The latest articles on Forem by drewmullen (@drewmullen). https://forem.com/drewmullen https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F106743%2Fd9fb915c-8d3d-4bf1-8024-f3308ec9f185.jpeg https://forem.com/drewmullen en drewmullen Fri, 17 Apr 2026 13:49:16 +0000 https://forem.com/drewmullen/migrating-a-terraform-module-to-ephemeral-resources-without-breaking-existing-users-g2o https://forem.com/drewmullen/migrating-a-terraform-module-to-ephemeral-resources-without-breaking-existing-users-g2o <p>Terraform's ephemeral resources are a genuinely useful addition — secrets that are used during an apply but never written to state. </p> <p>If you're a <strong>module maintainer</strong>, adopting ephemerals isn't as simple as swapping one block for another. You have existing users. Their state files already have the old resource tracked. Changing to an ephemeral version of the resource will blow away their managed resource.</p> <p>To illustrate the issue, we'll pretend to be updating a module that generates a TLS private key and stores it in a Vault KV secret. This post documents the problem and a solution with an extra tid-bit that I learned.</p> <h2> The Setup </h2> <p>The original module was straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"tls_private_key"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">mount</span> <span class="p">=</span> <span class="s2">"kvv2"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mytls"</span> <span class="nx">data_json</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">.</span><span class="nx">private_key_pem</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The private key ends up in state. Vault KV ends up with a copy. Works fine, but the key is <strong>visible to anyone with state access.</strong></p> <p>The goal: keep this working for existing users, while letting new users opt into ephemeral key generation — where the key is used to write to Vault but is never persisted to state.</p> <h2> The Naive Approach (and Why It Fails) </h2> <p>The obvious move is a variable toggle with a local to abstract the logic away from the resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"use_ephemeral_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"tls_private_key"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">1</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="nx">ephemeral</span> <span class="s2">"tls_private_key"</span> <span class="s2">"ephemeral"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">private_key_pem</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="nx">ephemeral</span><span class="p">.</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">ephemeral</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">private_key_pem</span> <span class="err">:</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">private_key_pem</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">1</span> <span class="nx">mount</span> <span class="p">=</span> <span class="s2">"kvv2"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mytls"</span> <span class="nx">data_json</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">private_key_pem</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Running this produces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>│ Error: Invalid use of ephemeral value │ │ with vault_kv_secret_v2.legacy, │ on updated.tf line 34, <span class="k">in </span>resource <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span>: │ 34: data_json <span class="o">=</span> jsonencode<span class="o">({</span> private_key <span class="o">=</span> local.private_key_pem <span class="o">})</span> │ │ Ephemeral values are not valid <span class="k">for</span> <span class="s2">"data_json"</span>, because it is not a │ write-only attribute and must be persisted to state. </code></pre> </div> <h3> Why This Happens </h3> <p>The fundamental rule is: <strong>ephemeral values can only flow into write-only attributes</strong>. <code>data_json</code> must be persisted to state, so it can never accept an ephemeral value. That's true whether the ephemeral value arrives directly or through a local.</p> <p>The shared local makes this worse in a subtle way. Terraform's ephemeral taint propagation is <strong>static</strong>, not runtime. Because one branch of the <code>local.private_key_pem</code> conditional references an ephemeral value, <strong>the entire local is marked ephemeral</strong> — regardless of which branch actually executes at runtime. So even if you reasoned "when <code>use_ephemeral_key = false</code>, the local resolves to a non-ephemeral value," Terraform doesn't do branch-aware type narrowing. The local is tainted, and the error fires before it even reaches <code>data_json</code>.</p> <p>The fix is to never route ephemeral and non-ephemeral values through the same expression. <code>vault_kv_secret_v2</code> has two relevant attributes: <code>data_json</code> (regular, persists to state) and <code>data_json_wo</code> (write-only, accepts ephemeral values). Use them conditionally on the same resource, keeping each attribute's expression isolated to its own value source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">mount</span> <span class="p">=</span> <span class="s2">"kvv2"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mytls"</span> <span class="nx">data_json</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="kc">null</span> <span class="err">:</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">one</span><span class="p">(</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[*].</span><span class="nx">private_key_pem</span><span class="p">)</span> <span class="p">})</span> <span class="nx">data_json_wo</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">one</span><span class="p">(</span><span class="nx">ephemeral</span><span class="p">.</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">ephemeral</span><span class="p">[*].</span><span class="nx">private_key_pem</span><span class="p">)</span> <span class="p">})</span> <span class="err">:</span> <span class="kc">null</span> <span class="nx">data_json_wo_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="nx">var</span><span class="p">.</span><span class="nx">secret_version</span> <span class="err">:</span> <span class="kc">null</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why <code>data_json_wo_version</code>:</strong> Terraform never reads back write-only attributes, so it has no way to diff them. Without a version signal, the Vault secret is written on initial create and then never updated — even if the key changes. <code>data_json_wo_version</code> is an integer Terraform does track in state; when it changes, Terraform re-writes the secret. Users increment <code>var.secret_version</code> whenever they want to force a rotation.</p> <p><strong>Why <code>one()</code> instead of <code>[0]</code>:</strong> Both key resources use <code>count</code> — only one is active at a time. Referencing <code>resource[0]</code> when <code>count = 0</code> errors at plan time even when the ternary condition would skip that branch, because Terraform resolves resource instance addresses before evaluating expressions. The splat + <code>one()</code> pattern returns <code>null</code> for an empty collection instead of erroring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">one</span><span class="err">(</span><span class="nx">tls_private_key</span><span class="err">.</span><span class="nx">legacy</span><span class="p">[*]</span><span class="err">.</span><span class="nx">private_key_pem</span><span class="err">)</span> <span class="c1"># null when count = 0, actual value when count = 1</span> </code></pre> </div> <p>The outer ternary ensures that <code>null</code> never reaches <code>jsonencode</code>, so neither attribute ends up with an unexpected <code>{"private_key":null}</code> payload.</p> <p><strong>Rule to internalize:</strong> ephemeral values can only ever terminate at ephemeral attributes (write-only, or ephemeral such as provider blocks). Don't route them through any expression that also serves a non-write-only path.</p> <h2> The Second Problem: <code>moved</code> Blocks </h2> <p>The original module had no <code>count</code> on either resource. Adding <code>count</code> to <code>tls_private_key.legacy</code> changes its state address:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td><code>tls_private_key.legacy</code></td> <td><code>tls_private_key.legacy[0]</code></td> </tr> </tbody> </table></div> <p>Terraform treats these as different resources. Without intervention, it will <strong>destroy</strong> the old address and <strong>create</strong> a new one — generating a brand new private key in the process. For existing users, that's an unannounced key rotation.</p> <p><code>vault_kv_secret_v2.legacy</code> keeps no <code>count</code>, so its address doesn't change and needs no intervention. Only the TLS key resource needs a <code>moved</code> block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">moved</span> <span class="p">{</span> <span class="nx">from</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span> <span class="nx">to</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This tells Terraform to update the state address in place — no destroy, no create, no key rotation. On the next plan, existing users will see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># tls_private_key.legacy has moved to tls_private_key.legacy[0] </code></pre> </div> <p>Leave the <code>moved</code> block in for at least one release cycle so users who haven't applied yet still get a clean migration. It can be removed in a future major version once the old address no longer exists in any user's state.