The latest articles on DEV Community by drewmullen (@drewmullen). https://dev.to/drewmullen https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F106743%2Fd9fb915c-8d3d-4bf1-8024-f3308ec9f185.jpeg https://dev.to/drewmullen en drewmullen Thu, 22 Jan 2026 22:10:57 +0000 https://dev.to/drewmullen/writing-terraform-resources-with-write-only-parameters-570j https://dev.to/drewmullen/writing-terraform-resources-with-write-only-parameters-570j <p>When building Terraform providers that handle sensitive data like passwords, API tokens, or secret keys, you'll eventually encounter the need for <strong>write-only parameters</strong>. These are values that should be sent to an API but never stored in Terraform state files.</p> <p>In this post, I'll walk through implementing write-only parameters in a Terraform provider, the challenges involved, and design options to consider.</p> <h2> What Are Write-Only Parameters? </h2> <p>Write-only parameters (introduced in Terraform 1.11) are resource arguments that:</p> <ul> <li>Are sent to the API during creation and updates</li> <li><strong>Never appear in the Terraform state file</strong></li> </ul> <p>This feature is crucial for security. Without write-only parameters, sensitive values like passwords would be stored in plaintext in your state files.</p> <p>Here's an example from my fork of the <a href="https://github.com/drewmullen/terraform-provider-aap/blob/main/internal/provider/eda_credential_resource.go" rel="noopener noreferrer">Event Drive Ansible (EDA)</a> provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"example"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-api-credential"</span> <span class="nx">credential_type_id</span> <span class="p">=</span> <span class="mi">1</span> <span class="c1"># Write-only: sent to API but NEVER stored in state</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"service-account"</span> <span class="nx">api_token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">api_token</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Design Considerations </h2> <h3> The <code>_version</code> Argument </h3> <p>Since Terraform's statefile does not manage the value of the secret, Terraform requires way to know if the secret must be updated. The standard solution to detecting changes in write-only parameters is to add a companion <code>_version</code> field that users must manually increment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"manual"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">new_password</span> <span class="p">})</span> <span class="c1"># User must increment this to trigger an update</span> <span class="nx">inputs_wo_version</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> </code></pre> </div> <p><strong>How updates work:</strong></p> <ol> <li>User updates the secret in <code>inputs_wo</code> </li> <li>User manually increments <code>inputs_wo_version</code> </li> <li>Terraform detects the version change and triggers an update</li> <li>The new secret is sent to the API</li> </ol> <p>This works, but it's <strong>not user-friendly</strong>. Users have to remember to:</p> <ul> <li>Increment the version every time they change secrets</li> <li>Track version numbers manually</li> </ul> <h3> Automatic Change Detection </h3> <p>Ideally, users shouldn't need to manage version numbers. They should just update the secret value and Terraform should detect the change automatically. But here's the problem:</p> <p><strong>If <code>inputs_wo</code> is write-only and not in state, how do we detect when it changes?</strong></p> <p>Lucikly, there is a solution: <strong>store a deterministic hash in private state</strong>.</p> <h4> Using Private State and Hashing </h4> <p>Terraform's plugin framework provides <a href="https://developer.hashicorp.com/terraform/plugin/framework/resources/private-state" rel="noopener noreferrer">private state</a> - a place to store provider-managed data that's:</p> <ul> <li>Stored in the state file (so it persists)</li> <li>Not visible to users (doesn't appear in <code>terraform show</code>)</li> <li>Perfect for storing things like hashes</li> </ul> <p>Here's the implementation approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Create operation</span> <span class="k">func</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">EDACredentialResource</span><span class="p">)</span> <span class="n">Create</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">resource</span><span class="o">.</span><span class="n">CreateRequest</span><span class="p">,</span> <span class="n">resp</span> <span class="o">*</span><span class="n">resource</span><span class="o">.</span><span class="n">CreateResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">data</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">Plan</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">data</span><span class="p">)</span> <span class="c">// Calculate SHA-256 hash of the inputs</span> <span class="n">inputsHash</span> <span class="o">:=</span> <span class="n">calculateInputsHash</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">InputsWO</span><span class="o">.</span><span class="n">ValueString</span><span class="p">())</span> <span class="c">// Store hash in private state (JSON-wrapped for validity)</span> <span class="n">hashJSON</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">`{"hash":"%s"}`</span><span class="p">,</span> <span class="n">inputsHash</span><span class="p">)</span> <span class="n">resp</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">SetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">,</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">hashJSON</span><span class="p">))</span> <span class="c">// Set auto-managed version</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="o">=</span> <span class="n">tftypes</span><span class="o">.</span><span class="n">Int64Value</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="c">// ... send to API and save state ...</span> <span class="p">}</span> <span class="k">func</span> <span class="n">calculateInputsHash</span><span class="p">(</span><span class="n">inputs</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">sha256</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">h</span><span class="o">.</span><span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="n">inputs</span><span class="p">))</span> <span class="k">return</span> <span class="n">hex</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">h</span><span class="o">.</span><span class="n">Sum</span><span class="p">(</span><span class="no">nil</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>In the Update operation, we compare hashes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">EDACredentialResource</span><span class="p">)</span> <span class="n">Update</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">resource</span><span class="o">.</span><span class="n">UpdateRequest</span><span class="p">,</span> <span class="n">resp</span> <span class="o">*</span><span class="n">resource</span><span class="o">.</span><span class="n">UpdateResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">data</span><span class="p">,</span> <span class="n">state</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">Plan</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">data</span><span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">State</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">state</span><span class="p">)</span> <span class="c">// Get stored hash from private state</span> <span class="n">oldHashBytes</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">req</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">GetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">)</span> <span class="k">var</span> <span class="n">hashWrapper</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Hash</span> <span class="kt">string</span> <span class="s">`json:"hash"`</span> <span class="p">}</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">oldHashBytes</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">hashWrapper</span><span class="p">)</span> <span class="n">oldHash</span> <span class="o">:=</span> <span class="n">hashWrapper</span><span class="o">.