Using hashicorp/jsii-terraform to use cdktf in gitlab

I’m attempting to use this image in a gitlab step so that I can deploy infrastructure.

Because the images are not for apple silicon - I cannot run them locally.

Here is what I have so far…


  • cd infrastructure

  • echo "Deploy review $env_name"

  • |
    terraform init
    … multiline init for terraform state held in gitlab…

  • pipenv install cdktf-cdktf-provider-azurerm

  • pipenv run ./

  • cdktf diff

The output is not clear to me yet.

$ terraform init \ # collapsed multi-line command
There are some problems with the CLI configuration:
│ Error: The specified plugin cache dir /root/.terraform.d/plugin-cache cannot be opened: stat /root/.terraform.d/plugin-cache: no such file or directory
As a result of the above problems, Terraform may not behave as intended.
Terraform initialized in an empty directory!
The directory has no Terraform configuration files. You may begin working
with Terraform immediately by creating Terraform configuration files.
$ pipenv install cdktf-cdktf-provider-azurerm
Warning: --system is intended to be used for Pipfile installation, not installation of specific packages. Aborting.
Usage: pipenv install [OPTIONS] [PACKAGES]...
ERROR:: See also: {} --deploy flag

… if I remove the pipenv install of the azurerm provider… when I run the - it complains the provider is not installed.

I’m just a little confused as to how to use cdktf in a cicd pipeline.

Hi @lucidguppy :wave:

In which directory do you run terraform init?

This does not seem to be directly related to CDKTF but rather to the Terraform CLI.
You could try to create the plugin-cache directory when you create your Docker container and see whether it solves things?

– Ansgar


This is no longer a problem - I created my own builder image and after some wrangling I got it to run correctly.

It would be nice if there was some documentation on getting CDKTF to run in a CI/CD pipeline (I might not be doing it in the most efficient manner).

Here’s my builder image Dockerfile

FROM node:21-bookworm
LABEL authors="me"
RUN apt update
RUN apt install -y python3 pipenv python3-pip python3.11-venv gpg lsb-release ca-certificates wget
RUN apt clean
RUN wget -O- | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
RUN echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list
RUN apt update && apt install -y terraform
RUN apt clean
RUN npm install --global cdktf-cli@latest
RUN curl -sL | bash
USER node

Here’s the cdktf json

  "language": "python",
  "app": "python",
  "projectId": "<<<MASKED>>>",
  "sendCrashReports": "false",
  "terraformProviders": ["random@~> 3.6.0","azurerm@~>3.85.0"],
  "terraformModules": [],
  "codeMakerOutput": "imports",
  "context": {

Here’s the pipeline section

deploy review:
  stage: deploy review
  tags:
    - saas-linux-small-amd64
  image: lucidguppy/cdktf:0.1.6
  only:
    - merge_requests
  variables:
    env_name: review/$CI_COMMIT_REF_SLUG
    LANG: "en_US.UTF-8"
  environment:
    name: review/$CI_COMMIT_REF_NAME
    on_stop: stop review
  script:
    - cd infrastructure
    - pipenv sync
    - pipenv install cdktf
    - pipenv run cdktf get
    - az login --service-principal -u $AZURE_APP_ID -p $AZURE_PRINCIPAL_PW --tenant $AZURE_TENANT_ID
    - pipenv run cdktf deploy --auto-approve '*'

Though I feel like the pipenv sync doesn’t really do anything - because I thought it would have installed the dependencies in the pipenv lock file - but the cdktf command states that they weren’t installed.

Also all of this takes a long time to run - wish it went faster…
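
A preflight step for a job like the one above, added here as an example and not code from the thread or from the CDKTF project: it checks that `cdktf.json` and `Pipfile.lock` are present, that the three `AZURE_*` variables used by the pipeline are set (without echoing their values), and that the plugin cache directory named in the error output exists. The function names and the `TF_PLUGIN_CACHE_DIR` fallback path are assumptions.

```shell
#!/bin/sh
# Added example: preflight for the CI job. preflight, require_var and
# ensure_plugin_cache are hypothetical helper names, not part of cdktf.
# In the job script, after "cd infrastructure": preflight . || exit 1

# Return 1 if the named CI variable is empty; never print its value.
require_var() {
    name=$1
    case $name in ''|*[!A-Za-z0-9_]*) return 2 ;; esac  # keep eval safe
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "preflight: variable $name is not set" >&2
        unset value
        return 1
    fi
    unset value
}

# Terraform does not create the plugin cache directory itself, so create it
# (owner-only) before any terraform or cdktf command runs.
# Assumption: the default below matches the path in the error shown on this
# page when HOME=/root.
ensure_plugin_cache() {
    dir=${TF_PLUGIN_CACHE_DIR:-$HOME/.terraform.d/plugin-cache}
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -w "$dir" ]
}

# Check one CDKTF project directory; the return status is the number of
# problems found (0 means the job can go on to pipenv sync and cdktf).
preflight() {
    project_dir=$1
    problems=0
    # pipenv sync installs from Pipfile.lock; cdktf reads cdktf.json.
    for f in cdktf.json Pipfile.lock; do
        if [ ! -f "$project_dir/$f" ]; then
            echo "preflight: $project_dir/$f not found" >&2
            problems=$((problems + 1))
        fi
    done
    for v in AZURE_APP_ID AZURE_PRINCIPAL_PW AZURE_TENANT_ID; do
        require_var "$v" || problems=$((problems + 1))
    done
    if ! ensure_plugin_cache; then
        echo "preflight: plugin cache directory is not usable" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}
```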