Announcing Coherence 2.0 and CNC, the first open source IaC framework
All posts

Terraform CI/CD Pipeline AWS: A Starter Guide

A starter guide to integrating Terraform with CI/CD pipelines on AWS, covering benefits, prerequisites, pipeline stages, AWS services, Terraform Cloud setup, best practices, and more.

Zan Faruqui
May 16, 2023

If you're diving into managing AWS cloud infrastructure, integrating Terraform with CI/CD pipelines will revolutionize how you deploy and manage resources. Here's a quick guide to get you started:

  • Terraform: A tool for building, changing, and versioning infrastructure safely and efficiently.
  • CI/CD Pipelines: Automate the steps of code integration, testing, and deployment, ensuring a smooth and speedy delivery of infrastructure changes.
  • Integration Benefits: Combines the infrastructure management capabilities of Terraform with AWS's automation tools, enhancing efficiency, reliability, and security.
  • Prerequisites: An AWS account, Terraform installation, and a basic understanding of AWS services.
  • Key AWS Services: Utilizes AWS CodeCommit, AWS CodePipeline, AWS CodeBuild, and AWS S3 for storing and managing infrastructure code.
  • Pipeline Stages: Includes stages like source, validate, plan, approval, and apply, ensuring thorough checks before any deployment.
  • Terraform Cloud: Offers collaboration tools and secure state management, integrating seamlessly with AWS.

This guide simplifies the setup process, from creating IAM roles to configuring AWS services and Terraform Cloud, ensuring you have a robust pipeline ready for deployment. Whether you're a beginner or looking to refine your CI/CD process with Terraform on AWS, this starter guide has you covered.

Understanding CI/CD Pipelines

CI/CD pipelines are about making the process of getting your code and infrastructure updates out there smoother and faster:

  • Continuous integration (CI) - Developers put their code together in one place often, and then it's automatically built and tested.
  • Continuous delivery (CD) - If the tests go well, the updates can be sent straight to where they need to go without extra steps.

Benefits of Integrating Terraform with CI/CD on AWS


When you use Terraform with AWS's tools for CI/CD, it brings a bunch of good things:

  • Increased efficiency - You can set up and update your cloud services without much manual work.
  • Improved consistency - Using files to manage your cloud setup means everything can be done the same way every time.
  • Lower costs - Less manual work means fewer mistakes and less time fixing them.
  • Security and compliance - You can make sure your setup follows the rules and stays safe more easily.


AWS Account

First, you'll need an AWS account to work with Terraform on AWS. If you don't have one yet, you can sign up for a free account on the AWS website. This free tier lets you try out some AWS services for 12 months without paying.

After setting up your account, you must create AWS access keys. These keys let Terraform talk to your AWS account and manage things. AWS has a guide on how to do this — just remember to keep these keys safe.

Terraform Installation

You can download the newest version of Terraform from its website. They offer versions for Windows, macOS, and Linux.

Just follow the instructions for your computer. If you're using Linux, you might be able to get Terraform through your package manager.

To check if Terraform is ready to go, type this in your terminal:

terraform -v

If it works, you'll see the version number of Terraform.

Understanding of AWS

It's good to know a bit about AWS before you start using Terraform with it. Here are some AWS basics:

  • EC2 - Think of these as virtual computers.
  • VPC - A way to keep your AWS stuff private.
  • IAM - This helps you control who can do what.
  • S3 - A place to keep your files.

AWS has lots of resources to learn more about these services. Knowing them will make it easier to use Terraform to manage your AWS resources.

Architecture Overview

Pipeline Stages

A CI/CD pipeline for Terraform on AWS goes through a few important steps:

  • Source - Grabs the Terraform files from a place like AWS CodeCommit. This is where everything starts.
  • Validate - Checks the Terraform code to make sure it's written correctly and follows safety and rules.
  • Plan - Shows what changes Terraform will make to your AWS resources based on your files.
  • Approval - Lets someone look over the planned changes before they happen, to make sure everything is good to go.
  • Apply - Sets up the AWS resources using your Terraform files.
  • Destroy - Removes any resources that were set up during the apply step. This helps keep things clean.

AWS Services Used

The pipeline uses these main AWS services:

  • AWS CodeCommit - Keeps the Terraform files in a Git repository.
  • AWS CodePipeline - Helps automate and manage the flow from one stage to the next.
  • AWS CodeBuild - Runs Terraform commands like plan and apply in a separate environment.
  • AWS S3 - Holds onto files that need to be moved between stages, like the Terraform plan results.