</span><span class="n">Hash</span> <span class="c">// Calculate new hash</span> <span class="n">newHash</span> <span class="o">:=</span> <span class="n">calculateInputsHash</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">InputsWO</span><span class="o">.</span><span class="n">ValueString</span><span class="p">())</span> <span class="k">if</span> <span class="n">newHash</span> <span class="o">!=</span> <span class="n">oldHash</span> <span class="p">{</span> <span class="c">// Inputs changed! Auto-increment version</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="o">=</span> <span class="n">tftypes</span><span class="o">.</span><span class="n">Int64Value</span><span class="p">(</span><span class="n">state</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">ValueInt64</span><span class="p">()</span> <span class="o">+</span> <span class="m">1</span><span class="p">)</span> <span class="c">// Update stored hash</span> <span class="n">hashJSON</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">`{"hash":"%s"}`</span><span class="p">,</span> <span class="n">newHash</span><span class="p">)</span> <span class="n">resp</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">SetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">,</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">hashJSON</span><span class="p">))</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// No change, keep version as-is</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="o">=</span> <span class="n">state</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="p">}</span> <span class="c">// ... send to API and save state ...</span> <span class="p">}</span> </code></pre> </div> <p>Now users can just update the secret and Terraform automatically detects it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"auto"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">new_password</span> <span class="c1"># Just change this!</span> <span class="p">})</span> <span class="c1"># inputs_wo_version auto-increments (computed field)</span> <span class="p">}</span> </code></pre> </div> <h2> Best of both worlds </h2> <p>While automatic detection is convenient, some users may not want a hash of their secrets stored in state - even if it's SHA-256 and in private state. The hash is still derived from the secret value.</p> <p><strong>Solution: Support both modes</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">EDACredentialResource</span><span class="p">)</span> <span class="n">Create</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">resource</span><span class="o">.</span><span class="n">CreateRequest</span><span class="p">,</span> <span class="n">resp</span> <span class="o">*</span><span class="n">resource</span><span class="o">.</span><span class="n">CreateResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">data</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">Plan</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">data</span><span class="p">)</span> <span class="k">var</span> <span class="n">versionToSet</span> <span class="n">tftypes</span><span class="o">.</span><span class="n">Int64</span> <span class="k">if</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsNull</span><span class="p">()</span> <span class="o">||</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsUnknown</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Auto-managed mode: store hash</span> <span class="n">inputsHash</span> <span class="o">:=</span> <span class="n">calculateInputsHash</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">InputsWO</span><span class="o">.</span><span class="n">ValueString</span><span class="p">())</span> <span class="n">hashJSON</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">`{"hash":"%s"}`</span><span class="p">,</span> <span class="n">inputsHash</span><span class="p">)</span> <span class="n">resp</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">SetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">,</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">hashJSON</span><span class="p">))</span> <span class="n">versionToSet</span> <span class="o">=</span> <span class="n">tftypes</span><span class="o">.</span><span class="n">Int64Value</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// Manual mode: user provided version, don't store hash</span> <span class="n">versionToSet</span> <span class="o">=</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="p">}</span> <span class="c">// ... rest of create logic ...</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="o">=</span> <span class="n">versionToSet</span> <span class="p">}</span> </code></pre> </div> <p>Schema definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="s">"inputs_wo_version"</span><span class="o">:</span> <span class="n">schema</span><span class="o">.</span><span class="n">Int64Attribute</span><span class="p">{</span> <span class="n">Optional</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Computed</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">PlanModifiers</span><span class="o">:</span> <span class="p">[]</span><span class="n">planmodifier</span><span class="o">.</span><span class="n">Int64</span><span class="p">{</span> <span class="n">int64planmodifier</span><span class="o">.</span><span class="n">UseStateForUnknown</span><span class="p">(),</span> <span class="p">},</span> <span class="n">Description</span><span class="o">:</span> <span class="s">"Version number for managing credential updates. "</span> <span class="o">+</span> <span class="s">"If not set, the provider will automatically detect changes to inputs_wo "</span> <span class="o">+</span> <span class="s">"using a SHA-256 hash stored in private state. If set manually, you "</span> <span class="o">+</span> <span class="s">"control when the credential is updated by incrementing this value yourself."</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Users can choose their preferred mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Auto-managed (default)</span> <span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"auto"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"auto-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">pwd</span> <span class="p">})</span> <span class="c1"># version auto-increments</span> <span class="p">}</span> <span class="c1"># Manual control</span> <span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"manual"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"manual-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">pwd</span> <span class="p">})</span> <span class="nx">inputs_wo_version</span> <span class="p">=</span> <span class="mi">1</span> <span class="c1"># I control this</span> <span class="p">}</span> </code></pre> </div> <h2> Handling Mode Switching </h2> <p>Unfortunately, a weakness of this design is that its not possible to "switch modes". Why?</p> <ul> <li> <strong>Auto → Manual</strong>: If a user suddenly sets <code>inputs_wo_version</code>, do we remove the hash? What if they're just trying to force an update?</li> <li> <strong>Manual → Auto</strong>: We'd need to create a hash, but we can't compare it to the old inputs (they're write-only and not in state), so we can't tell if inputs changed during the transition</li> </ul> <p>Even if we could find a way to handle this, the logic in your resource becomes complex and error-prone.</p> <p><strong>Better approach: Prevent mode switching</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">EDACredentialResource</span><span class="p">)</span> <span class="n">Update</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">resource</span><span class="o">.</span><span class="n">UpdateRequest</span><span class="p">,</span> <span class="n">resp</span> <span class="o">*</span><span class="n">resource</span><span class="o">.</span><span class="n">UpdateResponse</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Determine current mode from private state</span> <span class="n">oldHashBytes</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">req</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">GetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">)</span> <span class="n">wasAutoManaged</span> <span class="o">:=</span> <span class="n">oldHashBytes</span> <span class="o">!=</span> <span class="no">nil</span> <span class="c">// Determine desired mode from config</span> <span class="k">var</span> <span class="n">configModel</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">Config</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">configModel</span><span class="p">)</span> <span class="n">isNowManual</span> <span class="o">:=</span> <span class="o">!