</p> <h2> The Complete Solution </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">moved</span> <span class="p">{</span> <span class="nx">from</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span> <span class="nx">to</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"use_ephemeral_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Use ephemeral key generation (key never written to state). New deployments should set true."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"secret_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Increment to trigger a re-write of the Vault secret. Only relevant when use_ephemeral_key = true."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="c1"># Legacy path — key stored in state</span> <span class="nx">resource</span> <span class="s2">"tls_private_key"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">1</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="c1"># Ephemeral path — key never written to state</span> <span class="nx">ephemeral</span> <span class="s2">"tls_private_key"</span> <span class="s2">"ephemeral"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">mount</span> <span class="p">=</span> <span class="s2">"kvv2"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mytls"</span> <span class="nx">data_json</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="kc">null</span> <span class="err">:</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">one</span><span class="p">(</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[*].</span><span class="nx">private_key_pem</span><span class="p">)</span> <span class="p">})</span> <span class="nx">data_json_wo</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">one</span><span class="p">(</span><span class="nx">ephemeral</span><span class="p">.</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">ephemeral</span><span class="p">[*].</span><span class="nx">private_key_pem</span><span class="p">)</span> <span class="p">})</span> <span class="err">:</span> <span class="kc">null</span> <span class="nx">data_json_wo_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="nx">var</span><span class="p">.</span><span class="nx">secret_version</span> <span class="err">:</span> <span class="kc">null</span> <span class="p">}</span> </code></pre> </div> <h2> Versioning Strategy </h2> <p>With this in place, the recommended release approach is:</p> <ul> <li> <strong>Current minor version</strong>: ship the toggle with <code>default = false</code>. Existing users are unaffected. New users can opt in with <code>use_ephemeral_key = true</code>.</li> <li> <strong>Next major version</strong>: flip the default to <code>true</code>. Document the change. Users upgrading from the old version need to either set <code>use_ephemeral_key = false</code> explicitly to preserve legacy behavior, or accept that a new key will be generated on their next apply.</li> </ul> <p>The <code>moved</code> blocks handle the state address migration for everyone regardless of which path they're on.</p> automation devops terraform tutorial drewmullen Thu, 16 Apr 2026 19:35:48 +0000 https://forem.com/drewmullen/migrating-a-terraform-module-to-ephemeral-resources-without-breaking-existing-users-l58 https://forem.com/drewmullen/migrating-a-terraform-module-to-ephemeral-resources-without-breaking-existing-users-l58 <p>Terraform's ephemeral resources are a genuinely useful addition — secrets that are used during an apply but never written to state. </p> <p>If you're a <strong>module maintainer</strong>, adopting ephemerals isn't as simple as swapping one block for another. You have existing users. Their state files already have the old resource tracked. Changing to an ephemeral version of the resource will blow away their managed resource.</p> <p>To illustrate the issue, we'll pretend to be updating a module that generates a TLS private key and stores it in a Vault KV secret. This post documents the problem and a solution with an extra tid-bit that I learned.</p> <h2> The Setup </h2> <p>The original module was straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"tls_private_key"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">mount</span> <span class="p">=</span> <span class="s2">"kvv2"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mytls"</span> <span class="nx">data_json</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">.</span><span class="nx">private_key_pem</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The private key ends up in state. Vault KV ends up with a copy. Works fine, but the key is <strong>visible to anyone with state access.</strong></p> <p>The goal: keep this working for existing users, while letting new users opt into ephemeral key generation — where the key is used to write to Vault but is never persisted to state.</p> <p>For solution TL;DR see The Complete Solution below</p> <h2> The Naive Approach (and Why It Fails) </h2> <p>The obvious move is a variable toggle with a local to abstract the logic away from the resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"use_ephemeral_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"tls_private_key"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">1</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="nx">ephemeral</span> <span class="s2">"tls_private_key"</span> <span class="s2">"ephemeral"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">private_key_pem</span> <span class="p">=</span> <span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="nx">ephemeral</span><span class="p">.</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">ephemeral</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">private_key_pem</span> <span class="err">:</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">private_key_pem</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">1</span> <span class="nx">mount</span> <span class="p">=</span> <span class="s2">"kvv2"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mytls"</span> <span class="nx">data_json</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">private_key_pem</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Running this produces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>│ Error: Invalid use of ephemeral value │ │ with vault_kv_secret_v2.legacy, │ on updated.tf line 34, <span class="k">in </span>resource <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span>: │ 34: data_json <span class="o">=</span> jsonencode<span class="o">({</span> private_key <span class="o">=</span> local.private_key_pem <span class="o">})</span> │ │ Ephemeral values are not valid <span class="k">for</span> <span class="s2">"data_json"</span>, because it is not a │ write-only attribute and must be persisted to state. </code></pre> </div> <h3> Why This Happens </h3> <p>The fundamental rule is: <strong>ephemeral values can only flow into write-only attributes</strong>. <code>data_json</code> must be persisted to state, so it can never accept an ephemeral value. That's true whether the ephemeral value arrives directly or through a local.</p> <p>The shared local makes this worse in a subtle way. Terraform's ephemeral taint propagation is <strong>static</strong>, not runtime. Because one branch of the <code>local.private_key_pem</code> conditional references an ephemeral value, <strong>the entire local is marked ephemeral</strong> — regardless of which branch actually executes at runtime. So even if you reasoned "when <code>use_ephemeral_key = false</code>, the local resolves to a non-ephemeral value," Terraform doesn't do branch-aware type narrowing. The local is tainted, and the error fires before it even reaches <code>data_json</code>.</p> <p>The fix is to never route ephemeral and non-ephemeral values through the same expression. <code>vault_kv_secret_v2</code> has two relevant attributes: <code>data_json</code> (regular, persists to state) and <code>data_json_wo</code> (write-only, accepts ephemeral values). Use them conditionally on the same resource, keeping each attribute's expression isolated to its own value source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">mount</span> <span class="p">=</span> <span class="s2">"kvv2"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mytls"</span> <span class="nx">data_json</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="kc">null</span> <span class="err">:</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">one</span><span class="p">(</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[*].</span><span class="nx">private_key_pem</span><span class="p">)</span> <span class="p">})</span> <span class="nx">data_json_wo</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">one</span><span class="p">(</span><span class="nx">ephemeral</span><span class="p">.</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">ephemeral</span><span class="p">[*].</span><span class="nx">private_key_pem</span><span class="p">)</span> <span class="p">})</span> <span class="err">:</span> <span class="kc">null</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why <code>one()</code> instead of <code>[0]</code>:</strong> Both key resources use <code>count</code> — only one is active at a time. Referencing <code>resource[0]</code> when <code>count = 0</code> errors at plan time even when the ternary condition would skip that branch, because Terraform resolves resource instance addresses before evaluating expressions. The splat + <code>one()</code> pattern returns <code>null</code> for an empty collection instead of erroring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">one</span><span class="err">(</span><span class="nx">tls_private_key</span><span class="err">.</span><span class="nx">legacy</span><span class="p">[*]</span><span class="err">.