0.11.13
Allow use of a token vaulted in a secret management tool like Vault or Conjur, rather than forcing it to be stored in the .terraformrc file.
Generating the .terraformrc file with the vaulted token works, but it's clunky and not as simple as setting an environment variable. Also, the token can easily be left readable in the .terraformrc file, and isn't cleared after session end like an environment variable.
Allow reading of token from environment variable like TF_REMOTE_TOKEN_[hostname]
I've implemented a simple credentials helper plugin terraform-credentials-env that can be used with existing Terraform releases to provide credentials from environment variables. This is a personal project rather than an official HashiCorp project, but I'm sharing it here in the hope that it's useful. (If you try it and have feedback, please leave that feedback in the project's own repository rather than in the Terraform repository, since it's not a part of Terraform.)
It meets the requirement of being explicit about which token belongs to which hostname by using an environment variable naming scheme that includes a transformed version of the hostname. For example, for Terraform Cloud the environment variable would be TF_TOKEN_app_terraform_io to specify the hostname app.terraform.io.
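To make the naming scheme above concrete, here is an added example (my own code, not the terraform-credentials-env plugin's source) of a credentials-helper-style lookup: it derives the TF_TOKEN_<hostname> variable name from a hostname and answers the helper's get verb with either the token or an empty object. The get verb and the {"token": ...} JSON shape are assumed from the credentials helper protocol, and hyphens becoming double underscores is an assumption the thread does not state.

```go
// Minimal credentials-helper-style lookup of a Terraform API token from an
// environment variable named after the hostname. Added example, not the
// terraform-credentials-env plugin's source.
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// EnvVarName maps a hostname to the TF_TOKEN_<host> variable name described
// in the thread: lowercased, dots become underscores. Hyphens becoming double
// underscores is an ASSUMPTION here (a hyphen is not valid in a variable name).
func EnvVarName(hostname string) string {
	h := strings.ToLower(strings.TrimSpace(hostname))
	h = strings.ReplaceAll(h, "-", "__")
	h = strings.ReplaceAll(h, ".", "_")
	return "TF_TOKEN_" + h
}

// Credentials is the JSON object a credentials helper prints for "get".
// With no token it must print an empty object so Terraform treats the host
// as having no stored credentials rather than failing.
type Credentials struct {
	Token string `json:"token,omitempty"`
}

// LookupToken resolves the token for hostname via the supplied env lookup
// (os.LookupEnv in real use; injected so it can be tested without touching
// the process environment). An unset or empty variable yields no token.
func LookupToken(hostname string, lookup func(string) (string, bool)) Credentials {
	if v, ok := lookup(EnvVarName(hostname)); ok && v != "" {
		return Credentials{Token: v}
	}
	return Credentials{}
}

// main implements only the "get <hostname>" verb of the helper protocol
// (the protocol's verbs and JSON shape are assumed, not quoted from the page).
func main() {
	if len(os.Args) != 3 || os.Args[1] != "get" {
		fmt.Fprintln(os.Stderr, "usage: terraform-credentials-example get <hostname>")
		os.Exit(1)
	}
	out, _ := json.Marshal(LookupToken(os.Args[2], os.LookupEnv))
	fmt.Println(string(out)) // {"token":"..."} or {} when the variable is unset
}
```

Because the token never touches disk, it disappears with the CI job's environment instead of lingering in a .terraformrc file.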
@apparentlymart I just ran into this setting up CI again and was wondering whether there's been any progress on making this more of a production-ready feature. Not having it makes Terraform Cloud significantly more cumbersome in normal use with all of the extra setup and configuration everywhere.
In case anyone else encounters it, here's what I ended up needing for a minimal GitLab CI configuration to validate Terraform files using the Docker image. This isn't horrible but it's definitely a bit more work than I would have liked:
stages:
  - validation
  - apply

default:
  image:
    name: hashicorp/terraform:light
    entrypoint:
      - "/usr/bin/env"
  before_script:
    - apk add --quiet --no-cache curl
    # Until https://github.com/hashicorp/terraform/issues/21275 is fixed we
    # need a plugin to authenticate to Terraform Cloud without needing to
    # create temporary files:
    - install -d ~/.terraform.d/plugins
    - cd ~/.terraform.d/plugins && curl -s --fail -LO https://github.com/apparentlymart/terraform-credentials-env/releases/download/v1.0.0/terraform-credentials-env_1.0.0_linux_amd64.zip && unzip terraform-credentials-env_1.0.0_linux_amd64.zip
    - echo 'credentials_helper "env" {}' > ~/.terraformrc
    - cd "${CI_PROJECT_DIR}" # This works around the Terraform Docker file not having a sensible VOLUME setup
    # This value is base64-encoded to work around limitations of GitLab CI's masking:
    - export TF_TOKEN_app_terraform_io=`echo $TERRAFORM_CLOUD_API_TOKEN | base64 -d`
    - terraform version
    - terraform init

validate:
  stage: validation
  tags:
    - docker
  script:
    - terraform validate
@acdha Thanks for the GL pipeline here. I think we're going to vendor it into our project though; anything credential-related seems too important to curl at build time.
@aarcro agreed - I actually have a Terraform-with-env-credentials Docker image but that was more work to share in an example.