</span><span class="n">configModel</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsNull</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">configModel</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsUnknown</span><span class="p">()</span> <span class="k">var</span> <span class="n">state</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">State</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">state</span><span class="p">)</span> <span class="n">wasManual</span> <span class="o">:=</span> <span class="o">!</span><span class="n">wasAutoManaged</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">state</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsNull</span><span class="p">()</span> <span class="c">// Prevent mode switching</span> <span class="k">if</span> <span class="n">wasAutoManaged</span> <span class="o">&amp;&amp;</span> <span class="n">isNowManual</span> <span class="p">{</span> <span class="n">resp</span><span class="o">.</span><span class="n">Diagnostics</span><span class="o">.</span><span class="n">AddError</span><span class="p">(</span> <span class="s">"Cannot switch from auto-managed to manual version management"</span><span class="p">,</span> <span class="s">"The inputs_wo_version field was previously auto-managed. Once auto-managed, "</span><span class="o">+</span> <span class="s">"it cannot be switched to manual mode. If you need to manually control the version, "</span><span class="o">+</span> <span class="s">"you must recreate the resource with inputs_wo_version set from the start."</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">if</span> <span class="n">wasManual</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">isNowManual</span> <span class="p">{</span> <span class="n">resp</span><span class="o">.</span><span class="n">Diagnostics</span><span class="o">.</span><span class="n">AddError</span><span class="p">(</span> <span class="s">"Cannot switch from manual to auto-managed version management"</span><span class="p">,</span> <span class="s">"The inputs_wo_version field was previously manually managed. Once manually managed, "</span><span class="o">+</span> <span class="s">"it cannot be switched to auto mode. If you need auto-managed version control, "</span><span class="o">+</span> <span class="s">"you must recreate the resource without setting inputs_wo_version."</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// ... rest of update logic for the chosen mode ...</span> <span class="p">}</span> </code></pre> </div> <p>This gives users a clear error message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Cannot switch from auto-managed to manual version management The inputs_wo_version field was previously auto-managed. Once auto-managed, it cannot be switched to manual mode. If you need to manually control the version, you must recreate the resource with inputs_wo_version set from the start. </code></pre> </div> <h2> Key Takeaways </h2> <p>When implementing write-only parameters in Terraform providers:</p> <ol> <li> <strong>Use private state for hashes</strong> - It's stored but not visible to users</li> <li> <strong>Support both auto and manual modes</strong> - Give users choice for their security preferences</li> </ol> <p>The complete implementation provides a great user experience while respecting privacy concerns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Most users: auto-managed, no version to track</span> <span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"api"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"api-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">token</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Privacy-conscious users: manual control, no hash stored</span> <span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"secure"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"secure-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">token</span> <span class="p">})</span> <span class="nx">inputs_wo_version</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> </code></pre> </div> <p>Both approaches are valid. Both are clear. And switching between them requires a resource recreation, which is easy to communicate and reason about.</p> <p><em>Have you implemented write-only parameters in your Terraform provider? What challenges did you face? Let me know in the comments!</em></p> terraform go infrastructure devops drewmullen Fri, 27 Jun 2025 14:10:43 +0000 https://dev.to/drewmullen/making-terraform-workspaces-in-the-same-project-2nhd https://dev.to/drewmullen/making-terraform-workspaces-in-the-same-project-2nhd <p>I am working on a artifact for helping TFE users provide some self service (to be unveiled soon!). One of the things I needed to do was provide a repeatable way to have a tfe workspace create workspaces in the same project. At first I thought I'd need a new data source for this since the tfe data sources require <code>organization</code> and at the very least.</p> <p>Turns out I can do it today with some magic <a href="https://developer.hashicorp.com/terraform/cloud-docs/run/run-environment" rel="noopener noreferrer">runtime env vars</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"TFC_WORKSPACE_SLUG"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"TFC_PROJECT_ID"</span> <span class="p">{}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">org_name</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span><span class="nx">var</span><span class="p">.</span><span class="nx">TFC_WORKSPACE_SLUG</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"tfe_workspace"</span> <span class="s2">"ws"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"new-ws"</span> <span class="nx">organization</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">org_name</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">TFC_PROJECT_ID</span> <span class="p">}</span> </code></pre> </div> <p>Executing that code in a TFE workspace will let you create workspaces without knowing the organization name or project! Niche but pretty nifty!</p> terraform hcptf tfc tfe drewmullen Wed, 12 Feb 2025 15:55:56 +0000 https://dev.to/drewmullen/setting-a-multi-line-variable-as-an-env-in-terraform-cloud-28b1 https://dev.to/drewmullen/setting-a-multi-line-variable-as-an-env-in-terraform-cloud-28b1 <p>In this post I will describe the exploration I did after running into a problem trying to setup temporary auth to my kubernetes cluster with Terraform. I will first describe the problem(s) and several ways to solve them.</p> <h2> Preamble </h2> <p>I auth to my homelab k8s cluster using PEM keys. Being a long time Terraform user I almost always auth to a provider using environment variables. This allows me to decouple auth from the HCL, prevent secrets from getting into the statefile, and often allows completely avoiding defining a particular provider block, relying on the <a href="https://developer.hashicorp.com/terraform/language/providers/configuration#provider-configuration-1" rel="noopener noreferrer">"empty default configuration"</a>.</p> <p>Terraform Cloud (TFC) (recently rebranded to HCP TF) allows setting variables outside of the code and in the web ui instead (WS Vars). You can set WS Vars as either type <code>terraform</code> or type <code>env</code>. Type <code>terraform</code> behaves exactly like setting <code>-var myname=drew</code>. Only problem is that type <code>env</code> vars cannot be multi-line which breaks PEM validity.</p> <h2> Solutions </h2> <h3> Ephemeral Variables! </h3> <p>Starting Terraform v1.10 HashiCorp introduced ephemeral resource types as well as <a href="https://developer.hashicorp.com/terraform/language/values/variables#exclude-values-from-state" rel="noopener noreferrer">ephemeral variables</a>. This allows me to set the PEM in a WS Var type <code>terraform</code> but not expose to the statefile. It does require me to hardcode the provider version and auth.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"kube_client_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Private key data for authenticating to k8s."