</span><span class="nx">private_key_pem</span><span class="err">)</span> <span class="c1"># null when count = 0, actual value when count = 1</span> </code></pre> </div> <p>The outer ternary ensures that <code>null</code> never reaches <code>jsonencode</code>, so neither attribute ends up with an unexpected <code>{"private_key":null}</code> payload.</p> <p><strong>Rule to internalize:</strong> ephemeral values can only ever terminate at ephemeral attributes (write-only, or ephemeral such as provider blocks). Don't route them through any expression that also serves a non-write-only path.</p> <h2> The Second Problem: <code>moved</code> Blocks </h2> <p>The original module had no <code>count</code> on either resource. Adding <code>count</code> to <code>tls_private_key.legacy</code> changes its state address:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td><code>tls_private_key.legacy</code></td> <td><code>tls_private_key.legacy[0]</code></td> </tr> </tbody> </table></div> <p>Terraform treats these as different resources. Without intervention, it will <strong>destroy</strong> the old address and <strong>create</strong> a new one — generating a brand new private key in the process. For existing users, that's an unannounced key rotation.</p> <p><code>vault_kv_secret_v2.legacy</code> keeps no <code>count</code>, so its address doesn't change and needs no intervention. Only the TLS key resource needs a <code>moved</code> block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">moved</span> <span class="p">{</span> <span class="nx">from</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span> <span class="nx">to</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This tells Terraform to update the state address in place — no destroy, no create, no key rotation. On the next plan, existing users will see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># tls_private_key.legacy has moved to tls_private_key.legacy[0] </code></pre> </div> <p>Leave the <code>moved</code> block in for at least one release cycle so users who haven't applied yet still get a clean migration. It can be removed in a future major version once the old address no longer exists in any user's state.</p> <h2> The Complete Solution </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">moved</span> <span class="p">{</span> <span class="nx">from</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span> <span class="nx">to</span> <span class="p">=</span> <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"use_ephemeral_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Use ephemeral key generation (key never written to state). New deployments should set true."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1"># Legacy path — key stored in state</span> <span class="nx">resource</span> <span class="s2">"tls_private_key"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">1</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="c1"># Ephemeral path — key never written to state</span> <span class="nx">ephemeral</span> <span class="s2">"tls_private_key"</span> <span class="s2">"ephemeral"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">algorithm</span> <span class="p">=</span> <span class="s2">"RSA"</span> <span class="nx">rsa_bits</span> <span class="p">=</span> <span class="mi">4096</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"vault_kv_secret_v2"</span> <span class="s2">"legacy"</span> <span class="p">{</span> <span class="nx">mount</span> <span class="p">=</span> <span class="s2">"kvv2"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mytls"</span> <span class="nx">data_json</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="kc">null</span> <span class="err">:</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">one</span><span class="p">(</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">legacy</span><span class="p">[*].</span><span class="nx">private_key_pem</span><span class="p">)</span> <span class="p">})</span> <span class="nx">data_json_wo</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_ephemeral_key</span> <span class="err">?</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">private_key</span> <span class="p">=</span> <span class="nx">one</span><span class="p">(</span><span class="nx">ephemeral</span><span class="p">.</span><span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">ephemeral</span><span class="p">[*].</span><span class="nx">private_key_pem</span><span class="p">)</span> <span class="p">})</span> <span class="err">:</span> <span class="kc">null</span> <span class="p">}</span> </code></pre> </div> <h2> Versioning Strategy </h2> <p>With this in place, the recommended release approach is:</p> <ul> <li> <strong>Current minor version</strong>: ship the toggle with <code>default = false</code>. Existing users are unaffected. New users can opt in with <code>use_ephemeral_key = true</code>.</li> <li> <strong>Next major version</strong>: flip the default to <code>true</code>. Document the change. Users upgrading from the old version need to either set <code>use_ephemeral_key = false</code> explicitly to preserve legacy behavior, or accept that a new key will be generated on their next apply.</li> </ul> <p>The <code>moved</code> blocks handle the state address migration for everyone regardless of which path they're on.</p> devops security terraform tutorial drewmullen Thu, 22 Jan 2026 22:10:57 +0000 https://forem.com/drewmullen/writing-terraform-resources-with-write-only-parameters-570j https://forem.com/drewmullen/writing-terraform-resources-with-write-only-parameters-570j <p>When building Terraform providers that handle sensitive data like passwords, API tokens, or secret keys, you'll eventually encounter the need for <strong>write-only parameters</strong>. These are values that should be sent to an API but never stored in Terraform state files.</p> <p>In this post, I'll walk through implementing write-only parameters in a Terraform provider, the challenges involved, and design options to consider.</p> <h2> What Are Write-Only Parameters? </h2> <p>Write-only parameters (introduced in Terraform 1.11) are resource arguments that:</p> <ul> <li>Are sent to the API during creation and updates</li> <li><strong>Never appear in the Terraform state file</strong></li> </ul> <p>This feature is crucial for security. Without write-only parameters, sensitive values like passwords would be stored in plaintext in your state files.</p> <p>Here's an example from my fork of the <a href="https://github.com/drewmullen/terraform-provider-aap/blob/main/internal/provider/eda_credential_resource.go" rel="noopener noreferrer">Event Drive Ansible (EDA)</a> provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"example"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-api-credential"</span> <span class="nx">credential_type_id</span> <span class="p">=</span> <span class="mi">1</span> <span class="c1"># Write-only: sent to API but NEVER stored in state</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"service-account"</span> <span class="nx">api_token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">api_token</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Design Considerations </h2> <h3> The <code>_version</code> Argument </h3> <p>Since Terraform's statefile does not manage the value of the secret, Terraform requires way to know if the secret must be updated. The standard solution to detecting changes in write-only parameters is to add a companion <code>_version</code> field that users must manually increment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"manual"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">new_password</span> <span class="p">})</span> <span class="c1"># User must increment this to trigger an update</span> <span class="nx">inputs_wo_version</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> </code></pre> </div> <p><strong>How updates work:</strong></p> <ol> <li>User updates the secret in <code>inputs_wo</code> </li> <li>User manually increments <code>inputs_wo_version</code> </li> <li>Terraform detects the version change and triggers an update</li> <li>The new secret is sent to the API</li> </ol> <p>This works, but it's <strong>not user-friendly</strong>. Users have to remember to:</p> <ul> <li>Increment the version every time they change secrets</li> <li>Track version numbers manually</li> </ul> <h3> Automatic Change Detection </h3> <p>Ideally, users shouldn't need to manage version numbers. They should just update the secret value and Terraform should detect the change automatically. But here's the problem:</p> <p><strong>If <code>inputs_wo</code> is write-only and not in state, how do we detect when it changes?</strong></p> <p>Lucikly, there is a solution: <strong>store a deterministic hash in private state</strong>.</p> <h4> Using Private State and Hashing </h4> <p>Terraform's plugin framework provides <a href="https://developer.hashicorp.com/terraform/plugin/framework/resources/private-state" rel="noopener noreferrer">private state</a> - a place to store provider-managed data that's:</p> <ul> <li>Stored in the state file (so it persists)</li> <li>Not visible to users (doesn't appear in <code>terraform show</code>)</li> <li>Perfect for storing things like hashes</li> </ul> <p>Here's the implementation approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Create operation</span> <span class="k">func</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">EDACredentialResource</span><span class="p">)</span> <span class="n">Create</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">resource</span><span class="o">.</span><span class="n">CreateRequest</span><span class="p">,</span> <span class="n">resp</span> <span class="o">*</span><span class="n">resource</span><span class="o">.