A DevOps engineer configures Terraform authentication credentials for Alibaba Cloud, provisions a full infrastructure stack (VPC, ECS cluster, storage), then automates the entire Terraform workflow through a CI/CD pipeline so infrastructure changes are deployed on code commit.
Use this workflow when you need to version-control and automatically deploy a complete Alibaba Cloud environment (VPC, ECS instances, and storage) on every code commit. It eliminates manual console operations by chaining secure credential management, declarative infrastructure provisioning, and GitLab CI/CD execution into a single, auditable pipeline.
1. Scope the RAM identity used by the pipeline to AliyunVPCFullAccess and AliyunECSFullAccess, then inject temporary credentials into your runner via ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, and ALICLOUD_SECURITY_TOKEN.

2. Create backend.tf to store state in Alibaba Cloud OSS, preventing local drift and enabling team collaboration:

```hcl
terraform {
  backend "oss" {
    bucket = "tf-state-prod"
    key    = "infra/terraform.tfstate"
    region = "cn-hangzhou"
    lock   = true
  }
}
```

3. In main.tf, declare VPC, security groups, and ECS instances:

```hcl
resource "alicloud_vpc" "main" {
  vpc_name   = "prod-vpc"
  cidr_block = "172.16.0.0/16"
}

# alicloud_security_group.ecs_sg and alicloud_vswitch.main are declared
# alongside these resources in the same configuration.
resource "alicloud_instance" "web" {
  instance_type   = "ecs.t6-c1m2.large"
  security_groups = [alicloud_security_group.ecs_sg.id]
  vswitch_id      = alicloud_vswitch.main.id
}
```

4. Add alicloud_network_interface and alicloud_eip_association to ensure public reachability.

5. Create .gitlab-ci.yml to trigger Terraform on merge. Each job names its stage (otherwise GitLab places it in the default `test` stage, which is not in the list), and the plan output is passed to the apply job as an artifact:

```yaml
stages: [plan, apply]

plan:
  stage: plan
  script:
    - terraform init
    - terraform plan -out=tfplan
  artifacts:
    paths: [tfplan]
  only: [merge_requests, main]

apply:
  stage: apply
  script:
    - terraform init
    - terraform apply -auto-approve tfplan
  dependencies: [plan]
  only: [main]
```

6. Merge to main. The pipeline authenticates via RAM, executes terraform plan, and provisions the full stack via terraform apply.

The Git repository serves as the infrastructure source of truth. On commit, the CI/CD runner pulls the code, authenticates with Alibaba Cloud using temporary RAM credentials, and executes Terraform. Terraform calls Alibaba Cloud OpenAPI endpoints (ecs.aliyuncs.com, vpc.aliyuncs.com) to provision resources, while state is persisted and locked in an OSS bucket. ECS instances automatically inherit the VPC routing and security group rules defined in the .tf configuration.
Common pitfalls:

- Missing alicloud provider plugin: run terraform init before plan.
- Hardcoding access_key in .tf files instead of CI/CD variables risks leaks and violates compliance.
- Skipping oss backend locking causes terraform apply failures; always enable lock = true.
- Omitting alicloud_security_group_rule for ports 22/80 blocks post-deployment SSH/HTTP access.
- Unpinned required_providers leads to breaking API changes; pin version = "~> 1.200.0" for alicloud.

Q: How do I automate Terraform infrastructure deployment on Alibaba Cloud using a CI/CD pipeline?

A: Automating Terraform infrastructure deployment on Alibaba Cloud involves configuring authentication credentials, provisioning resources like VPCs and ECS clusters, and routing the workflow through a CI/CD pipeline that triggers on code commits. This setup combines the Terraform skills for authentication management, infrastructure provisioning, and continuous delivery automation with the ECS configuration tools.
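Two of the pitfalls above (static credentials in .tf files and an unpinned alicloud provider) can be caught in the plan job before anything reaches Alibaba Cloud. The script below is an added example, not part of the original page or of Terraform; the sample .tf text, the placeholder key value and the `audit_tf` function name are constructed for illustration.

```python
"""Pre-merge audit for .tf files: flags literal alicloud credentials and an
unpinned alicloud entry in required_providers. Exits non-zero on findings."""
import re
import sys
from typing import List

# Constructed sample input (not from the page): a hardcoded access key and a
# required_providers entry without a version constraint.
SAMPLE_TF = """
terraform {
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
    }
  }
}

provider "alicloud" {
  access_key = "LTAI_CONSTRUCTED_PLACEHOLDER"
  region     = "cn-hangzhou"
}
"""

# A quoted literal on the right-hand side; "${...}" interpolations and bare
# var.x references are not literals and are not flagged.
STATIC_CRED_RE = re.compile(
    r'^[ \t]*(access_key|secret_key|security_token)[ \t]*=[ \t]*"(?!\$\{)[^"]+"', re.M)
# The alicloud entry inside required_providers (provider "alicloud" {...} has no '=').
REQUIRED_ALICLOUD_RE = re.compile(r'alicloud[ \t]*=[ \t]*\{(.*?)\}', re.S)
PIN_RE = re.compile(r'version[ \t]*=[ \t]*"~>')


def audit_tf(text: str) -> List[str]:
    """Return one finding per violation; an empty list means the text passes."""
    findings = []
    for m in STATIC_CRED_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append(f"line {line}: static {m.group(1)} in .tf; "
                        "supply ALICLOUD_* as CI/CD variables instead")
    entry = REQUIRED_ALICLOUD_RE.search(text)
    if entry is None:
        findings.append("required_providers has no alicloud entry")
    elif not PIN_RE.search(entry.group(1)):
        findings.append('alicloud provider is unpinned; set version = "~> 1.200.0"')
    return findings


if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:] or ["<sample>"]:
        text = SAMPLE_TF if path == "<sample>" else open(path).read()
        for finding in audit_tf(text):
            print(f"{path}: {finding}")
            failed = True
    sys.exit(1 if failed else 0)
```

Run it as `python audit_tf.py *.tf` in the plan job so a non-zero exit stops the pipeline before terraform plan.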