Terraform Cloud lets you define input and environment variables using either workspace-specific variables, or sets of variables that you can reuse in multiple workspaces. Variable sets allow you to avoid redefining the same variables across workspaces, so you can standardize common configurations throughout your organization. One common use case for variable sets is for provider credentials. By defining a variable set for your credentials, you can easily reuse the same variables across multiple workspaces and efficiently and securely rotate your credentials.
In this tutorial, you will create a variable set for your AWS credentials.
This tutorial requires:
You can define both input variables and environment variables in variable sets. Input variables define the values for variables you reference in your configuration, while environment variables typically store provider credentials or modify Terraform's behavior, such as logging verbosity.
To create a variable set, navigate to your organization's Settings, then to Variable sets.
Next, click Create variable set.
Name the variable set "AWS Credentials".
You can apply a variable set to all workspaces in your organization, or scope it to specific ones. When using variable sets with credentials, reuse the variable set with care and avoid the global option, since it does not follow least privilege best practices.
If you created an organization just for HashiCorp tutorials, select Apply to all workspaces in this organization as the workspace scope.
If you run HashiCorp tutorials in an organization that also contains other workspaces, or would prefer to keep your variable set scoped, select Apply to specific workspaces and leave the workspace blank. You can assign a variable set to a workspace through a specific workspace's variables page.
Next, define your AWS credentials as environment variables. Use an existing Access key ID and Secret access key or create a new pair in the IAM console.
Click +Add Variable. Select the Environment variable option. Set the
AWS_ACCESS_KEY_ID and the value to your AWS Access Key ID. Mark
it as Sensitive and click Add variable.
Marking a variable as sensitive prevents Terraform from displaying it in the Terraform Cloud UI and makes the variable write-only.
Now, click + Add Variable again. Define another environment variable named
AWS_SECRET_ACCESS_KEY and set it to your AWS Secret access key. Mark it
as Sensitive and click Add variable.
If you have temporary AWS credentials, you must also add your
AWS_SESSION_TOKEN as an environment variable.
Now click Create variable set.
Terraform Cloud now lists your new variable set on the Variable Sets page. It also shows the number of variables it contains and indicates that the set applies to all workspaces, since you selected the global scope.
In this tutorial, you created a global variable set. To learn more about variable sets, review the variable sets documentation.
Next, you will create and configure a Terraform Cloud workspace.