</span><span class="n">CreateResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">data</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">Plan</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">data</span><span class="p">)</span> <span class="c">// Calculate SHA-256 hash of the inputs</span> <span class="n">inputsHash</span> <span class="o">:=</span> <span class="n">calculateInputsHash</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">InputsWO</span><span class="o">.</span><span class="n">ValueString</span><span class="p">())</span> <span class="c">// Store hash in private state (JSON-wrapped for validity)</span> <span class="n">hashJSON</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">`{"hash":"%s"}`</span><span class="p">,</span> <span class="n">inputsHash</span><span class="p">)</span> <span class="n">resp</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">SetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">,</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">hashJSON</span><span class="p">))</span> <span class="c">// Set auto-managed version</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="o">=</span> <span class="n">tftypes</span><span class="o">.</span><span class="n">Int64Value</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="c">// ... send to API and save state ...</span> <span class="p">}</span> <span class="k">func</span> <span class="n">calculateInputsHash</span><span class="p">(</span><span class="n">inputs</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">sha256</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">h</span><span class="o">.</span><span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="n">inputs</span><span class="p">))</span> <span class="k">return</span> <span class="n">hex</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">h</span><span class="o">.</span><span class="n">Sum</span><span class="p">(</span><span class="no">nil</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>In the Update operation, we compare hashes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">EDACredentialResource</span><span class="p">)</span> <span class="n">Update</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">resource</span><span class="o">.</span><span class="n">UpdateRequest</span><span class="p">,</span> <span class="n">resp</span> <span class="o">*</span><span class="n">resource</span><span class="o">.</span><span class="n">UpdateResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">data</span><span class="p">,</span> <span class="n">state</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">Plan</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">data</span><span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">State</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">state</span><span class="p">)</span> <span class="c">// Get stored hash from private state</span> <span class="n">oldHashBytes</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">req</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">GetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">)</span> <span class="k">var</span> <span class="n">hashWrapper</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Hash</span> <span class="kt">string</span> <span class="s">`json:"hash"`</span> <span class="p">}</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">oldHashBytes</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">hashWrapper</span><span class="p">)</span> <span class="n">oldHash</span> <span class="o">:=</span> <span class="n">hashWrapper</span><span class="o">.</span><span class="n">Hash</span> <span class="c">// Calculate new hash</span> <span class="n">newHash</span> <span class="o">:=</span> <span class="n">calculateInputsHash</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">InputsWO</span><span class="o">.</span><span class="n">ValueString</span><span class="p">())</span> <span class="k">if</span> <span class="n">newHash</span> <span class="o">!=</span> <span class="n">oldHash</span> <span class="p">{</span> <span class="c">// Inputs changed! Auto-increment version</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="o">=</span> <span class="n">tftypes</span><span class="o">.</span><span class="n">Int64Value</span><span class="p">(</span><span class="n">state</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">ValueInt64</span><span class="p">()</span> <span class="o">+</span> <span class="m">1</span><span class="p">)</span> <span class="c">// Update stored hash</span> <span class="n">hashJSON</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">`{"hash":"%s"}`</span><span class="p">,</span> <span class="n">newHash</span><span class="p">)</span> <span class="n">resp</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">SetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">,</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">hashJSON</span><span class="p">))</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// No change, keep version as-is</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="o">=</span> <span class="n">state</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="p">}</span> <span class="c">// ... send to API and save state ...</span> <span class="p">}</span> </code></pre> </div> <p>Now users can just update the secret and Terraform automatically detects it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"auto"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">new_password</span> <span class="c1"># Just change this!</span> <span class="p">})</span> <span class="c1"># inputs_wo_version auto-increments (computed field)</span> <span class="p">}</span> </code></pre> </div> <h2> Best of both worlds </h2> <p>While automatic detection is convenient, some users may not want a hash of their secrets stored in state - even if it's SHA-256 and in private state. The hash is still derived from the secret value.</p> <p><strong>Solution: Support both modes</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">EDACredentialResource</span><span class="p">)</span> <span class="n">Create</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">resource</span><span class="o">.</span><span class="n">CreateRequest</span><span class="p">,</span> <span class="n">resp</span> <span class="o">*</span><span class="n">resource</span><span class="o">.</span><span class="n">CreateResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">data</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">Plan</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">data</span><span class="p">)</span> <span class="k">var</span> <span class="n">versionToSet</span> <span class="n">tftypes</span><span class="o">.</span><span class="n">Int64</span> <span class="k">if</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsNull</span><span class="p">()</span> <span class="o">||</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsUnknown</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Auto-managed mode: store hash</span> <span class="n">inputsHash</span> <span class="o">:=</span> <span class="n">calculateInputsHash</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">InputsWO</span><span class="o">.</span><span class="n">ValueString</span><span class="p">())</span> <span class="n">hashJSON</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">`{"hash":"%s"}`</span><span class="p">,</span> <span class="n">inputsHash</span><span class="p">)</span> <span class="n">resp</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">SetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">,</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">hashJSON</span><span class="p">))</span> <span class="n">versionToSet</span> <span class="o">=</span> <span class="n">tftypes</span><span class="o">.</span><span class="n">Int64Value</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// Manual mode: user provided version, don't store hash</span> <span class="n">versionToSet</span> <span class="o">=</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="p">}</span> <span class="c">// ... rest of create logic ...</span> <span class="n">data</span><span class="o">.</span><span class="n">InputsWOVersion</span> <span class="o">=</span> <span class="n">versionToSet</span> <span class="p">}</span> </code></pre> </div> <p>Schema definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="s">"inputs_wo_version"</span><span class="o">:</span> <span class="n">schema</span><span class="o">.</span><span class="n">Int64Attribute</span><span class="p">{</span> <span class="n">Optional</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Computed</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">PlanModifiers</span><span class="o">:</span> <span class="p">[]</span><span class="n">planmodifier</span><span class="o">.</span><span class="n">Int64</span><span class="p">{</span> <span class="n">int64planmodifier</span><span class="o">.</span><span class="n">UseStateForUnknown</span><span class="p">(),</span> <span class="p">},</span> <span class="n">Description</span><span class="o">:</span> <span class="s">"Version number for managing credential updates. "</span> <span class="o">+</span> <span class="s">"If not set, the provider will automatically detect changes to inputs_wo "</span> <span class="o">+</span> <span class="s">"using a SHA-256 hash stored in private state. If set manually, you "</span> <span class="o">+</span> <span class="s">"control when the credential is updated by incrementing this value yourself."