Terraform in the Pipeline

Terraform is used here to manage AWS resources with code. Here's how it fits into the workflow:

  • You put a Terraform file into CodeCommit.
  • CodeBuild automatically checks and tests your file.
  • You can look at what changes will happen in the plan file.
  • If everything looks good, CodeBuild will set up your AWS resources with terraform apply.

This setup makes sure that teams can update their cloud setup in a way that's consistent and follows rules.

Setting Up AWS Services

Create IAM Roles

First, we need to make some special roles that let our pipeline do its job. Here's what we need:

  • CodePipeline service role - This role lets CodePipeline use other AWS services for you. You should add the AWSCodePipelineServiceRole policy to it.
  • CodeBuild service role - This role allows CodeBuild to use the resources it needs, like S3 buckets. Attach the AWSCodeBuildDeveloperAccess policy here.
  • CodeCommit access role - This role is for pulling Git repositories from CodeCommit. It needs the AWSCodeCommitReadOnly policy.

You can create these roles through the IAM section in AWS, either using the console or the CLI. Remember to keep track of their ARNs for later.

Set Up CodeCommit Repository

We need a spot to keep our Terraform files, and CodeCommit is perfect for this:

  • Make a new CodeCommit repository using the AWS console or CLI.
  • Allow your IAM users or roles to access it by setting up a policy like this:
  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": [
      "Resource": "arn:aws:codecommit:us-east-1:123456789012:MyDemoRepo"
  • With this setup, users can now start adding Terraform files to the repository.

Configure CodeBuild Project

Next, we use CodeBuild to run Terraform commands. Here's how to get it ready:

  • Make a Docker image with Terraform and any needed tools, and put it in ECR.
  • Set up a CodeBuild project with details like where it gets its code (CodeCommit) and which Docker image to use (from ECR).
  • Put in environment variables, such as AWS credentials, so CodeBuild knows how to access AWS.

This setup lets CodeBuild automatically run commands like terraform plan and terraform apply.

Set Up CodePipeline

Last, we'll put together our CI/CD pipeline in CodePipeline:

  • Make a new pipeline and choose our CodeCommit repo as the source.
  • Add stages in CodeBuild for checking Terraform files, planning, and applying changes.
  • Put in approvals for important steps, like before applying changes.
  • Set up where files go in between stages, like where to keep the plan files.

With this, our pipeline will start running automatically whenever there are changes in the Git repo, managing everything from checking to deploying.

Configuring Terraform Cloud

Terraform Cloud is a tool that helps teams work together on setting up their cloud infrastructure. It connects to your AWS account and offers features like keeping your setup files safe, managing who can change what, and making sure rules are followed. Here's how to get it ready and hook it up with AWS.

Create Terraform Cloud Account

Starting with Terraform Cloud is easy. Go to and sign up. You'll get a free account that comes with features for storing your setup files online, tools for teamwork, and a private place for your setup modules.

After signing up, you can make organizations and workspaces. Workspaces are like separate projects for different environments, such as testing or live. You can set who has permission to make changes.

Connect AWS Credentials

To let Terraform Cloud work with your AWS account, you need to add your AWS access keys. Go to your organization settings, find Credentials, then AWS, and put in your access key and secret key.

It's important to use keys that don't have too much access. You can attach an IAM policy to the user that only lets it read from services like EC2, S3, VPC, etc.

Define Workspace

Now, create a workspace in Terraform Cloud. This is where your AWS setup files will live. When setting it up, connect it to your AWS credentials and pick 'Version Control Workflow'.

Make sure to turn on remote state storage in the settings. This means Terraform will keep the setup state in the cloud instead of on your computer. You can also turn on checks for security, costs, and more.

Next, link your workspace to your AWS CodeCommit repo. When you update your Terraform files there, it will automatically start Terraform to apply the changes. You can watch the progress, see logs, and work with your team on updates.

Building the CI/CD Pipeline

Configure Source Stage

The first thing we need to do is set up a way for our pipeline to grab the Terraform files from our CodeCommit repository. Here's how:

  • Choose the CodeCommit repository as the starting point when you're making a new pipeline.
  • Make sure the IAM roles and policies let CodePipeline get to the repository.
  • Pick the branch in CodeCommit that, when updated, will kick off the pipeline.
  • Tell CodePipeline to use CodeCommit for the source code.

