How to set Terraform Cloud environment variables from the command line?

Terraform Cloud is a SaaS platform for managing Terraform runs, state and variables. Once you have created a project you can set environment variables via the following page:

https://app.terraform.io/app/[organization]/workspaces/[workspace]/variables

These environment variables are then set when Terraform executes a run. Out of an abundance of a desire to automate this process, I have scripted the process of generating these environments variables:

$SubscriptionId = ""
$PrincipalName = "http://"
$SubscriptionUrl = "/subscriptions/$SubscriptionId"

az cloud set --name "AzureCloud" | Out-Null
az account set --subscription $SubscriptionId | Out-Null

$ServicePrincipal = az ad sp create-for-rbac --role="Owner" --scopes=$SubscriptionUrl --name $PrincipalName | ConvertFrom-Json

$env:ARM_CLIENT_ID=$ServicePrincipal.appId
$env:ARM_CLIENT_SECRET=$ServicePrincipal.password
$env:ARM_SUBSCRIPTION_ID=$SubscriptionId
$env:ARM_TENANT_ID=$ServicePrincipal.tenant

This works, however, I would like to extend the script to be able to push the variables to the appropriate Terraform Workspace. I am aware that there is a RESTful Variables API that I can call although I was hoping for a solution that used the terraform command-line interface rather than relying on parsing backend.tf and calling a REST API from a script.

You can use the Terraform Cloud provider to manage workspace configuration in Terraform Cloud in the same way as you might manage any other infrastructure objects with Terraform. For historical reasons the provider is named tfe, but it can be used to manage both Terraform Enterprise and Terraform Cloud.

In particular, you can use the tfe_variable resource type to manage both Terraform variables and environment variables for a workspace:

variable "environment_variables" {
  type = map(string)
}

variable "workspace_id" {
  type = string
}

provider "tfe" {
  hostname = "app.terraform.io" # Terraform Cloud
}

resource "tfe_variable" "test" {
  for_each = var.environment_variables

  key          = each.key
  value        = each.value
  category     = "env"
  workspace_id = var.workspace_id
}

To integrate this with the script you've already written, you could perhaps use PowerShell's JSON encoder to produce a file azure.tfvars.json with content like this:

{
  "workspace_id": "organization/workspace",
  "environment_variables": {
    "ARM_CLIENT_ID": "...",
    "ARM_CLIENT_SECRET": "...",
    "ARM_SUBSCRIPTION_ID": "...",
    "ARM_TENANT_ID": "..."
  }
}

You can then run the above Terraform configuration using a command like this:

terraform apply -var-file=azure.tfvars.json

When considering automation of this sort it's worth considering where the Terraform state snapshots for this "early" Terraform configuration would live. You could potentially create an additional Terraform Cloud workspace for this special configuration and be sure to configure it to not use remote operations, so that a local run of this one workspace can then arrange for your other workspace to support remote operations.

StackExchange DevOps Q#9888, answer score: 2