</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Users can choose their preferred mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Auto-managed (default)</span> <span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"auto"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"auto-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">pwd</span> <span class="p">})</span> <span class="c1"># version auto-increments</span> <span class="p">}</span> <span class="c1"># Manual control</span> <span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"manual"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"manual-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">pwd</span> <span class="p">})</span> <span class="nx">inputs_wo_version</span> <span class="p">=</span> <span class="mi">1</span> <span class="c1"># I control this</span> <span class="p">}</span> </code></pre> </div> <h2> Handling Mode Switching </h2> <p>Unfortunately, a weakness of this design is that its not possible to "switch modes". Why?</p> <ul> <li> <strong>Auto → Manual</strong>: If a user suddenly sets <code>inputs_wo_version</code>, do we remove the hash? What if they're just trying to force an update?</li> <li> <strong>Manual → Auto</strong>: We'd need to create a hash, but we can't compare it to the old inputs (they're write-only and not in state), so we can't tell if inputs changed during the transition</li> </ul> <p>Even if we could find a way to handle this, the logic in your resource becomes complex and error-prone.</p> <p><strong>Better approach: Prevent mode switching</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">EDACredentialResource</span><span class="p">)</span> <span class="n">Update</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">resource</span><span class="o">.</span><span class="n">UpdateRequest</span><span class="p">,</span> <span class="n">resp</span> <span class="o">*</span><span class="n">resource</span><span class="o">.</span><span class="n">UpdateResponse</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Determine current mode from private state</span> <span class="n">oldHashBytes</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">req</span><span class="o">.</span><span class="n">Private</span><span class="o">.</span><span class="n">GetKey</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"inputs_wo_hash"</span><span class="p">)</span> <span class="n">wasAutoManaged</span> <span class="o">:=</span> <span class="n">oldHashBytes</span> <span class="o">!=</span> <span class="no">nil</span> <span class="c">// Determine desired mode from config</span> <span class="k">var</span> <span class="n">configModel</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">Config</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">configModel</span><span class="p">)</span> <span class="n">isNowManual</span> <span class="o">:=</span> <span class="o">!</span><span class="n">configModel</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsNull</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">configModel</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsUnknown</span><span class="p">()</span> <span class="k">var</span> <span class="n">state</span> <span class="n">EDACredentialResourceModel</span> <span class="n">req</span><span class="o">.</span><span class="n">State</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">state</span><span class="p">)</span> <span class="n">wasManual</span> <span class="o">:=</span> <span class="o">!</span><span class="n">wasAutoManaged</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">state</span><span class="o">.</span><span class="n">InputsWOVersion</span><span class="o">.</span><span class="n">IsNull</span><span class="p">()</span> <span class="c">// Prevent mode switching</span> <span class="k">if</span> <span class="n">wasAutoManaged</span> <span class="o">&amp;&amp;</span> <span class="n">isNowManual</span> <span class="p">{</span> <span class="n">resp</span><span class="o">.</span><span class="n">Diagnostics</span><span class="o">.</span><span class="n">AddError</span><span class="p">(</span> <span class="s">"Cannot switch from auto-managed to manual version management"</span><span class="p">,</span> <span class="s">"The inputs_wo_version field was previously auto-managed. Once auto-managed, "</span><span class="o">+</span> <span class="s">"it cannot be switched to manual mode. If you need to manually control the version, "</span><span class="o">+</span> <span class="s">"you must recreate the resource with inputs_wo_version set from the start."</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">if</span> <span class="n">wasManual</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">isNowManual</span> <span class="p">{</span> <span class="n">resp</span><span class="o">.</span><span class="n">Diagnostics</span><span class="o">.</span><span class="n">AddError</span><span class="p">(</span> <span class="s">"Cannot switch from manual to auto-managed version management"</span><span class="p">,</span> <span class="s">"The inputs_wo_version field was previously manually managed. Once manually managed, "</span><span class="o">+</span> <span class="s">"it cannot be switched to auto mode. If you need auto-managed version control, "</span><span class="o">+</span> <span class="s">"you must recreate the resource without setting inputs_wo_version."</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// ... rest of update logic for the chosen mode ...</span> <span class="p">}</span> </code></pre> </div> <p>This gives users a clear error message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Cannot switch from auto-managed to manual version management The inputs_wo_version field was previously auto-managed. Once auto-managed, it cannot be switched to manual mode. If you need to manually control the version, you must recreate the resource with inputs_wo_version set from the start. </code></pre> </div> <h2> Key Takeaways </h2> <p>When implementing write-only parameters in Terraform providers:</p> <ol> <li> <strong>Use private state for hashes</strong> - It's stored but not visible to users</li> <li> <strong>Support both auto and manual modes</strong> - Give users choice for their security preferences</li> </ol> <p>The complete implementation provides a great user experience while respecting privacy concerns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Most users: auto-managed, no version to track</span> <span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"api"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"api-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">token</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Privacy-conscious users: manual control, no hash stored</span> <span class="nx">resource</span> <span class="s2">"aap_eda_credential"</span> <span class="s2">"secure"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"secure-credential"</span> <span class="nx">inputs_wo</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">token</span> <span class="p">})</span> <span class="nx">inputs_wo_version</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> </code></pre> </div> <p>Both approaches are valid. Both are clear. And switching between them requires a resource recreation, which is easy to communicate and reason about.</p> <p><em>Have you implemented write-only parameters in your Terraform provider? What challenges did you face? Let me know in the comments!</em></p> terraform go infrastructure devops drewmullen Fri, 27 Jun 2025 14:10:43 +0000 https://forem.com/drewmullen/making-terraform-workspaces-in-the-same-project-2nhd https://forem.com/drewmullen/making-terraform-workspaces-in-the-same-project-2nhd <p>I am working on a artifact for helping TFE users provide some self service (to be unveiled soon!). One of the things I needed to do was provide a repeatable way to have a tfe workspace create workspaces in the same project. At first I thought I'd need a new data source for this since the tfe data sources require <code>organization</code> and at the very least.</p> <p>Turns out I can do it today with some magic <a href="https://developer.hashicorp.com/terraform/cloud-docs/run/run-environment" rel="noopener noreferrer">runtime env vars</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"TFC_WORKSPACE_SLUG"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"TFC_PROJECT_ID"</span> <span class="p">{}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">org_name</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span><span class="nx">var</span><span class="p">.</span><span class="nx">TFC_WORKSPACE_SLUG</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"tfe_workspace"</span> <span class="s2">"ws"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"new-ws"</span> <span class="nx">organization</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">org_name</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">TFC_PROJECT_ID</span> <span class="p">}</span> </code></pre> </div> <p>Executing that code in a TFE workspace will let you create workspaces without knowing the organization name or project! Niche but pretty nifty!</p> terraform hcptf tfc tfe drewmullen Wed, 12 Feb 2025 15:55:56 +0000 https://forem.com/drewmullen/setting-a-multi-line-variable-as-an-env-in-terraform-cloud-28b1 https://forem.com/drewmullen/setting-a-multi-line-variable-as-an-env-in-terraform-cloud-28b1 <p>In this post I will describe the exploration I did after running into a problem trying to setup temporary auth to my kubernetes cluster with Terraform. I will first describe the problem(s) and several ways to solve them.</p> <h2> Preamble </h2> <p>I auth to my homelab k8s cluster using PEM keys. Being a long time Terraform user I almost always auth to a provider using environment variables. This allows me to decouple auth from the HCL, prevent secrets from getting into the statefile, and often allows completely avoiding defining a particular provider block, relying on the <a href="https://developer.hashicorp.com/terraform/language/providers/configuration#provider-configuration-1" rel="noopener noreferrer">"empty default configuration"</a>.