</span> <span class="nx">ephemeral</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">client_certificate</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">kube_client_certificate</span> <span class="nx">client_key</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">kube_client_key</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydf6ysf9larzhzbj04nd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydf6ysf9larzhzbj04nd.png" alt="Image description" width="800" height="102"></a></p> <h3> Base64 &amp; TF_VAR_ </h3> <p>You can pass the multi-line content base64 encoded then leverage terraform's <code>base64decode()</code> function in a <a href="https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_var_name" rel="noopener noreferrer">TF_VAR_</a>. This allows using an env variable but still requires hardcoding the auth. This solution doesn't make much sense for me but it is an option<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">client_key</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">kubekey</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5nle8evnr7o8e8z2rw0p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5nle8evnr7o8e8z2rw0p.png" alt="Image description" width="800" height="494"></a></p> <h3> Dynamic K8s Access </h3> <p>You can setup a trust between TFC and your k8s cluster. This is my end game but on the back burner while I figure out how I plan to organize somethings</p> <p>Doc Link: <a href="https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/kubernetes-configuration" rel="noopener noreferrer">https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/kubernetes-configuration</a></p> <h3> E1it3 Hax </h3> <p>This last option is totally unexpected but actually quite interesting. Turns out that part of TFC's implementation is that WS Vars that are type <code>terraform</code> are also written to agents as environment variables. This means that you can create a WS Var in TFC that matches the naming convention of the expected provider env var and it will still work. This does not require you to create Terraform HCL for the vars but it does surface a warning. You can suppress the warning by providing a empty variable with the same name and NOT defining it in the provider block.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr6uqpsqk00ss8ost0uzu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr6uqpsqk00ss8ost0uzu.png" alt="Image description" width="800" height="83"></a></p> <p>To suppress the warning just insert a variable with the corresponding name and a default value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"KUBE_CLIENT_KEY_DATA"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">""</span> <span class="p">}</span> </code></pre> </div> <h2> Salutation </h2> <p>I hope this is helpful to you. Choose the solution that fits your use-case best!</p> drewmullen Tue, 21 Jan 2025 18:32:07 +0000 https://dev.to/drewmullen/deploy-cloudflare-tunnels-with-terraform-kubernetes-fh7 https://dev.to/drewmullen/deploy-cloudflare-tunnels-with-terraform-kubernetes-fh7 <p>This blog will give you a brief overview for exposing services from a private network to the public network using zero trust tool, CloudFlare Zero Trust Tunnels. They have a generous free tier that you can leverage. <strong>Please note</strong> that this post does not encompass a fully prescriptive set of security best practices, merely it gets the setup working. Getting this right took me longer than I expected. Hopefully its helpful to you.</p> <p>Due to to my homelab setup, namespaces are created by ArgoCD which kicks off ahead of terraform apply. You may need to make a namespace <code>cloudflared</code>.</p> <h3> Access </h3> <p>Based on the guide from <a href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/terraform/" rel="noopener noreferrer">cloudflares docs</a> you'll need to create a API token:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xjrky3tav51clwpw1zy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xjrky3tav51clwpw1zy.png" alt="Image description" width="749" height="273"></a></p> <p><em>Note: When creating your api token know that "Cloudflare Tunnel" <strong>is not the same thing</strong> as Zero Trust in their permissions. This was confusing to me because tunnels are now named "zero trust tunnels". For the sake of permissions make sure you provider "Cloudflare Tunnel: Edit".</em></p> <h3> Terraform </h3> <p>The following code deploys a single tunnel and sets up DNS records for all sites indicated in "services". TLS verify is disabled below so update it if you want.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"cloudflare_zone_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Zone ID for your domain"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cloudflare_account_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Account ID for your Cloudflare account"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cloudflare_email"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Email address for your Cloudflare account"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"services"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Values for the services to be exposed via Cloudflare Tunnel"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">hostname</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># public domain name. ex: "service.example.com"</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># private service endpoint. ex: service.apps.internaldomain.com</span> <span class="p">}))</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">cf_tunnel_secret</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="s2">"AccountTag"</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cloudflare_account_id</span><span class="k">}</span><span class="s2">"</span><span class="p">,</span> <span class="s2">"TunnelSecret"</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">base64sha256</span><span class="p">(</span><span class="nx">random_password</span><span class="p">.</span><span class="nx">tunnel_secret</span><span class="p">.</span><span class="nx">result</span><span class="p">)</span><span class="k">}</span><span class="s2">"</span><span class="p">,</span> <span class="s2">"TunnelID"</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">cloudflare_zero_trust_tunnel_cloudflared</span><span class="p">.</span><span class="nx">homelab</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">"</span> <span class="p">})</span> <span class="nx">ingress_rules</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">service</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">services</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">hostname</span> <span class="p">=</span> <span class="nx">service</span><span class="p">.</span><span class="nx">hostname</span> <span class="nx">origin_request</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">no_tls_verify</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">service</span><span class="p">.</span><span class="nx">service</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"random_password"</span> <span class="s2">"tunnel_secret"</span> <span class="p">{</span> <span class="nx">length</span> <span class="p">=</span> <span class="mi">64</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"cloudflare_zero_trust_tunnel_cloudflared"</span> <span class="s2">"homelab"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"homelab-tunnel"</span> <span class="nx">config_src</span> <span class="p">=</span> <span class="s2">"cloudflare"</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cloudflare_account_id</span> <span class="nx">tunnel_secret</span> <span class="p">=</span> <span class="nx">base64sha256</span><span class="p">(</span><span class="nx">random_password</span><span class="p">.</span><span class="nx">tunnel_secret</span><span class="p">.</span><span class="nx">result</span><span class="p">)</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"cloudflare_zero_trust_tunnel_cloudflared_config"</span> <span class="s2">"homelab"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cloudflare_account_id</span> <span class="nx">tunnel_id</span> <span class="p">=</span> <span class="nx">cloudflare_zero_trust_tunnel_cloudflared</span><span class="p">.</span><span class="nx">homelab</span><span class="p">.