Terraform Configuration

Configure Terraform settings for accurate drift detection in Controlinfra.

Overview

Controlinfra needs to understand your Terraform setup to:

  • Initialize providers and modules
  • Access remote state
  • Apply the correct variables
  • Use the right Terraform version

Basic Configuration

Working Directory

Specify where your Terraform files are located:

Working Directory: /infrastructure

Common patterns:

Pattern                       Description
/                             Root directory
/terraform                    Terraform subfolder
/infrastructure/production    Environment-specific
/environments/prod            Alternative structure

Terraform Version

Select the Terraform version that matches your configuration:

Terraform Version: 1.5.7

Version Compatibility

Using a mismatched version can cause:

  • Provider compatibility issues
  • Syntax errors with newer features
  • State file format problems

Backend Configuration

S3 Backend

The most common backend for AWS infrastructure:

hcl
# In your Terraform configuration
terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "production/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-locks"
    encrypt        = true
  }
}

Configure in Controlinfra:

Field             Value
Backend Type      S3
Bucket            my-terraform-state
Key               production/terraform.tfstate
Region            us-east-1
DynamoDB Table    terraform-locks

Terraform Cloud Backend

hcl
terraform {
  cloud {
    organization = "my-organization"
    workspaces {
      name = "my-workspace"
    }
  }
}

Configure in Controlinfra:

Field           Value
Backend Type    Terraform Cloud
Organization    my-organization
Workspace       my-workspace
Token           Your TFC API token

Local Backend

For repositories using local state (not recommended for production):

Field           Value
Backend Type    Local
State Path      terraform.tfstate

WARNING

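The local backend requires the state file to be in the repository, which is a security risk: Terraform state stores resource attributes, including any secrets, in plain text, so anyone with read access to the repository can read them. Consider migrating to remote state.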

Variables Configuration

Variable Files

Specify .tfvars files to use during scanning:

Var File: production.tfvars

Or multiple files:

Var Files:
  - common.tfvars
  - production.tfvars
  - secrets.tfvars

Inline Variables

For variables not in files, add them directly:

Variables:
  environment = "production"
  region = "us-east-1"
  enable_monitoring = true

Sensitive Variables

For sensitive values, Controlinfra provides secure input:

Sensitive Variables:
  db_password = ********
  api_key = ********

These are:

  • Encrypted at rest
  • Never displayed in UI
  • Excluded from logs
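
A repository check that complements this, added here as an example and not part of Controlinfra: it flags secret-looking variables that carry a literal value in .tfvars files, which are candidates for Sensitive Variables instead. It handles single-line string assignments only; the file contents and the name pattern are constructed for the example.

```python
import re

# Names that usually carry credentials (heuristic chosen for this example).
SECRET_NAME = re.compile(r"password|passwd|secret|token|api_key|private_key", re.I)
# A top-level `name = "string literal"` assignment; comment lines never match.
STRING_ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*"((?:[^"\\]|\\.)*)"')

# Constructed file contents, reusing the file and variable names shown on this page.
SAMPLE_FILES = {
    "common.tfvars": 'region = "us-east-1"\nenable_monitoring = true\n',
    "production.tfvars": '# environment settings\nenvironment = "production"\n',
    "secrets.tfvars": (
        'db_password = "constructed-value"  # literal secret in the repository\n'
        'api_key     = ""\n'
        '// token = "commented out"\n'
    ),
}


def literal_secrets(files):
    """Map each var file to (line_number, variable) pairs that hold a literal secret."""
    report = {}
    for filename, text in files.items():
        hits = []
        for number, line in enumerate(text.splitlines(), start=1):
            match = STRING_ASSIGNMENT.match(line)
            if match and SECRET_NAME.search(match.group(1)) and match.group(2):
                hits.append((number, match.group(1)))  # name only, never the value
        if hits:
            report[filename] = hits
    return report
```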

Provider Configuration

AWS Provider

Controlinfra uses your configured AWS credentials for the AWS provider:

hcl
provider "aws" {
  region = var.region
  # Credentials injected by Controlinfra
}

Multiple Providers

For multi-region or multi-account setups:

hcl
provider "aws" {
  alias  = "us_east"
  region = "us-east-1"
}

provider "aws" {
  alias  = "eu_west"
  region = "eu-west-1"
}

Configure additional regions in repository settings if needed.

Other Providers

Controlinfra supports any Terraform provider. For providers requiring authentication:

  1. Add credentials to your Terraform variables
  2. Configure the provider in your Terraform code
  3. Controlinfra will use them during the scan

Module Configuration

Private Modules

For private Terraform modules from GitHub:

hcl
module "vpc" {
  source = "git::https://github.com/my-org/terraform-modules.git//vpc"
}

Controlinfra uses your GitHub authentication to access private modules.

Terraform Registry Modules

Public registry modules work automatically:

hcl
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.0.0"
}

Private Registry

For Terraform Cloud private registry:

hcl
module "vpc" {
  source  = "app.terraform.io/my-org/vpc/aws"
  version = "1.0.0"
}

Ensure your Terraform Cloud token is configured.

Workspace Configuration

Terraform Workspaces

If using Terraform workspaces (terraform workspace):

Terraform Workspace: production

Controlinfra will run:

bash
terraform workspace select production
terraform plan

Multiple Controlinfra Workspaces

For multiple configurations in one repo, add workspaces in Controlinfra:

Repository: my-org/infrastructure
├── Workspace: /production  → AWS Account: prod-account
├── Workspace: /staging     → AWS Account: staging-account
└── Workspace: /development → AWS Account: dev-account

Each workspace can have:

  • Different AWS credentials
  • Different Terraform variables
  • Independent scan schedules

Advanced Configuration

Custom Init Arguments

For special initialization needs:

Init Args: -backend-config=backend.hcl -reconfigure

Custom Plan Arguments

Additional plan arguments:

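Plan Args: -target=module.vpc -refresh=false

Note that -target limits the plan to the named resource and its dependencies, and -refresh=false makes Terraform plan against the recorded state without reading the real infrastructure, so changes outside those bounds will not appear in the plan.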

Environment Variables

Set environment variables for Terraform:

Environment Variables:
  TF_LOG = DEBUG
  TF_CLI_ARGS = -no-color

Configuration Examples

Simple AWS Project

yaml
Working Directory: /
Terraform Version: 1.6.0
Backend:
  Type: S3
  Bucket: terraform-state
  Key: app/terraform.tfstate
  Region: us-east-1
Variables:
  environment: production

Multi-Environment Setup

yaml
# Production Workspace
Working Directory: /environments/production
Terraform Version: 1.6.0
Backend:
  Type: S3
  Bucket: terraform-state
  Key: production/terraform.tfstate
  Region: us-east-1
Var File: production.tfvars
AWS Credentials: production-aws-key

# Staging Workspace
Working Directory: /environments/staging
Terraform Version: 1.6.0
Backend:
  Type: S3
  Bucket: terraform-state
  Key: staging/terraform.tfstate
  Region: us-east-1
Var File: staging.tfvars
AWS Credentials: staging-aws-key

Terraform Cloud Project

yaml
Working Directory: /infrastructure
Terraform Version: 1.6.0
Backend:
  Type: Terraform Cloud
  Organization: my-org
  Workspace: production
  Token: ********
Variables:
  environment: production

Troubleshooting

"Backend initialization required"

Error: Backend initialization required
  • Check backend configuration matches your Terraform setup
  • Verify credentials have access to state storage
  • Try adding -reconfigure to init args

"Module not found"

Error: Module not found
  • Verify module source path is correct
  • Check GitHub access for private modules
  • Ensure module version exists

"Variable not set"

Error: No value for required variable
  • Add the variable to Var File or Variables
  • Check variable name matches Terraform exactly

"Provider configuration not present"

Error: Provider configuration not present
  • Ensure provider is defined in your Terraform code
  • Check required provider credentials are configured