</p> <p>Terraform Cloud (TFC) (recently rebranded to HCP TF) allows setting variables outside of the code and in the web ui instead (WS Vars). You can set WS Vars as either type <code>terraform</code> or type <code>env</code>. Type <code>terraform</code> behaves exactly like setting <code>-var myname=drew</code>. Only problem is that type <code>env</code> vars cannot be multi-line which breaks PEM validity.</p> <h2> Solutions </h2> <h3> Ephemeral Variables! </h3> <p>Starting Terraform v1.10 HashiCorp introduced ephemeral resource types as well as <a href="https://developer.hashicorp.com/terraform/language/values/variables#exclude-values-from-state" rel="noopener noreferrer">ephemeral variables</a>. This allows me to set the PEM in a WS Var type <code>terraform</code> but not expose to the statefile. It does require me to hardcode the provider version and auth.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"kube_client_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Private key data for authenticating to k8s."</span> <span class="nx">ephemeral</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">client_certificate</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">kube_client_certificate</span> <span class="nx">client_key</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">kube_client_key</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydf6ysf9larzhzbj04nd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydf6ysf9larzhzbj04nd.png" alt="Image description" width="800" height="102"></a></p> <h3> Base64 &amp; TF_VAR_ </h3> <p>You can pass the multi-line content base64 encoded then leverage terraform's <code>base64decode()</code> function in a <a href="https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_var_name" rel="noopener noreferrer">TF_VAR_</a>. This allows using an env variable but still requires hardcoding the auth. This solution doesn't make much sense for me but it is an option<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">client_key</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">kubekey</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5nle8evnr7o8e8z2rw0p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5nle8evnr7o8e8z2rw0p.png" alt="Image description" width="800" height="494"></a></p> <h3> Dynamic K8s Access </h3> <p>You can setup a trust between TFC and your k8s cluster. This is my end game but on the back burner while I figure out how I plan to organize somethings</p> <p>Doc Link: <a href="https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/kubernetes-configuration" rel="noopener noreferrer">https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/kubernetes-configuration</a></p> <h3> E1it3 Hax </h3> <p>This last option is totally unexpected but actually quite interesting. Turns out that part of TFC's implementation is that WS Vars that are type <code>terraform</code> are also written to agents as environment variables. This means that you can create a WS Var in TFC that matches the naming convention of the expected provider env var and it will still work. This does not require you to create Terraform HCL for the vars but it does surface a warning. You can suppress the warning by providing a empty variable with the same name and NOT defining it in the provider block.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr6uqpsqk00ss8ost0uzu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr6uqpsqk00ss8ost0uzu.png" alt="Image description" width="800" height="83"></a></p> <p>To suppress the warning just insert a variable with the corresponding name and a default value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"KUBE_CLIENT_KEY_DATA"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">""</span> <span class="p">}</span> </code></pre> </div> <h2> Salutation </h2> <p>I hope this is helpful to you. Choose the solution that fits your use-case best!</p> drewmullen Tue, 21 Jan 2025 18:32:07 +0000 https://forem.com/drewmullen/deploy-cloudflare-tunnels-with-terraform-kubernetes-fh7 https://forem.com/drewmullen/deploy-cloudflare-tunnels-with-terraform-kubernetes-fh7 <p>This blog will give you a brief overview for exposing services from a private network to the public network using zero trust tool, CloudFlare Zero Trust Tunnels. They have a generous free tier that you can leverage. <strong>Please note</strong> that this post does not encompass a fully prescriptive set of security best practices, merely it gets the setup working. Getting this right took me longer than I expected. Hopefully its helpful to you.</p> <p>Due to to my homelab setup, namespaces are created by ArgoCD which kicks off ahead of terraform apply. You may need to make a namespace <code>cloudflared</code>.</p> <h3> Access </h3> <p>Based on the guide from <a href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/terraform/" rel="noopener noreferrer">cloudflares docs</a> you'll need to create a API token:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xjrky3tav51clwpw1zy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xjrky3tav51clwpw1zy.png" alt="Image description" width="749" height="273"></a></p> <p><em>Note: When creating your api token know that "Cloudflare Tunnel" <strong>is not the same thing</strong> as Zero Trust in their permissions. This was confusing to me because tunnels are now named "zero trust tunnels". For the sake of permissions make sure you provider "Cloudflare Tunnel: Edit".</em></p> <h3> Terraform </h3> <p>The following code deploys a single tunnel and sets up DNS records for all sites indicated in "services". TLS verify is disabled below so update it if you want.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"cloudflare_zone_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Zone ID for your domain"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cloudflare_account_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Account ID for your Cloudflare account"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cloudflare_email"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Email address for your Cloudflare account"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"services"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Values for the services to be exposed via Cloudflare Tunnel"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">hostname</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># public domain name. ex: "service.example.com"</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># private service endpoint. ex: service.apps.internaldomain.com</span> <span class="p">}))</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">cf_tunnel_secret</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="s2">"AccountTag"</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cloudflare_account_id</span><span class="k">}</span><span class="s2">"</span><span class="p">,</span> <span class="s2">"TunnelSecret"</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">base64sha256</span><span class="p">(</span><span class="nx">random_password</span><span class="p">.</span><span class="nx">tunnel_secret</span><span class="p">.</span><span class="nx">result</span><span class="p">)</span><span class="k">}</span><span class="s2">"</span><span class="p">,</span> <span class="s2">"TunnelID"</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">cloudflare_zero_trust_tunnel_cloudflared</span><span class="p">.</span><span class="nx">homelab</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">"</span> <span class="p">})</span> <span class="nx">ingress_rules</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">service</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">services</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">hostname</span> <span class="p">=</span> <span class="nx">service</span><span class="p">.</span><span class="nx">hostname</span> <span class="nx">origin_request</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">no_tls_verify</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">service</span><span class="p">.</span><span class="nx">service</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"random_password"</span> <span class="s2">"tunnel_secret"</span> <span class="p">{</span> <span class="nx">length</span> <span class="p">=</span> <span class="mi">64</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"cloudflare_zero_trust_tunnel_cloudflared"</span> <span class="s2">"homelab"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"homelab-tunnel"</span> <span class="nx">config_src</span> <span class="p">=</span> <span class="s2">"cloudflare"</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cloudflare_account_id</span> <span class="nx">tunnel_secret</span> <span class="p">=</span> <span class="nx">base64sha256</span><span class="p">(</span><span class="nx">random_password</span><span class="p">.</span><span class="nx">tunnel_secret</span><span class="p">.</span><span class="nx">result</span><span class="p">)</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"cloudflare_zero_trust_tunnel_cloudflared_config"</span> <span class="s2">"homelab"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cloudflare_account_id</span> <span class="nx">tunnel_id</span> <span class="p">=</span> <span class="nx">cloudflare_zero_trust_tunnel_cloudflared</span><span class="p">.</span><span class="nx">homelab</span><span class="p">.