Terraform AWS CodePipeline Automation

This document provides a comprehensive guide for setting up a CI/CD pipeline for Terraform infrastructure using AWS CodePipeline. It details prerequisites, architecture components, setup options (manual and automated), and the workflow for triggering and monitoring the pipeline. Additionally, it includes best practices, troubleshooting tips, and cleanup instructions to ensure efficient resource management.

Uploaded by

BhavnaRani

Terraform AWS CodePipeline Lab Documentation

Introduction
This laboratory guide demonstrates how to implement a CI/CD pipeline for Terraform
infrastructure using AWS CodePipeline. The pipeline automates the process of planning,
approving, and applying Terraform configurations to create and manage AWS resources in a
controlled, repeatable manner.

Prerequisites
Before beginning this lab, ensure you have:
• An active AWS account with administrator permissions
• AWS CLI installed and configured (for manual setup)
• Terraform installed locally (version 1.x recommended)
• Basic understanding of Terraform, AWS CodePipeline, and CloudFormation

Architecture Overview
The pipeline architecture consists of the following components:
1. Source Stage: S3 bucket containing Terraform code
2. Plan Stage: CodeBuild project that executes terraform plan
3. Approval Stage: Manual approval with SNS notification
4. Apply Stage: CodeBuild project that executes terraform apply
5. Destroy Stage (Optional): CodeBuild project that executes terraform destroy
Workflow Diagram

Setup Options
This lab can be completed using either:
1. Manual Setup: Step-by-step console-based configuration
2. Automated Setup: Using CloudFormation template
Option 1: Manual Setup
Follow these steps to manually set up the pipeline through the AWS Management Console.

1. Create S3 Buckets
Source Code Bucket
1. Navigate to the S3 service in the AWS Management Console
2. Click "Create bucket"
3. Enter a globally unique name (e.g., terraform-source-code-{account-id})
4. Configure versioning (Enabled)
5. Leave other settings as default
6. Click "Create bucket"

Artifacts Bucket
1. Create another S3 bucket with a unique name (e.g., terraform-pipeline-artifacts-{account-id})
2. Enable versioning
3. Click "Create bucket"

2. Create IAM Roles


CodePipeline Service Role
1. Navigate to the IAM console
2. Select "Roles" > "Create role"
3. Choose "AWS service" as trusted entity and "CodePipeline" as the service
4. Attach the following policies:
o AmazonS3FullAccess
o AWSCodeBuildAdminAccess
o AmazonSNSFullAccess
5. Name the role CodePipelineServiceRole
6. Create the role


CodeBuild Service Role


1. Navigate to the IAM console
2. Select "Roles" > "Create role"
3. Choose "AWS service" as trusted entity and "CodeBuild" as the service
4. Attach the following policies:
o AmazonS3ReadOnlyAccess
o CloudWatchLogsFullAccess
5. Create the role
6. Edit the role to add an inline policy with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "iam:PassRole",
        "cloudformation:*"
      ],
      "Resource": "*"
    }
  ]
}
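The inline policy above grants service-wide actions (ec2:*, cloudformation:*) and iam:PassRole on every resource, which is far wider than the plan/apply builds need. The following added script (not part of the lab or any AWS tool) reads a policy document and lists each over-broad grant so the role can be tightened before it is attached; the embedded policy is the one from step 6, and the helper names are the author's own:

```python
"""Flag over-broad grants in an IAM policy document before attaching it to the
CodeBuild role. Added example for this lab (not part of the original document
or an AWS tool); the constructed input is the inline policy from step 2."""
import json

LAB_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
        {"Effect": "Allow", "Resource": ["arn:aws:s3:::*/*"],
         "Action": ["s3:GetObject", "s3:PutObject", "s3:GetObjectVersion"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:*", "iam:PassRole", "cloudformation:*"]},
    ],
})

def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise."""
    return value if isinstance(value, list) else [value]

def _unscoped(res):
    """True for '*' or an ARN whose resource segment is a bare wildcard
    (arn:aws:s3:::*/*); a 'bucket/*' style path is scoped and accepted."""
    if res == "*":
        return True
    parts = res.split(":", 5)
    return len(parts) == 6 and parts[5].startswith("*")

def find_broad_grants(policy_text):
    """Return (statement_index, finding) pairs for every Allow statement with
    a service-wide action, an unscoped resource, or iam:PassRole on '*'."""
    findings = []
    for i, st in enumerate(json.loads(policy_text)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        findings += [(i, f"wildcard action {a}") for a in actions
                     if a == "*" or a.endswith(":*")]
        findings += [(i, f"unscoped resource {r}") for r in resources
                     if _unscoped(r)]
        if "iam:PassRole" in actions and "*" in resources:
            findings.append((i, "iam:PassRole may pass any role"))
    return findings

if __name__ == "__main__":
    for idx, msg in find_broad_grants(LAB_POLICY):
        print(f"Statement[{idx}]: {msg}")
```

Run against the lab policy it reports six findings; replacing the S3 resource with the two lab buckets and the PassRole resource with the CodeBuild role ARN clears most of them.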

3. Create SNS Topic for Approvals


1. Navigate to the SNS service
2. Click "Create topic"
3. Select "Standard" type
4. Name the topic TerraformApprovalTopic
5. Click "Create topic"
6. Create a subscription:
o Protocol: Email
o Endpoint: Your email address
7. Confirm the subscription by clicking the link in the confirmation email
4. Create CodeBuild Projects
Terraform Plan Project
1. Navigate to CodeBuild
2. Click "Create build project"
3. Project name: TerraformPlanBuildProject
4. Source provider: Select "CodePipeline"
5. Environment:
o Image: Amazon Linux 2
o Runtime: Standard
o Image version: Latest
6. Service role: Use the CodeBuild role created earlier
7. Buildspec: Use the following inline buildspec:
version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.9
    commands:
      # Add the HashiCorp repo and pin the Terraform version used by the lab
      - yum install -y yum-utils unzip
      - yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
      - yum -y install terraform-1.6.4
      - terraform --version
  build:
    commands:
      # SOURCE_S3_BUCKET and SOURCE_S3_KEY are environment variables of the CodeBuild project
      - aws s3 cp s3://${SOURCE_S3_BUCKET}/${SOURCE_S3_KEY} ./
      - unzip -o ./${SOURCE_S3_KEY}
      - ls -la
      - terraform init
      - echo "## TERRAFORM PLAN : Generate the Terraform Plan"
      # Save the plan so the Apply stage applies exactly what was reviewed
      - terraform plan -out tfapply
      - terraform show -json tfapply > myplan.json
artifacts:
  files:
    - '**/*'
    - tfapply
    - myplan.json
    - .terraform/**/*
8. Click "Create build project"

Terraform Apply Project


1. Click "Create build project"
2. Project name: TerraformApplyBuildProject
3. Source provider: Select "CodePipeline"
4. Environment: Same as plan project
5. Service role: Use the CodeBuild role created earlier
6. Buildspec: Use the following inline buildspec:
version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.9
    commands:
      - yum install -y yum-utils
      - yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
      - yum -y install terraform-1.6.4
      - terraform --version
  build:
    commands:
      # The input artifact from the Plan stage already contains the saved plan
      # (tfapply) and the initialised .terraform directory, so no init is run here
      - ls -la
      - echo "## TERRAFORM APPLY : Applying infrastructure changes"
      - terraform apply --auto-approve tfapply
artifacts:
  files:
    - '**/*'

7. Click "Create build project"


Terraform Destroy Project (Optional)
1. Click "Create build project"
2. Project name: TerraformDestroyBuildProject
3. Source provider: Select "CodePipeline"
4. Environment: Same as plan project
5. Service role: Use the CodeBuild role created earlier
6. Buildspec: Use the following inline buildspec:
version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.9
    commands:
      - yum install -y yum-utils unzip
      - yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
      - yum -y install terraform-1.6.4
      - terraform --version
  build:
    commands:
      # SOURCE_S3_BUCKET and SOURCE_S3_KEY are environment variables of the CodeBuild project
      - aws s3 cp s3://${SOURCE_S3_BUCKET}/${SOURCE_S3_KEY} ./
      - unzip -o ./${SOURCE_S3_KEY}
      - ls -la
      - terraform init
      - echo "## TERRAFORM PLAN : Checking for infrastructure changes (for destroy)"
      - terraform plan -destroy
  post_build:
    commands:
      # Only runs when the destroy plan above succeeded
      - echo "## TERRAFORM DESTROY : Destroying infrastructure"
      - terraform destroy --auto-approve
artifacts:
  files:
    - '**/*'

7. Click "Create build project"


5. Create CodePipeline
1. Navigate to CodePipeline
2. Click "Create pipeline"
3. Pipeline name: TerraformInfrastructurePipeline
4. Service role: Use the CodePipeline role created earlier
5. Artifact store: Use the artifacts S3 bucket created earlier
6. Click "Next"
Source Stage
7. Source provider: Amazon S3
8. Bucket: Select your source code bucket
9. S3 object key: Specify the path to your Terraform code (e.g., main.zip)
10. Click "Next"
Build Stage
11. Build provider: AWS CodeBuild
12. Project name: Select TerraformPlanBuildProject
13. Build type: Single build
14. Click "Next"
Approval Stage
15. Click "Add stage"
16. Stage name: Approval
17. Click "Add action group"
18. Action name: ManualApproval
19. Action provider: Manual approval
20. SNS topic: Select your approval topic
21. URL for review: Leave blank
22. Comments: "Please review and approve to apply Terraform changes"
23. Click "Done"
Apply Stage
24. Click "Add stage"
25. Stage name: Apply
26. Click "Add action group"
27. Action name: TerraformApply
28. Action provider: AWS CodeBuild
29. Project name: Select TerraformApplyBuildProject
30. Input artifacts: Select BuildArtifact from the previous build stage
31. Click "Done"
32. Click "Create pipeline"

6. Upload Terraform Code


1. Create a directory for your Terraform files
2. Create the necessary Terraform configuration files:
o main.tf
o variables.tf
o terraform.tfvars (if needed)
3. Zip the files:

zip -r main.zip *.tf *.tfvars

4. Upload the zip file to your source S3 bucket:

aws s3 cp main.zip s3://your-source-bucket/main.zip


Option 2: Automated Setup Using CloudFormation
For a more streamlined setup, use the provided CloudFormation template to create all required
resources automatically.

1. Create Source S3 Bucket


First, create an S3 bucket to store your Terraform code:
1. Navigate to the S3 service in AWS Console
2. Create a bucket with a unique name (e.g., terraform-source-{account-id})
3. Enable versioning
4. Note the bucket name for later use
2. Prepare and Upload Terraform Code
1. Create a directory for your Terraform files
2. Create and populate the necessary Terraform configuration files
3. Zip the files:

zip -r main.zip *.tf *.tfvars

4. Upload the zip file to your source S3 bucket:

aws s3 cp main.zip s3://your-source-bucket/main.zip

3. Deploy CloudFormation Template


1. Navigate to CloudFormation in the AWS Console
2. Click "Create stack" > "With new resources"
3. Select "Upload a template file"
4. Upload the following CloudFormation template or enter its URL
5. Click "Next"
CloudFormation Parameters
Complete the following parameters:
• EmailAddress: Your email for approval notifications
• SourceS3BucketName: Your source code bucket name
• SourceS3ObjectKey: Object key for your Terraform code (default: main.zip)
• TerraformVersion: Version of Terraform to use (default: 1.6.4)
6. Click "Next", then "Next" again
7. Acknowledge IAM capabilities
8. Click "Create stack"
The CloudFormation stack will create:
• S3 bucket for pipeline artifacts
• IAM roles for CodePipeline and CodeBuild
• SNS topic for manual approvals
• CodeBuild projects for plan, apply, and destroy operations
• CodePipeline with all stages configured
4. Confirm SNS Subscription
1. Check your email for the subscription confirmation
2. Click the confirmation link to receive approval notifications

Using the Pipeline


Triggering the Pipeline
The pipeline will automatically start when:
• CloudFormation stack creation completes (Automated setup)
• Pipeline creation completes (Manual setup)
• New code is uploaded to the source S3 bucket
Manual Approval Process
1. When the pipeline reaches the Approval stage, you'll receive an email notification
2. Open the link in the email or navigate to the CodePipeline console
3. Review the Terraform plan output in the previous stage logs
4. Click "Review" then "Approve" or "Reject" based on your assessment
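The Plan stage also writes myplan.json (from terraform show -json), which is easier to review than raw build logs. The following added script (not part of the lab) summarises that file by change type and refuses approval by default when the plan deletes or replaces anything; the embedded plan is a constructed sample in the shape Terraform emits, and the function names are the author's own:

```python
"""Summarise a Terraform plan JSON (the myplan.json the Plan stage writes with
`terraform show -json tfapply`) so an approver sees what Apply will do.
Added example for this lab, not code from the original document."""
import json
from collections import Counter

# Constructed sample in the shape `terraform show -json` emits; only the
# fields this script reads are included.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"]}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"actions": ["update"]}},
        {"address": "aws_iam_role.old", "type": "aws_iam_role",
         "change": {"actions": ["delete"]}},
    ],
})

def classify(actions):
    """Map one resource change's `actions` list to a single verb."""
    if "delete" in actions and "create" in actions:
        return "replace"  # destroy-then-create or create-before-destroy
    return actions[0]     # no-op, create, read, update or delete

def summarise_plan(plan_text):
    """Return (counts, destructive): a Counter of verbs and the addresses
    that will be deleted or replaced, which the approver must examine."""
    counts, destructive = Counter(), []
    for rc in json.loads(plan_text).get("resource_changes", []):
        verb = classify(rc["change"]["actions"])
        counts[verb] += 1
        if verb in ("delete", "replace"):
            destructive.append(f"{rc['address']} ({verb})")
    return counts, destructive

def approval_allowed(plan_text, allow_destructive=False):
    """Gate: a plan with deletes or replacements needs explicit opt-in."""
    return allow_destructive or not summarise_plan(plan_text)[1]

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    counts, destructive = summarise_plan(text)
    print("Plan summary:", dict(counts), "destructive:", destructive)
    sys.exit(0 if approval_allowed(text) else 1)
```

Download myplan.json from the Plan stage's output artifact and run the script on it before approving; a non-zero exit means the plan destroys or replaces resources.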
Monitoring Deployments
1. Navigate to the CodePipeline console
2. Select your pipeline to view its status
3. Click on specific stages to view detailed logs
4. For build stages, you can view detailed logs in CloudWatch Logs
Infrastructure Destruction (Optional)
To tear down the deployed infrastructure:
1. Navigate to the CodeBuild console
2. Select the TerraformDestroyBuildProject
3. Click "Start build"
4. Review the logs to confirm successful destruction

Best Practices
• State Management: Configure Terraform to use an S3 backend for state storage
• Variable Management: Use environment variables in CodeBuild for sensitive values
• Pipeline as Code: Store the pipeline configuration in version control
• Testing: Test Terraform configurations locally before pushing to the pipeline
• Security: Follow the least privilege principle when configuring IAM roles
• Documentation: Maintain documentation for the infrastructure being deployed

Troubleshooting
Common Issues and Solutions
Issue                          | Possible Solution
CodeBuild failure              | Check CloudWatch Logs for error details
Terraform state conflicts      | Configure remote state locking with DynamoDB
S3 access denied               | Verify IAM permissions for the CodeBuild role
Manual approval timeout        | Approvals expire after 7 days by default
Terraform initialization fails | Ensure proper backend configuration

Cleanup
To avoid ongoing charges, remove all resources when finished:

Automated Cleanup
1. Run the Terraform destroy project
2. Delete the CloudFormation stack
Manual Cleanup
1. Run the Terraform destroy project
2. Delete the CodePipeline
3. Delete the CodeBuild projects
4. Delete the SNS topic and subscription
5. Empty and delete all S3 buckets
6. Delete the IAM roles
Conclusion
You have successfully set up a CI/CD pipeline for Terraform infrastructure deployment using
AWS CodePipeline. This pipeline helps standardize your infrastructure deployments, enforce
proper review processes, and maintain consistent, version-controlled infrastructure.
