Terraform Environment Variables in AWS Instances

Introduction
Step-by-Step Guide
Code Example
Additional Notes
Summary
Conclusion
References

Introduction

Managing environment variables is crucial for configuring applications and services running on AWS EC2 instances. This guide explores different methods to effectively set environment variables, providing flexibility and security for your deployments. We'll cover direct instance configuration, leveraging infrastructure-as-code tools like Terraform, and utilizing AWS services like Systems Manager Parameter Store and Secrets Manager.

Step-by-Step Guide

Directly on the instance:
- Connect to your AWS instance via SSH.
- Open the desired shell startup file (e.g., ~/.bashrc, ~/.zshrc).
- Add your environment variable: export MY_VARIABLE="my_value".
- Save the file and reload the shell environment: source ~/.bashrc.
Using Terraform:
- For provider configuration:
  - Set environment variables like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY before running Terraform.
- Within Terraform code:
  - Define variables in your Terraform configuration files:
```
variable "instance_name" {
  type = string
  default = "my-instance"
}
```
  - Access variables within resources:
```
resource "aws_instance" "example" {
  tags = {
    Name = var.instance_name
  }
}
```
Other methods:
- AWS Systems Manager Parameter Store: Store variables securely and retrieve them within your applications.
- AWS Secrets Manager: Similar to Parameter Store, but specifically designed for secrets like database credentials.

Remember to choose the method that best suits your needs and security requirements.

Code Example

This code provides examples of setting environment variables for AWS instances using various methods. It demonstrates setting variables directly on an instance via SSH and modifying shell startup files. It also shows how to use Terraform to set variables during instance launch and manage them within Terraform code. Additionally, it includes examples of using AWS Systems Manager Parameter Store and AWS Secrets Manager to store and retrieve environment variables and secrets securely. The code snippets cover Bash, Terraform, and Python, emphasizing the need to adapt the examples to specific use cases and programming languages while prioritizing security best practices.

This guide provides code examples for the methods mentioned in the article to set environment variables for your AWS instances.

1. Directly on the Instance:

# Connect to your instance via SSH
ssh user@your-instance-ip

# Open your shell startup file (e.g., ~/.bashrc)
nano ~/.bashrc

# Add your environment variable
export MY_VARIABLE="my_value"

# Save the file and reload the shell environment
source ~/.bashrc

# Verify the variable is set
echo $MY_VARIABLE

2. Using Terraform:

a) Provider Configuration:

Set environment variables like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in your terminal before running Terraform commands.

export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"

b) Within Terraform Code:

# Define variables
variable "instance_name" {
  type = string
  default = "my-instance"
}

variable "my_variable" {
  type = string
  default = "my_value"
}

# Launch an EC2 instance
resource "aws_instance" "example" {
  ami           = "ami-0c55b31ad2299a761" # Replace with your desired AMI
  instance_type = "t2.micro"

  # Access variables within resources
  tags = {
    Name = var.instance_name
  }

  # Use user_data to set environment variable on instance launch
  user_data = <<-EOF
#!/bin/bash
echo "export MY_VARIABLE='${var.my_variable}'" >> /etc/environment
EOF
}

3. Other Methods:

a) AWS Systems Manager Parameter Store:

import boto3

# Create a SSM client
ssm = boto3.client('ssm')

# Set a parameter
response = ssm.put_parameter(
    Name='my-parameter',
    Value='my-value',
    Type='String',
)

# Retrieve a parameter
response = ssm.get_parameter(
    Name='my-parameter',
    WithDecryption=False
)

# Access the parameter value
parameter_value = response['Parameter']['Value']

# Use the parameter value in your application
print(f"My parameter value: {parameter_value}")

b) AWS Secrets Manager:

import boto3

# Create a Secrets Manager client
secrets_client = boto3.client('secretsmanager')

# Create a secret
response = secrets_client.create_secret(
    Name='my-secret',
    SecretString='{"username": "myuser", "password": "mypassword"}'
)

# Retrieve a secret
response = secrets_client.get_secret_value(
    SecretId='my-secret'
)

# Access the secret value
secret_value = json.loads(response['SecretString'])

# Use the secret values in your application
print(f"Username: {secret_value['username']}")
print(f"Password: {secret_value['password']}")

Remember to adapt these examples to your specific needs and programming language. Always prioritize security best practices when handling sensitive information like environment variables and secrets.