</span><span class="nx">id</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ingress</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">ingress_rules</span><span class="p">,</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">origin_request</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">connect_timeout</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">keep_alive_connections</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">keep_alive_timeout</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">tcp_keep_alive</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">tls_timeout</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">service</span> <span class="p">=</span> <span class="s2">"http_status:503"</span> <span class="p">},</span> <span class="p">])</span> <span class="nx">warp_routing</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"cloudflare_credentials"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"tunnel-credentials"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"cloudflared"</span> <span class="p">}</span> <span class="k">data</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"credentials.json"</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">cf_tunnel_secret</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"cloudflare_dns_record"</span> <span class="s2">"vault_homelab_tunnel"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">services</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cloudflare_zone_id</span> <span class="nx">comment</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="k">}</span><span class="s2"> tunnel record"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">join</span><span class="p">(</span><span class="s2">"."</span><span class="p">,</span> <span class="p">[</span><span class="nx">cloudflare_zero_trust_tunnel_cloudflared</span><span class="p">.</span><span class="nx">homelab</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="s2">"cfargotunnel.com"</span><span class="p">])</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">hostname</span> <span class="nx">proxied</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="p">}</span> </code></pre> </div> <h3> Kubernetes manifest: </h3> <p>In my setup, k8s resources are mostly deployed via ArgoCD. Below, this manifest deploys cloudflared pod and connects it to the tunnel <code>homelab-tunnel</code> from your account. It authenticates via the public cloudflare API using credentials from a kubernetes secret <code>tunnel-credentials</code> which is created by Terraform.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">replicas</span><span class="pi">:</span> <span class="s">1</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflared</span> <span class="na">image</span><span class="pi">:</span> <span class="s">cloudflare/cloudflared:latest</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">tunnel</span> <span class="pi">-</span> <span class="s">--credentials-file</span> <span class="pi">-</span> <span class="s">/etc/cloudflared/creds/credentials.json</span> <span class="pi">-</span> <span class="s">--protocol</span> <span class="c1"># https://github.com/cloudflare/cloudflared/issues/1176#issuecomment-2404546711</span> <span class="pi">-</span> <span class="s">http2</span> <span class="c1"># didnt seem to need the sysctl changes</span> <span class="pi">-</span> <span class="s">--metrics</span> <span class="pi">-</span> <span class="s">0.0.0.0:2000</span> <span class="pi">-</span> <span class="s">run</span> <span class="pi">-</span> <span class="s">homelab-tunnel</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ready</span> <span class="na">port</span><span class="pi">:</span> <span class="m">2000</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">1</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">creds</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/cloudflared/creds</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">creds</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">tunnel-credentials</span> </code></pre> </div> <p><em>Disclaimer: The following code stores the secret to joining your tunnel in your terraform statefile in 2 locations <code>random_password.tunnel_secret</code> and <code>cloudflare_zero_trust_tunnel_cloudflared.homelab</code>. With 1.10 we have ephemeral resources which will remove that but the random provider <a href="https://github.com/hashicorp/terraform-provider-random/pull/625" rel="noopener noreferrer">doesnt have it yet</a>. Hopefully it will be <a href="https://github.com/cloudflare/terraform-provider-cloudflare/issues/4921" rel="noopener noreferrer">removed from tunnel resource once available</a>.</em></p> cloudflare tunnels terraform k8s drewmullen Mon, 02 Dec 2024 20:21:58 +0000 https://forem.com/drewmullen/terraform-state-with-native-s3-locking-1fck https://forem.com/drewmullen/terraform-state-with-native-s3-locking-1fck <p>Terraform has many popular mechanisms for storing its state file. While I have grown quite fond of <a href="https://developer.hashicorp.com/terraform/tutorials/cloud-get-started/cloud-sign-up" rel="noopener noreferrer">HCP Terraform</a>, there are occasional scenarios where I want to use <a href="https://developer.hashicorp.com/terraform/language/backend/s3" rel="noopener noreferrer">S3 backend</a> to hold my Terraform state files. </p> <p>Best practice when sharing a state file among multiple parties is to have a locking mechanism, to avoid concurrent writes from corrupting the Terraform state. This prevents 2 parties from clobbering each other if they happen to be working on the same infrastructure at the same time.</p> <p>Starting in <a href="https://github.com/hashicorp/terraform/releases/tag/v1.10.0" rel="noopener noreferrer">Terraform v1.10</a> the S3 backend features S3 native state locking. Prior to this feature state file lock setups required access to a DynamoDB table - which can be completely foregone now!</p> <h2> How? </h2> <p>Lets start by creating a S3 bucket that has the required settings:</p> <p><em>Note: It is common to create the S3 state file bucket outside of Terraform. However, you <strong>can</strong> create the bucket with Terraform, its just generally not advised. Example shell commands below</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ BUCKET_NAME</span><span class="o">=</span><span class="s2">"&lt;your bucket name&gt;"</span> <span class="nv">$ REGION</span><span class="o">=</span><span class="s2">"us-east-1"</span> <span class="nv">$ </span>aws s3api create-bucket <span class="se">\</span> <span class="nt">--bucket</span> <span class="nv">$BUCKET_NAME</span> <span class="se">\</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="nv">$ </span>aws s3api put-bucket-versioning <span class="se">\</span> <span class="nt">--bucket</span> <span class="nv">$BUCKET_NAME</span> <span class="se">\</span> <span class="nt">--versioning-configuration</span> <span class="nv">Status</span><span class="o">=</span>Enabled </code></pre> </div> <h2> Using the bucket </h2> <p>Create a new <code>backend.tf</code> file (or add this block to an existing .tf file). Make sure you fill in the bucket name!</p> <p>Below we use the parameter <code>use_lockfile</code> which is an experimental feature that enforces using the s3 buckets lock file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="err">&lt;</span><span class="nx">bucket</span> <span class="nx">name</span><span class="err">&gt;</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"backend/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">use_lockfile</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Wrapping up </h2> <p>For a deep dive on this feature I recommend you read through the <a href="https://github.com/hashicorp/terraform/pull/35661" rel="noopener noreferrer">initial PR</a> by <a class="mentioned-user" href="https://dev.to/bschaatsbergen">@bschaatsbergen</a> who wrote this great feature</p> <h2> Optional: Create bucket using Terraform </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"backend"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">bucket_name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"backend"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">backend</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Edited 12/19 to remove ObjectLock which is not required. Kudos to <a class="mentioned-user" href="https://dev.to/philippe_robitaille_f3908">@philippe_robitaille_f3908</a></strong></p> terraform aws s3lockfile drewmullen Thu, 16 Nov 2023 15:59:07 +0000 https://forem.com/drewmullen/aws-creds-in-the-cli-via-sso-122i https://forem.com/drewmullen/aws-creds-in-the-cli-via-sso-122i <h2> Problem </h2> <p>Do you often need credentials in your AWS CLI? </p> <p>Are you overly familiar with this screen (AWS SSO start page)?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fllw0whs9617785ohgrqa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fllw0whs9617785ohgrqa.png" alt="Image description" width="560" height="572"></a></p> <p>If you do not have AWS SSO setup, check out the <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html" rel="noopener noreferrer">AWS documentation</a> then come back to this post!</p> <h2> A better credential experience </h2> <p>Yesterday I learned from my colleague <a class="mentioned-user" href="https://dev.to/danquack">@danquack</a> a fun feature built into the AWS CLI. If you already have AWS SSO configured for your Org and are using the GUI to get credentials, follow this post and you can expect an improved AWS CLI credential management experience. </p> <p>My new, simpler process to get temporary creds from SSO:</p> <h4> Specify which profile I want and login: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">export </span><span class="nv">AWS_PROFILE</span><span class="o">=</span>&lt;<span class="o">&gt;</span> <span class="nv">$ </span>aws sso login </code></pre> </div> <h4> Confirm the authorization request in my browser: </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8kqsydxrgml5jw5km8e5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8kqsydxrgml5jw5km8e5.png" alt="Image description" width="800" height="1122"></a></p> <p>Boom! Now my CLI has usable temporary credentials!