With these steps, any new commits to the chosen branch in CodeCommit will automatically start the pipeline.

Add Build Stage

Now, we need a part in our pipeline that will run Terraform commands to make or change our cloud setup.

Here's what to do:

  • Make a CodeBuild project that uses a Docker image with Terraform on it.
  • Add in any needed info like AWS credentials as environment variables.
  • Set up the commands to run terraform init, terraform plan, and terraform apply.
  • Add this CodeBuild project to your pipeline right after the source stage.

This way, when the pipeline runs, it will use your Terraform files from CodeCommit to manage your cloud stuff.

Include Approval Gate

It's smart to have a step where someone checks and OKs the plan before it makes any changes, especially for live environments.

To add this check:

  1. Use CodePipeline to add a manual approval step between the planning and applying phases.
  2. Set up notifications to let the right people know when there's something to approve.

This step lets you see what changes Terraform plans to make and approve them before anything happens.

Configure Integration with Terraform Cloud

For better teamwork and to keep track of our Terraform setup, we can connect our pipeline to Terraform Cloud:

  • Make a workspace in Terraform Cloud and link it to your CodeCommit repo.
  • Change your Terraform files to use Terraform Cloud for storing the setup info.
  • Make sure CodePipeline can access and work with the Terraform Cloud workspace.

This setup means our Terraform info is safely stored outside the pipeline, but CodePipeline can still do its job. Plus, it makes working together on cloud setups easier.


Running and Monitoring

Initiate Pipeline

To start your Terraform CI/CD pipeline, you have a few options:

  • Manual start - You can manually start the pipeline from the CodePipeline console by selecting the "Release change" option. This begins the process of picking up the latest code, planning changes, getting approvals, and making updates.
  • Code commit - Any new code pushed to your CodeCommit Git repository will automatically trigger the pipeline if it's set to watch a specific branch. This makes it easy to move code changes through to updating your infrastructure.
  • Scheduled triggers - If you need to update environments like dev/test regularly, you can set your pipeline to start automatically on a set schedule, such as daily or weekly. This setting is found in the pipeline options.

Check Pipeline Status

While your pipeline is running, you can see how it's doing in the CodePipeline console:

  • There's a visual layout of the pipeline stages, showing where things are at the moment. This gives you a quick overview of progress.

  • Click on any stage to see more details like how long it took, any messages, and what was produced. This is useful for understanding what's happening at each step.

  • The top of the page shows a summary of the whole pipeline, including how long each part took and the current status.

  • You'll also get alerts for important events, like when something needs your approval or if there's a problem that needs fixing.

Review Logs For Issues

If something goes wrong, here's how to check the logs for clues:

  • Go to the part of CodePipeline that didn't work and look at the logs there. You'll find detailed information.

  • Look for specific words related to the problem, like "permission" or "timeout." This can help you figure out what went wrong.

  • You can also try running Terraform commands like plan and apply directly in CodeBuild to see if the logs there give you more info.

  • If you're stuck, ask for help from people who know about security, networking, or Terraform. They might see something you missed.

  • Once you know what's wrong, you might need to change permissions, fix network settings, or update your Terraform code to solve the problem and avoid it in the future.

Best Practices

When it comes to keeping your Terraform setup safe and running smoothly, there are a few key things to do:

Managing Terraform State

  • It's smarter to keep your Terraform info in Terraform Cloud than on your own computer. This way, it's safe, you can control who sees it, and you won't lose it if something goes wrong.
  • Make sure only one Terraform job can run at a time to avoid mix-ups.
  • Regularly save a copy of your Terraform info to Amazon S3. This helps if you need to go back to an earlier version or if something bad happens.
  • Be careful about who can see or change your Terraform info. Use AWS Identity and Access Management (IAM) to give people only the access they really need.

IAM Permissions Management

  • Only give people or services the access they need to do their jobs, nothing more.
  • Group people or services together in IAM to manage their permissions easier.
  • Keep an eye on what permissions you've given out. If someone doesn't need access anymore, take it back.
  • Use multi-factor authentication (MFA) for extra security, especially for those with more access.