</span><span class="nx">id</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ingress</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">ingress_rules</span><span class="p">,</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">origin_request</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">connect_timeout</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">keep_alive_connections</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">keep_alive_timeout</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">tcp_keep_alive</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">tls_timeout</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">service</span> <span class="p">=</span> <span class="s2">"http_status:503"</span> <span class="p">},</span> <span class="p">])</span> <span class="nx">warp_routing</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"cloudflare_credentials"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"tunnel-credentials"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"cloudflared"</span> <span class="p">}</span> <span class="k">data</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"credentials.json"</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">cf_tunnel_secret</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"cloudflare_dns_record"</span> <span class="s2">"vault_homelab_tunnel"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">services</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cloudflare_zone_id</span> <span class="nx">comment</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="k">}</span><span class="s2"> tunnel record"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">join</span><span class="p">(</span><span class="s2">"."</span><span class="p">,</span> <span class="p">[</span><span class="nx">cloudflare_zero_trust_tunnel_cloudflared</span><span class="p">.</span><span class="nx">homelab</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="s2">"cfargotunnel.com"</span><span class="p">])</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">hostname</span> <span class="nx">proxied</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="p">}</span> </code></pre> </div> <h3> Kubernetes manifest: </h3> <p>In my setup, k8s resources are mostly deployed via ArgoCD. Below, this manifest deploys cloudflared pod and connects it to the tunnel <code>homelab-tunnel</code> from your account. It authenticates via the public cloudflare API using credentials from a kubernetes secret <code>tunnel-credentials</code> which is created by Terraform.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">replicas</span><span class="pi">:</span> <span class="s">1</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">image</span><span class="pi">:</span> <span class="s">cloudflare/cloudflared:latest</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">tunnel</span> <span class="pi">-</span> <span class="s">--credentials-file</span> <span class="pi">-</span> <span class="s">/etc/cloudflared/creds/credentials.json</span> <span class="pi">-</span> <span class="s">--protocol</span> <span class="c1"># https://github.com/cloudflare/cloudflared/issues/1176#issuecomment-2404546711</span> <span class="pi">-</span> <span class="s">http2</span> <span class="c1"># didnt seem to need the sysctl changes</span> <span class="pi">-</span> <span class="s">--metrics</span> <span class="pi">-</span> <span class="s">0.0.0.0:2000</span> <span class="pi">-</span> <span class="s">run</span> <span class="pi">-</span> <span class="s">homelab-tunnel</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ready</span> <span class="na">port</span><span class="pi">:</span> <span class="m">2000</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">1</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">creds</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/cloudflared/creds</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">creds</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">tunnel-credentials</span> </code></pre> </div> <p><em>Disclaimer: The following code stores the secret to joining your tunnel in your terraform statefile in 2 locations <code>random_password.tunnel_secret</code> and <code>cloudflare_zero_trust_tunnel_cloudflared.homelab</code>. With 1.10 we have ephemeral resources which will remove that but the random provider <a href="https://github.com/hashicorp/terraform-provider-random/pull/625" rel="noopener noreferrer">doesnt have it yet</a>. Hopefully it will be <a href="https://github.com/cloudflare/terraform-provider-cloudflare/issues/4921" rel="noopener noreferrer">removed from tunnel resource once available</a>.</em></p> cloudflare tunnels terraform k8s drewmullen Mon, 02 Dec 2024 20:21:58 +0000 https://dev.to/drewmullen/terraform-state-with-native-s3-locking-1fck https://dev.to/drewmullen/terraform-state-with-native-s3-locking-1fck <p>Terraform has many popular mechanisms for storing its state file. While I have grown quite fond of <a href="https://developer.hashicorp.com/terraform/tutorials/cloud-get-started/cloud-sign-up" rel="noopener noreferrer">HCP Terraform</a>, there are occasional scenarios where I want to use <a href="https://developer.hashicorp.com/terraform/language/backend/s3" rel="noopener noreferrer">S3 backend</a> to hold my Terraform state files. </p> <p>Best practice when sharing a state file among multiple parties is to have a locking mechanism, to avoid concurrent writes from corrupting the Terraform state. This prevents 2 parties from clobbering each other if they happen to be working on the same infrastructure at the same time.</p> <p>Starting in <a href="https://github.com/hashicorp/terraform/releases/tag/v1.10.0" rel="noopener noreferrer">Terraform v1.10</a> the S3 backend features S3 native state locking. Prior to this feature state file lock setups required access to a DynamoDB table - which can be completely foregone now!</p> <h2> How? </h2> <p>Lets start by creating a S3 bucket that has the required settings:</p> <p><em>Note: It is common to create the S3 state file bucket outside of Terraform. However, you <strong>can</strong> create the bucket with Terraform, its just generally not advised. Example shell commands below</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ BUCKET_NAME</span><span class="o">=</span><span class="s2">"&lt;your bucket name&gt;"</span> <span class="nv">$ REGION</span><span class="o">=</span><span class="s2">"us-east-1"</span> <span class="nv">$ </span>aws s3api create-bucket <span class="se">\</span> <span class="nt">--bucket</span> <span class="nv">$BUCKET_NAME</span> <span class="se">\</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="nv">$ </span>aws s3api put-bucket-versioning <span class="se">\</span> <span class="nt">--bucket</span> <span class="nv">$BUCKET_NAME</span> <span class="se">\</span> <span class="nt">--versioning-configuration</span> <span class="nv">Status</span><span class="o">=</span>Enabled </code></pre> </div> <h2> Using the bucket </h2> <p>Create a new <code>backend.tf</code> file (or add this block to an existing .tf file). Make sure you fill in the bucket name!</p> <p>Below we use the parameter <code>use_lockfile</code> which is an experimental feature that enforces using the s3 buckets lock file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="err">&lt;</span><span class="nx">bucket</span> <span class="nx">name</span><span class="err">&gt;</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"backend/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">use_lockfile</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Wrapping up </h2> <p>For a deep dive on this feature I recommend you read through the <a href="https://github.com/hashicorp/terraform/pull/35661" rel="noopener noreferrer">initial PR</a> by <a class="mentioned-user" href="https://dev.to/bschaatsbergen">@bschaatsbergen</a> who wrote this great feature</p> <h2> Optional: Create bucket using Terraform </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"backend"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">bucket_name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"backend"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">backend</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Edited 12/19 to remove ObjectLock which is not required. Kudos to <a class="mentioned-user" href="https://dev.to/philippe_robitaille_f3908">@philippe_robitaille_f3908</a></strong></p> terraform aws s3lockfile drewmullen Thu, 16 Nov 2023 15:59:07 +0000 https://dev.to/drewmullen/aws-creds-in-the-cli-via-sso-122i https://dev.to/drewmullen/aws-creds-in-the-cli-via-sso-122i <h2> Problem </h2> <p>Do you often need credentials in your AWS CLI? </p> <p>Are you overly familiar with this screen (AWS SSO start page)?