Where to run Terraform in a new Cloud tenancy

Question

If Terraform is supposed to deploy whole infrastructure from nothing to everything then where is that Terraform template suppose to run?

Due to security reasons we don't want to run the terraform apply outside of our own infrastructure but we also want to deploy everything via IaC, so does that mean we'll first have to manually create a VM in Azure where we install terraform cli and then run the template to deploy rest of the infrastructure? This doesn't sound right. Hope my question makes sense. Any help will be greatly appreciated.

Answer 1

Terraform unfortunately can't bootstrap itself, as it would need to read the storage accounts where it stores TF State, before starting the plan/apply.

It's not uncommon, to have a bootstrapping script to create the environment for terraform to run under, before running terraform to create the actual environment.

Footnote Once it's created/bootstrapped, there is no reason you couldn't import them in/maintain them via TF - but note, in a situation, for such as DR - you'll be back to the chicken and the egg scenario and would have to bootstrap again.

Answer 2

You can create all you need (such as a storage bucket) with Terraform, by using Terraform commands locally. This will result in a local state file. Locally might as well refer to anywhere in your network, including the Cloud Shell, for example.

You can later migrate the statefile to the storage bucket. You do this by adding a backend configuration to your code. You do know have all resources in the same IaC configuration and also in the same Terraform state.

Later if you wanted to get rid of that bucket (for example) you would have to do this process in reverse. That is the only drawback of this approach. This is due to the fact that this is indeed a chicken-and-egg problem.