We use remote state sharing to read some variables across different workspaces.
Dispatcher:
State sharing for dispatcher is configured manually by TFC Owners/Admins in the Dispatcher workspace. Its main use is to make it possible to create network connections.
One of the consumers, for example, is tf-environments:
    data "terraform_remote_state" "dispatcher" {
      backend = "remote"
      config = {
        organization = "safi"
        workspaces = {
          name = "dispatcher"
        }
      }
    }

    # Values read from the dispatcher workspace outputs
    gcp_project_names = data.terraform_remote_state.dispatcher.outputs.gcp_project_names
    gcp_project_sa    = data.terraform_remote_state.dispatcher.outputs.gcp_project_sa
Common (tf-environments):
Sharing of the common (environment) workspace state is set up in the dispatcher workspace, in 20_environments.tf:
    remote_state_consumer_ids = concat(
      [module.data_environment_tfe_workspace[format("%s-data", each.key)].workspace_id],
      [module.environment_tfe_workspace_new[format("%s-vpn-infra", each.key)].workspace_id],
      [module.environment_tfe_workspace_new[format("%s-monitor-infra", each.key)].workspace_id],
      [module.environment_tfe_workspace_new[format("%s-cloud-composer-infra", each.key)].workspace_id],
      [module.environment_tfe_workspace_new[format("%s-hcvault-infra", each.key)].workspace_id],
      [module.environment_tfe_workspace_new[format("%s-tms-infra", each.key)].workspace_id],
      [module.environment_tfe_workspace_new[format("%s-data-infra", each.key)].workspace_id],
      [module.environment_tfe_workspace_new[format("%s-data-config", each.key)].workspace_id],
      [module.environment_tfe_workspace_new[format("%s-tyk-a-infra", each.key)].workspace_id],
      [module.environment_tfe_workspace_new[format("%s-applications-infra", each.key)].workspace_id]
    )
This is used to share the shared_vpc.id for creation of GKE and other resources in additional projects.
Code from tf_environments in outputs.tf:

    # -----------------------------------------------
    output "google_shared_vpc_network_id" {
      value = google_compute_network.shared_vpc.id
    }

    output "google_shared_vpc_network_name" {
      value = google_compute_network.shared_vpc.name
    }

    output "google_private_vpc_connection_id" {
      value = google_service_networking_connection.private_vpc_connection.id
    }

    # -----------------------------------------------
    output "google_shared_vpc_subnetwork_vpn_id" {
      value = google_compute_subnetwork.k8s["vpn"].id
    }
Code from tf-env-vpn-infra:
In main.tf, the following data source gives us access to the outputs of the common environment workspace:
    data "terraform_remote_state" "common_workspace" {
      backend = "remote"
      config = {
        organization = "safi"
        workspaces = {
          name = "safi-env-${var.env_name}"
          #name = format("safi-%s", var.env_name)
        }
      }
    }
It is then used in vpn_gke.tf:

    network = data.terraform_remote_state.common_workspace.outputs.google_shared_vpc_network_id
    subnet  = data.terraform_remote_state.common_workspace.outputs.google_shared_vpc_subnetwork_vpn_id
Troubleshooting:
The main problem you are likely to hit when sharing state is forgetting to set the consumer permissions. Terraform then returns an error, and it is easy to fix.
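The consumer permission mentioned above, shown on a plain tfe_workspace resource with the organization-wide setting beside the restricted one. This is an added example, not code from our repositories: the resource names, the "-global" workspace name, the consumer workspace name and the default for env_name are assumptions made for illustration.

```hcl
# Added example; resource names and the sample env_name are hypothetical.
variable "env_name" {
  type    = string
  default = "dev" # constructed sample value
}

# Consumer workspace (stand-in for the "<env>-vpn-infra" workspace
# that the dispatcher creates through its module).
resource "tfe_workspace" "vpn_infra" {
  name         = "${var.env_name}-vpn-infra"
  organization = "safi"
}

# Weak setting: every workspace in the organization can read this
# workspace's full state, not only its outputs.
resource "tfe_workspace" "common_global" {
  name                = "safi-env-${var.env_name}-global"
  organization        = "safi"
  global_remote_state = true
}

# Restricted setting: only the listed workspace IDs can read the state.
# A workspace missing from this list gets an error when its
# terraform_remote_state data source is evaluated.
resource "tfe_workspace" "common" {
  name                      = "safi-env-${var.env_name}"
  organization              = "safi"
  global_remote_state       = false
  remote_state_consumer_ids = [tfe_workspace.vpn_infra.id]
}
```

When a new workspace needs the common outputs, add its workspace ID to the consumer list in 20_environments.tf rather than switching the common workspace to global sharing.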