Additional Notes

General Considerations:

Security: Avoid hardcoding sensitive values directly in code or scripts. Use secure methods like AWS Secrets Manager or environment variables for sensitive data.
Persistence: Understand how environment variables are handled across instance restarts. Variables set directly in the shell session are lost upon logout. Use startup files or system-level configurations for persistence.
Scope: Be mindful of the scope of environment variables. Variables set at the instance level are accessible to all users and processes, while those set within a specific shell session are only available within that session.

Directly on the Instance:

Startup File Selection: The choice of startup file (~/.bashrc, ~/.zshrc, etc.) depends on the shell you are using. Ensure you are editing the correct file for your environment.
System-wide Variables: To set environment variables system-wide, use /etc/environment or /etc/profile. These files affect all users and sessions.

Using Terraform:

User Data: Terraform's user_data script allows you to execute commands on instance launch, including setting environment variables.
Remote State: Consider using a remote backend for Terraform state files to enable collaboration and prevent accidental loss of configuration.

Other Methods:

AWS Lambda Environment Variables: You can also set environment variables for AWS Lambda functions directly in the Lambda console or using infrastructure-as-code tools.
Configuration Management Tools: Tools like Ansible, Chef, and Puppet can automate the process of setting environment variables across multiple instances.

Best Practices:

Use descriptive variable names: Choose names that clearly indicate the purpose of the variable.
Document your environment variables: Maintain a central repository or documentation that lists all environment variables, their purpose, and how they are set.
Use a consistent naming convention: Adopt a standard format for variable names (e.g., using uppercase or underscores).
Regularly review and update environment variables: Ensure that values are current and that unused variables are removed.

Summary

This article outlines different methods for setting environment variables on AWS, catering to various use cases and security needs:

1. Directly on the Instance (Manual):

Ideal for quick, instance-specific variables.
Edit shell startup files (e.g., ~/.bashrc) and add export VARIABLE="value".
Reload the shell environment for changes to take effect.

2. Using Terraform (Infrastructure as Code):

Suitable for managing variables across multiple instances and environments.
Provider configuration: Set sensitive variables like AWS credentials before running Terraform.
Within Terraform code: Define variables and access them within resource configurations.

3. Other AWS Services:

AWS Systems Manager Parameter Store: Securely store and retrieve variables for applications.
AWS Secrets Manager: Specifically designed for managing sensitive data like database credentials.

The article emphasizes choosing the method that aligns with your specific requirements and prioritizes security best practices.

Conclusion

By understanding and implementing these methods, you can effectively manage environment variables for your AWS EC2 instances, ensuring your applications have the necessary configurations and secrets to operate securely and reliably. Remember to prioritize security, persistence, and scope when working with environment variables, and always follow best practices for documentation and consistency.

References

Docs overview | hashicorp/aws | Terraform | Terraform Registry | ... environment variables being automatically set by Kubernetes or manually for advanced usage. Instance profile credentials and Region. When the AWS Provider is ...
r/aws on Reddit: How do you setup environment variables when ... | Posted by u/Beautiful_Celery511 - 1 vote and 4 comments
How to configure environment variables in Hashicorp Terraform ... | Mar 7, 2019 ... Some providers all you to set provider credentials/configuration via environment variables directly. For example, in the case of the AWS ...
Environment Variables in Terraform : r/Terraform | Posted by u/UsualIndianJoe - 2 votes and 14 comments
Define input variables | Terraform | HashiCorp Developer | ... terraform init in the learn-terraform-aws-instance directory. Set the instance name with a variable. The current configuration includes a number of hard ...
What would be the best approach to set up environment variables ... | Posted by u/Time_Chemist_8566 - 8 votes and 15 comments
Terraform does not read AWS profile from environment variable #233 | This issue was originally opened by @boompig as hashicorp/terraform#8330. It was migrated here as part of the provider split. The original body of the issue is below. Terraform Version Terraform v0...
Terraform AWS Provider: How to Use & Examples | What is Terraform AWS provider? Learn how to authenticate using parameters in the provider configuration options and using environment variables.
Set up terraform (TF) and AWS CLI, build a simple EC2! | by ... | I was gifted a new-to-me laptop, and to keep my TF and AWS skills up-to-date, I am setting up the Terraform and AWS CLIs.