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fllw0whs9617785ohgrqa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fllw0whs9617785ohgrqa.png" alt="Image description" width="560" height="572"></a></p> <p>If you do not have AWS SSO setup, check out the <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html" rel="noopener noreferrer">AWS documentation</a> then come back to this post!</p> <h2> A better credential experience </h2> <p>Yesterday I learned from my colleague <a class="mentioned-user" href="https://dev.to/danquack">@danquack</a> a fun feature built into the AWS CLI. If you already have AWS SSO configured for your Org and are using the GUI to get credentials, follow this post and you can expect an improved AWS CLI credential management experience. </p> <p>My new, simpler process to get temporary creds from SSO:</p> <h4> Specify which profile I want and login: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">export </span><span class="nv">AWS_PROFILE</span><span class="o">=</span>&lt;<span class="o">&gt;</span> <span class="nv">$ </span>aws sso login </code></pre> </div> <h4> Confirm the authorization request in my browser: </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8kqsydxrgml5jw5km8e5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8kqsydxrgml5jw5km8e5.png" alt="Image description" width="800" height="1122"></a></p> <p>Boom! Now my CLI has usable temporary credentials!</p> <h2> Setup </h2> <p>This setup is honestly extremely simple. AWS provides a guided CLI wizard and ill show the examples below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws configure sso SSO session name <span class="o">(</span>Recommended<span class="o">)</span>: WARNING: Configuring using legacy format <span class="o">(</span>e.g. without an SSO session<span class="o">)</span><span class="nb">.</span> Consider re-running <span class="s2">"configure sso"</span> <span class="nb">command </span>and providing a session name. SSO start URL <span class="o">[</span>https://example.awsapps.com/start#/]: SSO region <span class="o">[</span>us-east-1]: There are 2 AWS accounts available to you. <span class="o">&gt;</span> DeveloperAccount, developer-account-admin@example.com <span class="o">(</span>123456789011<span class="o">)</span> ProductionAccount, production-account-admin@example.com <span class="o">(</span>123456789022<span class="o">)</span> Using the account ID 123456789011 The only role available to you is: AdministratorAccess Using the role name <span class="s2">"AdministratorAccess"</span> CLI default client Region <span class="o">[</span>us-east-1]: us-east-2 CLI default output format <span class="o">[</span>None]: CLI profile name <span class="o">[</span>AdministratorAccess-&lt;<span class="o">&gt;]</span>: providerdev </code></pre> </div> <ul> <li>There are 2 questions regarding region. The first is the region SSO is setup in. The second is the default region you want your CLI setup to use.</li> <li>Setting a profile name <code>providerdev</code> is now the name ill set for <code>export AWS_PROFILE=providerdev</code> </li> </ul> <p>Once that is complete you can see the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat</span> <span class="nt">-p</span> ~/.aws/config <span class="o">[</span>profile providerdev] sso_start_url <span class="o">=</span> https://example.awsapps.com/start#/ sso_region <span class="o">=</span> us-east-1 sso_account_id <span class="o">=</span> 123456789011 sso_role_name <span class="o">=</span> AdministratorAccess region <span class="o">=</span> us-east-2 </code></pre> </div> <h2> Summary </h2> <p>AWS SSO is a great service for providing temporary credentials to known identities in your organization. The new command <code>aws sso login</code> will help you and your engineers get credentials fast, easy, and securely!</p> aws sso credentials drewmullen Thu, 12 Jan 2023 14:06:56 +0000 https://dev.to/drewmullen/implement-rollback-with-terraform-5f7d https://dev.to/drewmullen/implement-rollback-with-terraform-5f7d <p>There's no magic here, friends.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ terraform apply # fails $ git checkout HEAD~ # checkout the prior commit $ terraform apply </code></pre> </div> <p>You can checkout a specific commit sha with:<br> <code>git checkout &lt;commit sha&gt;</code></p> <p>I don't recommend using this with any stateful resource types... RDS, EKS, etc. </p> terraform rollback cloudformation drewmullen Fri, 04 Mar 2022 18:57:38 +0000 https://dev.to/drewmullen/terraform-variable-validation-with-samples-1ank https://dev.to/drewmullen/terraform-variable-validation-with-samples-1ank <p>Terraform allows you to validate variable input in using <a href="https://www.terraform.io/language/values/variables#custom-validation-rules" rel="noopener noreferrer">validation blocks</a> using custom <code>condition</code> and yielding a custom <code>error_message</code>. Below are some examples:</p> <p><em><strong>Note:</strong> Please share your common validation rules you've written and I'll update here</em></p> <p><strong>Update</strong>: Please check out this awesome project by <a class="mentioned-user" href="https://dev.to/bschaatsbergen">@bschaatsbergen</a> that provides built in functions for assertions: <a href="https://github.com/bschaatsbergen/terraform-provider-assert" rel="noopener noreferrer">https://github.com/bschaatsbergen/terraform-provider-assert</a></p> <h2> Strings </h2> <h3> String may not contain character </h3> <p>Scenario: String may not contain a <code>/</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_may_not_contain"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"test"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Value cannot contain a </span><span class="se">\"</span><span class="s2">/</span><span class="se">\"</span><span class="s2">."</span> <span class="nx">condition</span> <span class="p">=</span> <span class="err">!</span><span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_may_not_contain</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> String with valid options </h3> <p>Scenario: Here we have a string and we only allow to values "approved" or "disapproved". I show 2 examples of the same check using different methods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_only_valid_options"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"approved"</span> <span class="c1"># using regex</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^(approved|disapproved)$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_only_valid_options</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Invalid input, options: </span><span class="se">\"</span><span class="s2">approved</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">disapproved</span><span class="se">\"</span><span class="s2">."</span> <span class="p">}</span> <span class="c1"># using contains()</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"approved"</span><span class="p">,</span> <span class="s2">"disapproved"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_only_valid_options</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Invalid input, options: </span><span class="se">\"</span><span class="s2">approved</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">disapproved</span><span class="se">\"</span><span class="s2">."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Valid AWS Region Name </h3> <p>Scenario: string must be like AWS region<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_like_aws_region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"[a-z][a-z]-[a-z]+-[1-9]"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_like_aws_region</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Must be valid AWS Region names."</span> <span class="p">}</span> </code></pre> </div> <h3> Valid IAM Role Name </h3> <p>Scenario: Your string must be a valid IAM role name<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_valid_iam_role_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"MyCoolRole"</span> <span class="c1"># arn example: "arn:aws:iam::123456789012:role/MyCoolRole"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-zA-Z][a-zA-Z</span><span class="err">\\</span><span class="s2">-</span><span class="err">\\</span><span class="s2">_0-9]{1,64}$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_valid_iam_role_name</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"IAM role name must start with letter, only contain letters, numbers, dashes, or underscores and must be between 1 and 64 characters."