Pros and Cons Comparison

Approach Pros Cons
Store state locally You're in control, can use it offline Risky if something goes wrong, no automatic backup
Store state remotely in S3 Safe, keeps versions, can back up A bit more work, need to set up state locking
Store state in Terraform Cloud Comes with security features, controls who can see it Relying on another service, what if it goes down?

Following these tips can help you keep things secure, meet rules, and make sure your Terraform setup works well. Being careful with your setup and who can access it lays a strong foundation.


Key Takeaways

Using Terraform to manage your AWS setup with CI/CD pipelines makes a big difference:

  • Increased efficiency - By using code to set up and change your cloud resources, you cut down on manual work. This means your team can get things done quicker.
  • Improved reliability - The pipeline checks your code and needs a thumbs-up before making changes. This helps catch mistakes and keeps everything running smoothly.
  • Enhanced security - Having one place to manage who can do what makes it easier to keep things safe. Plus, automatic checks help prevent setup errors.
  • Greater scalability - When your cloud setup is written in code, it's easy to grow or copy it to other areas as needed.
  • Streamlined compliance - Doing things the same way every time helps make sure you're following security rules and best practices.
  • Cost optimization - Using automation saves time and money by cutting out unnecessary steps. It also helps find and remove resources you don't need anymore.
  • Insight and control - Seeing what's happening in your pipeline and having the chance to review changes keeps everyone in the loop.
  • Collaboration - Everyone working together with the latest information on your cloud setup helps things run smoothly.

To get these benefits, plan your pipeline and permissions well, keep an eye on your Terraform setup, use tools like Terraform Cloud when they can help, and focus on keeping things secure and simple. Start with the basics, learn as you go, and you'll find ways to work better and more reliably.

Official Terraform documentation

The official Terraform documentation is like a huge guidebook made by HashiCorp, the people behind Terraform. It covers everything you need to know about using Terraform, from start to finish. Here’s a quick overview of what you can find there:

  • Installation - Instructions on how to get Terraform set up on your computer, whether you're using Windows, Linux, or macOS.

  • Getting Started - A beginner-friendly introduction to the basics of Terraform, like what providers and resources are, how to manage your setup's state, and the ins and outs of workspaces.

  • Configuration - A deep dive into how to write Terraform code using its special language, HCL. This includes how to use variables, make your code do what you want, and organize your code with modules.

  • Commands - A handy reference for the different commands you can use in the Terraform command line, like init to get started, plan to see what changes you're about to make, apply to make those changes, and destroy to take everything down.

  • Providers - Detailed info on all the different services and tools Terraform works with, like AWS, Azure, Google Cloud, and Kubernetes.

  • Best Practices - Tips and advice for using Terraform in the real world, especially when you're working on important projects. This covers how to keep your setup secure, work well with your team, test your code, and more.

Plus, there’s a bunch of other helpful stuff like a guide to the Terraform API, a glossary of terms, and a way to search through all the documentation.

The Terraform documentation is super detailed and always kept up-to-date. It's the go-to place for finding out how to do anything with Terraform. Whether you're just starting out or you've been using Terraform for a while, it's worth checking out to make sure you're doing things the right way and to get answers to any questions you might have.

AWS blog

The AWS blog is packed with helpful tips and step-by-step guides on using AWS services, like how to set up and manage your code and infrastructure automatically. Here are some key takeaways:

  • There are lots of tutorials on creating CI/CD pipelines with AWS CodePipeline. These guides show you how to connect CodePipeline with other AWS services like CodeCommit and CodeBuild, explaining the process in easy steps.
  • One specific guide, "Implementing Git workflows using AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline," walks you through how to use these services together to manage your code.
  • If you're interested in setting up your AWS resources automatically, the blog series on "Infrastructure as Code" offers practical examples and tips. It talks about using both HashiCorp Terraform and AWS CloudFormation.
  • There's a detailed guide on "Deploying AWS infrastructure automatically using AWS CloudFormation and AWS CodePipeline" that teaches you how to continuously deliver CloudFormation stacks.
  • The blog also suggests important security practices like setting up pipeline approvals, adding security checks, and using the principle of least privilege to control access.
  • You'll find real-life stories and advice from people who've worked with CodePipeline and automated infrastructure. These are great for learning from others' experiences.

Overall, the AWS blog is a great place to find information on making the most of CodePipeline and setting up your infrastructure using code. It's full of advice from AWS experts that can help you understand and use these tools better.

Related posts