35
  • Also apologies, not sure how to get formatting to cooperate for these comments! – Neal Mar 07 '19 at 20:35
  • The Azure provider doesn't take an `access_key` parameter. It's probably worth reading the [AzureRM provider docs](https://www.terraform.io/docs/providers/azurerm/) quickly to get a better understanding of how to use it. – ydaetskcoR Mar 07 '19 at 20:44
  • Ah, that makes sense. Perhaps I am actually phrasing my question incorrectly. So, reference this article (https://learn.microsoft.com/en-us/azure/terraform/terraform-backend), that is basically what I am trying to do. I'm just trying to get the Azure Storage account access key stored in Azure Key Vault, and I am not able to get the export ARM_ACCESS_KEY= command to run correctly. – Neal Mar 07 '19 at 21:51
  • It seems like you're doing two different things. Remove any reference to 'access_key' from your tf files and then try running `export ARM_ACCESS_KEY=` before `tf plan` – Stefan R Mar 08 '19 at 10:56
  • So, I tried that out, but I am unable to run the export export ARM_ACCESS_KEY= command. It says 'export' is not recognized as an internal or external command, operable program or batch file. Any ideas on how to get this to cooperate? – Neal Mar 12 '19 at 16:54
  • If you do not have the `export` command then you're probably on Windows which means you need to use the `set` command. The full command you want to use is `set ARM_ACCESS_KEY=""` on `cmd` prompt or `$env:ARM_ACCESS_KEY=""` https://www.shellhacks.com/windows-set-environment-variable-cmd-powershell/ – SomeGuyOnAComputer Oct 01 '19 at 17:38
3
  1. When I started learning tf, I used a terraform.tfvars file wherein I put:
aws_access_key="myaccesskey"
aws_secret_key="mysecertkey"
region="aws-region"

in main.tf:

variable "aws_access_key" {}
variable "aws_secret_key" {}
variable "region" {}
variable "private_key_path" {}

provider "aws" {
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
  region     = var.region
}

making sure both files are in the same dir.

  2. Then I started using env variables on Mac:
$ export AWS_ACCESS_KEY_ID="AWS_ACCESS_KEY_ID"
$ export AWS_SECRET_ACCESS_KEY="AWS_SECRET_ACCESS_KEY"
$ terraform plan
  3. Using a profile, ~/.aws/credentials:
aws configure
AWS Access Key ID: yourID
AWS Secret Access Key: yourSecert
Default region name : aws-region
Default output format : env
I hope it helps!

good luck, terraform is an amazing thing to learn!

1

The Terraform way of using environment variables and thus arbitrary values for all good things Terraform is by prefixing any environment variable with TF_VAR_ and then Terraform will automagically use it.

For your specific use case this would mean that you can set the Terraform variable access_key by setting the **environment** variable TF_VAR_access_key.

This technique is built into Terraform itself and is thus independent of any specific provider.

Documentation can be found at https://www.terraform.io/docs/commands/environment-variables.html#tf_var_name and it also works for older Terraform versions (I've tested it with 0.11).

Christian Ulbrich
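
An added example, not part of any answer above: a preflight check for the TF_VAR_ approach described in the answers. It lists declared variables that have no default and no exported TF_VAR_<name>, and reports secret-looking names assigned a literal value in .tf/.tfvars files without printing the value. The function names, the name pattern and the sample directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from any answer): preflight for a Terraform directory whose
# secrets should arrive as TF_VAR_<name> environment variables, not from files.

# Names of variables declared in DIR/*.tf without a default. Simplification:
# expects `variable "x" {}` on one line, or a closing brace at column 0.
required_vars() {
  cat "$1"/*.tf 2>/dev/null | awk '
    /^variable[ \t]+"/ { split($0, p, "\""); name = p[2]; dflt = 0; blk = 1 }
    blk && /default[ \t]*=/ { dflt = 1 }
    blk && (/^[}]/ || /^variable.*[}][ \t]*$/) { if (!dflt) print name; blk = 0 }'
}

# Required variables with no exported TF_VAR_<name>; Terraform would prompt.
missing_env_vars() {
  for name in $(required_vars "$1"); do
    env | grep -q "^TF_VAR_${name}=" || echo "$name"
  done
}

# file:line of secret-looking names assigned a quoted literal in *.tf/*.tfvars.
# "${var.x}" and var.x references are skipped; the value itself is not printed.
hardcoded_secrets() {
  grep -nEi '^[[:space:]]*[a-z_]*(access_key|secret|password|token)[a-z_]*[[:space:]]*=[[:space:]]*"[^$"][^"]*"' \
    "$1"/*.tf "$1"/*.tfvars 2>/dev/null | cut -d: -f1,2
}

# Constructed sample directory modelled on the snippets in this thread.
make_sample() {
  d=$(mktemp -d)
  printf '%s\n' 'variable "access_key" {}' 'variable "region" {' \
    '  default = "eastus"' '}' 'provider "aws" {' \
    '  access_key = "${var.access_key}"' '}' > "$d/main.tf"
  printf '%s\n' 'region = "eastus"' 'aws_secret_key = "constructed-not-real"' \
    > "$d/terraform.tfvars"
  echo "$d"
}

sample=$(make_sample)
echo "missing from environment: $(missing_env_vars "$sample")"
echo "literal secrets at: $(hardcoded_secrets "$sample")"
export TF_VAR_access_key="constructed-placeholder"
echo "missing after export: $(missing_env_vars "$sample")"
rm -rf "$sample"
```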