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Valid IPv4 CIDR </h3> <p>Scenario: Your string input needs to look like a IPv4 CIDR. Thank you <a class="mentioned-user" href="https://dev.to/entscheidungsproblem">@entscheidungsproblem</a> for <a href="https://dev.to/entscheidungsproblem/comment/21moa">reporting</a> and providing a fix for <code>/32</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_like_valid_ipv4_cidr"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">string_like_valid_ipv4_cidr</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Must be valid IPv4 CIDR."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Semantic Version </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"semv1"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.57.123"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Must be valid semantic version."</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^(0|[1-9]</span><span class="err">\\</span><span class="s2">d*)</span><span class="err">\\</span><span class="s2">.(0|[1-9]</span><span class="err">\\</span><span class="s2">d*)</span><span class="err">\\</span><span class="s2">.(0|[1-9]</span><span class="err">\\</span><span class="s2">d*)(?:-((?:0|[1-9]</span><span class="err">\\</span><span class="s2">d*|</span><span class="err">\\</span><span class="s2">d*[a-zA-Z-][0-9a-zA-Z-]*)(?:</span><span class="err">\\</span><span class="s2">.(?:0|[1-9]</span><span class="err">\\</span><span class="s2">d*|</span><span class="err">\\</span><span class="s2">d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:</span><span class="err">\\</span><span class="s2">+([0-9a-zA-Z-]+(?:</span><span class="err">\\</span><span class="s2">.[0-9a-zA-Z-]+)*))?$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">semv1</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Maps </h2> <h3> Map with optional conflicting keys </h3> <p>Scenario: You have a map variable and 2 keys conflict, in this case, you can only set either <code>cidr</code> or <code>netmask</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"only_one_optional_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">cidrs</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">))</span> <span class="nx">netmask</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">number</span><span class="p">)</span> <span class="p">})</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test"</span> <span class="p">}</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Can only specify either </span><span class="se">\"</span><span class="s2">cidrs</span><span class="se">\"</span><span class="s2">, or </span><span class="se">\"</span><span class="s2">netmask</span><span class="se">\"</span><span class="s2">."</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">setintersection</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">only_one_optional_key</span><span class="p">),</span> <span class="p">[</span><span class="s2">"cidrs"</span><span class="p">,</span> <span class="s2">"netmask"</span><span class="p">]))</span> <span class="p">==</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Numbers </h3> <h3> Number within a range </h3> <p>Scenario: number must be between 1-16. <br> Thanks: <a class="mentioned-user" href="https://dev.to/tlindsay42">@tlindsay42</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"num_in_range"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">num_in_range</span> <span class="err">&gt;</span><span class="p">=</span> <span class="mi">1</span> <span class="err">&amp;&amp;</span> <span class="nx">var</span><span class="p">.</span><span class="nx">num_in_range</span> <span class="err">&lt;</span><span class="p">=</span> <span class="mi">16</span> <span class="err">&amp;&amp;</span> <span class="nx">floor</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">num_in_range</span><span class="p">)</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">num_in_range</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Accepted values: 1-16."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If you liked this post, please like. If you think it would be helpful in the future as a reference, please bookmark!</p> terraform linting drewmullen Wed, 02 Feb 2022 20:03:11 +0000 https://dev.to/drewmullen/terraform-boilerplate-common-awsami-searches-5hcg https://dev.to/drewmullen/terraform-boilerplate-common-awsami-searches-5hcg <p>Searching for AMI's is not fun. Here are some you might be searching for:</p> <h3> Amazon Linux 2 (latest): </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"amazon_linux_2"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amazon"</span><span class="p">]</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amzn2-ami-hvm-*-x86_64-ebs"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Graviton 2 </h3> <h3> RHEL 7 (latest) </h3> <p>Thanks: <a class="mentioned-user" href="https://dev.to/wsarwariamzn">@wsarwariamzn</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"rhel_7"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"309956199498"</span><span class="p">]</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"RHEL-7.9_HVM_GA*-x86_64-0-Hourly2-GP2"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Please send me more and I'll include them in this post!</p> terraform boilerplate aws drewmullen Wed, 29 Dec 2021 19:31:07 +0000 https://dev.to/drewmullen/terraform-provider-block-for-every-aws-region-1dkp https://dev.to/drewmullen/terraform-provider-block-for-every-aws-region-1dkp <p>Boilerplate HCL for your module writing needs! Did I miss any?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{}</span> <span class="c1">#### NORTHERN VIRGINIA : us-east-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="c1">#### OHIO : us-east-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us-east-2"</span> <span class="p">}</span> <span class="c1">#### NORTHERN CALIFORNIA : us-west-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-west-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us-west-1"</span> <span class="p">}</span> <span class="c1">#### OREGON : us-west-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-west-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us-west-2"</span> <span class="p">}</span> <span class="c1">#### CANADA : ca-central-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ca-central-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ca-central-1"</span> <span class="p">}</span> <span class="c1">#### MUMBAI : ap-south-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-south-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-south-1"</span> <span class="p">}</span> <span class="c1">//#### OSAKA_LOCAL : ap-northeast-3</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-northeast-3"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-northeast-3"</span> <span class="p">}</span> <span class="c1">#### SEOUL : ap-northeast-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-northeast-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-northeast-2"</span> <span class="p">}</span> <span class="c1">#### SINGAPORE : ap-southeast-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-southeast-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-southeast-1"</span> <span class="p">}</span> <span class="c1">#### SYDNEY : ap-southeast-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-southeast-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-southeast-2"</span> <span class="p">}</span> <span class="c1">#### TOKYO : ap-northeast-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-northeast-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-northeast-1"</span> <span class="p">}</span> <span class="c1">#### FRANKFHURT : eu-central-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-central-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-central-1"</span> <span class="p">}</span> <span class="c1">#### IRELAND : eu-west-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="c1">#### LONDON : eu-west-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-west-2"</span> <span class="p">}</span> <span class="c1">#### MILAN : eu-south-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-south-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-south-1"</span> <span class="p">}</span> <span class="c1">#### PARIS : eu-west-3</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-3"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-west-3"</span> <span class="p">}</span> <span class="c1">#### STOCKHOLM : eu-north-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="p">}</span> <span class="c1">#### SAO PAULO : sa-east-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"sa-east-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"sa-east-1"</span> <span class="p">}</span> </code></pre> </div> <p>Including these but I had trouble if I included<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">//#### SOUTH AFRICA : af-south-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"af-south-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"af-south-1"</span> <span class="p">}</span> <span class="c1">//#### HONG KONG : ap-east-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-east-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-east-1"</span> <span class="p">}</span> <span class="c1">//#### MIDDLE EAST: me-south-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"me-south-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"me-south-1"</span> <span class="p">}</span> </code></pre> </div> drewmullen Wed, 01 Dec 2021 19:34:02 +0000 https://dev.to/drewmullen/terraform-compare-lists-of-maps-3l1c https://dev.to/drewmullen/terraform-compare-lists-of-maps-3l1c <p>Say you want to compare 2 lists with n maps in them. You're not sure, in fact you're certain, that the order cannot be relied upon. How can do do this?</p> <p>The term is <a href="https://www.terraform.io/docs/language/functions/setsubtract.html#set-difference-symmetric-difference-" rel="noopener noreferrer"><em>Symmetric Difference</em></a>. I figured this out as part of my delve into <a href="https://www.terraform.io/docs/language/modules/testing-experiment.html" rel="noopener noreferrer">terraform test</a>. Here's how you can do it:</p> <p>main.tf:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">tag_set_1</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="s2">"Key"</span><span class="err">:</span> <span class="s2">"workspace"</span><span class="p">,</span> <span class="s2">"Value"</span><span class="err">:</span> <span class="s2">"default"</span> <span class="p">},</span> <span class="p">{</span> <span class="s2">"Key"</span><span class="err">:</span> <span class="s2">"terraform"</span><span class="p">,</span> <span class="s2">"Value"</span><span class="err">:</span> <span class="s2">"true"</span> <span class="p">},</span> <span class="p">{</span> <span class="s2">"Key"</span><span class="err">:</span> <span class="s2">"environment"</span><span class="p">,</span> <span class="s2">"Value"</span><span class="err">:</span> <span class="s2">"drew"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">tag_set_2</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="s2">"Key"</span><span class="err">:</span> <span class="s2">"workspace"</span><span class="p">,</span> <span class="s2">"Value"</span><span class="err">:</span> <span class="s2">"default"</span> <span class="p">},</span> <span class="p">{</span> <span class="s2">"Key"</span><span class="err">:</span> <span class="s2">"environment"</span><span class="p">,</span> <span class="s2">"Value"</span><span class="err">:</span> <span class="s2">"drew"</span> <span class="p">},</span> <span class="p">{</span> <span class="s2">"Key"</span><span class="err">:</span> <span class="s2">"terraform"</span><span class="p">,</span> <span class="s2">"Value"</span><span class="err">:</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="k">output</span> <span class="nx">equality_check</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">setunion</span><span class="p">(</span><span class="nx">setsubtract</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">tag_set_2</span><span class="p">,</span> <span class="kd">local</span><span class="p">.</span><span class="nx">tag_set_1</span><span class="p">),</span> <span class="nx">setsubtract</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">tag_set_1</span><span class="p">,</span> <span class="kd">local</span><span class="p">.</span><span class="nx">tag_set_2</span><span class="p">)))</span> <span class="p">==</span> <span class="mi">0</span> <span class="p">}</span> </code></pre> </div> <p>Try it out!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ terraform apply Outputs: equality_check = true </code></pre> </div> <p>Try it out locally using <code>terraform console</code> (instead of <code>terraform apply</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ echo 'length(setunion(setsubtract(local.tag_set_2, local.tag_set_1), setsubtract(local.tag_set_1, local.tag_set_2))) == 0' | terraform console true </code></pre> </div> terraform drewmullen Fri, 12 Nov 2021 19:43:52 +0000 https://dev.to/drewmullen/vscode-terraform-provider-development-setup-debugging-6bn https://dev.to/drewmullen/vscode-terraform-provider-development-setup-debugging-6bn <p><em>Edit May 2022: This guide now reflects allowing resolution of the service via relative file paths. Previously you had to specify the service via environment variable <code>PKG_NAME=&lt;specific aws service&gt;</code>, now instead you set <code>"env": {"PKG_NAME": "${relativeFileDirname}"}</code> in <code>launch.json</code> and the service is automagically resolved. Thanks to <a class="mentioned-user" href="https://dev.to/gdavison">@gdavison</a> for solving this!</em> </p> <p>To setup debugging while writing to the AWS Terraform Provider, create a <code>.vscode</code> dir in the root of your clone <code>terraform-provider-aws</code> local repo then create a <code>launch.json</code> &amp; <code>private.env</code> inside that <code>.vscode</code> directory.</p> <h2> Setup </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ git clone git@github.com:hashicorp/terraform-provider-aws.git $ mkdir terraform-provider-aws/.vscode </code></pre> </div> <h3> Create launch.json </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ cat &lt;&lt; 'EOF' &gt; terraform-provider-aws/.vscode/launch.json { // Use IntelliSense to learn about possible attributes. // Hover to view descriptions of existing attributes. // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 "version": "0.2.0", "configurations": [ { "name": "Launch a test function", "type": "go", "request": "launch", "mode": "auto", "program": "${fileDirname}", "env": {"PKG_NAME": "${relativeFileDirname}"}, "args": [ "-test.v", "-test.run", "^${selectedText}$" ], "showLog": true, "envFile": "${workspaceFolder}/.vscode/private.env" } ] } EOF </code></pre> </div> <h3> Create private.env </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ cat &lt;&lt; 'EOF' &gt; terraform-provider-aws/.vscode/private.env TF_ACC=1 TF_LOG=INFO GOFLAGS='-mod=readonly' EOF </code></pre> </div> <h2> Usage </h2> <p>Reload VSCode and source a profile for terraform's acc tests to use. You can do this by either opening vscode from a terminal with a profile set or by using <a href="https://marketplace.visualstudio.com/items?itemName=AmazonWebServices.aws-toolkit-vscode" rel="noopener noreferrer">the AWS Toolkit</a>.</p> <p>Set break-points in your <code>&lt;resource_name&gt;.go</code> file, highlight the test you want to run and click the green "play" button in VSCode debug panel (top left). <em>Note: if you click any other play buttons, it may not work. It must be the debug pane play button that says "launch a function".</em> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flymzqf86zycy28gbpgar.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flymzqf86zycy28gbpgar.png" alt="Image description" width="800" height="295"></a></p> <p>This one!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcjpf2e1e202h7li70iaf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcjpf2e1e202h7li70iaf.png" alt="Image description" width="212" height="102"></a></p> <p>If you found this helpful, please leave me a like :D It helps with many algorithms including my self esteem calculation</p> terraform aws development debugging