</p> <h2> Setup </h2> <p>This setup is honestly extremely simple. AWS provides a guided CLI wizard and ill show the examples below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws configure sso SSO session name <span class="o">(</span>Recommended<span class="o">)</span>: WARNING: Configuring using legacy format <span class="o">(</span>e.g. without an SSO session<span class="o">)</span><span class="nb">.</span> Consider re-running <span class="s2">"configure sso"</span> <span class="nb">command </span>and providing a session name. SSO start URL <span class="o">[</span>https://example.awsapps.com/start#/]: SSO region <span class="o">[</span>us-east-1]: There are 2 AWS accounts available to you. <span class="o">&gt;</span> DeveloperAccount, developer-account-admin@example.com <span class="o">(</span>123456789011<span class="o">)</span> ProductionAccount, production-account-admin@example.com <span class="o">(</span>123456789022<span class="o">)</span> Using the account ID 123456789011 The only role available to you is: AdministratorAccess Using the role name <span class="s2">"AdministratorAccess"</span> CLI default client Region <span class="o">[</span>us-east-1]: us-east-2 CLI default output format <span class="o">[</span>None]: CLI profile name <span class="o">[</span>AdministratorAccess-&lt;<span class="o">&gt;]</span>: providerdev </code></pre> </div> <ul> <li>There are 2 questions regarding region. The first is the region SSO is setup in. The second is the default region you want your CLI setup to use.</li> <li>Setting a profile name <code>providerdev</code> is now the name ill set for <code>export AWS_PROFILE=providerdev</code> </li> </ul> <p>Once that is complete you can see the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat</span> <span class="nt">-p</span> ~/.aws/config <span class="o">[</span>profile providerdev] sso_start_url <span class="o">=</span> https://example.awsapps.com/start#/ sso_region <span class="o">=</span> us-east-1 sso_account_id <span class="o">=</span> 123456789011 sso_role_name <span class="o">=</span> AdministratorAccess region <span class="o">=</span> us-east-2 </code></pre> </div> <h2> Summary </h2> <p>AWS SSO is a great service for providing temporary credentials to known identities in your organization. The new command <code>aws sso login</code> will help you and your engineers get credentials fast, easy, and securely!</p> aws sso credentials drewmullen Thu, 12 Jan 2023 14:06:56 +0000 https://forem.com/drewmullen/implement-rollback-with-terraform-5f7d https://forem.com/drewmullen/implement-rollback-with-terraform-5f7d <p>There's no magic here, friends.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ terraform apply # fails $ git checkout HEAD~ # checkout the prior commit $ terraform apply </code></pre> </div> <p>You can checkout a specific commit sha with:<br> <code>git checkout &lt;commit sha&gt;</code></p> <p>I don't recommend using this with any stateful resource types... RDS, EKS, etc. </p> terraform rollback cloudformation drewmullen Fri, 04 Mar 2022 18:57:38 +0000 https://forem.com/drewmullen/terraform-variable-validation-with-samples-1ank https://forem.com/drewmullen/terraform-variable-validation-with-samples-1ank <p>Terraform allows you to validate variable input in using <a href="https://www.terraform.io/language/values/variables#custom-validation-rules" rel="noopener noreferrer">validation blocks</a> using custom <code>condition</code> and yielding a custom <code>error_message</code>. Below are some examples:</p> <p><em><strong>Note:</strong> Please share your common validation rules you've written and I'll update here</em></p> <p><strong>Update</strong>: Please check out this awesome project by <a class="mentioned-user" href="https://dev.to/bschaatsbergen">@bschaatsbergen</a> that provides built in functions for assertions: <a href="https://github.com/bschaatsbergen/terraform-provider-assert" rel="noopener noreferrer">https://github.com/bschaatsbergen/terraform-provider-assert</a></p> <h2> Strings </h2> <h3> String may not contain character </h3> <p>Scenario: String may not contain a <code>/</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_may_not_contain"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"test"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Value cannot contain a </span><span class="se">\"</span><span class="s2">/</span><span class="se">\"</span><span class="s2">."</span> <span class="nx">condition</span> <span class="p">=</span> <span class="err">!</span><span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_may_not_contain</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> String with valid options </h3> <p>Scenario: Here we have a string and we only allow to values "approved" or "disapproved". I show 2 examples of the same check using different methods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_only_valid_options"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"approved"</span> <span class="c1"># using regex</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^(approved|disapproved)$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_only_valid_options</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Invalid input, options: </span><span class="se">\"</span><span class="s2">approved</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">disapproved</span><span class="se">\"</span><span class="s2">."</span> <span class="p">}</span> <span class="c1"># using contains()</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"approved"</span><span class="p">,</span> <span class="s2">"disapproved"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_only_valid_options</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Invalid input, options: </span><span class="se">\"</span><span class="s2">approved</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">disapproved</span><span class="se">\"</span><span class="s2">."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Valid AWS Region Name </h3> <p>Scenario: string must be like AWS region<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_like_aws_region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"[a-z][a-z]-[a-z]+-[1-9]"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_like_aws_region</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Must be valid AWS Region names."</span> <span class="p">}</span> </code></pre> </div> <h3> Valid IAM Role Name </h3> <p>Scenario: Your string must be a valid IAM role name<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_valid_iam_role_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"MyCoolRole"</span> <span class="c1"># arn example: "arn:aws:iam::123456789012:role/MyCoolRole"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-zA-Z][a-zA-Z</span><span class="err">\\</span><span class="s2">-</span><span class="err">\\</span><span class="s2">_0-9]{1,64}$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">string_valid_iam_role_name</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"IAM role name must start with letter, only contain letters, numbers, dashes, or underscores and must be between 1 and 64 characters."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Valid IPv4 CIDR </h3> <p>Scenario: Your string input needs to look like a IPv4 CIDR. Thank you <a class="mentioned-user" href="https://dev.to/entscheidungsproblem">@entscheidungsproblem</a> for <a href="https://dev.to/entscheidungsproblem/comment/21moa">reporting</a> and providing a fix for <code>/32</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"string_like_valid_ipv4_cidr"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">string_like_valid_ipv4_cidr</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Must be valid IPv4 CIDR."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Semantic Version </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"semv1"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.57.123"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Must be valid semantic version."</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^(0|[1-9]</span><span class="err">\\</span><span class="s2">d*)</span><span class="err">\\</span><span class="s2">.(0|[1-9]</span><span class="err">\\</span><span class="s2">d*)</span><span class="err">\\</span><span class="s2">.(0|[1-9]</span><span class="err">\\</span><span class="s2">d*)(?:-((?:0|[1-9]</span><span class="err">\\</span><span class="s2">d*|</span><span class="err">\\</span><span class="s2">d*[a-zA-Z-][0-9a-zA-Z-]*)(?:</span><span class="err">\\</span><span class="s2">.(?:0|[1-9]</span><span class="err">\\</span><span class="s2">d*|</span><span class="err">\\</span><span class="s2">d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:</span><span class="err">\\</span><span class="s2">+([0-9a-zA-Z-]+(?:</span><span class="err">\\</span><span class="s2">.[0-9a-zA-Z-]+)*))?$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">semv1</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Maps </h2> <h3> Map with optional conflicting keys </h3> <p>Scenario: You have a map variable and 2 keys conflict, in this case, you can only set either <code>cidr</code> or <code>netmask</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"only_one_optional_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">cidrs</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">))</span> <span class="nx">netmask</span> <span class="p">=</span> <span class="nx">optional</span><span class="p">(</span><span class="nx">number</span><span class="p">)</span> <span class="p">})</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test"</span> <span class="p">}</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Can only specify either </span><span class="se">\"</span><span class="s2">cidrs</span><span class="se">\"</span><span class="s2">, or </span><span class="se">\"</span><span class="s2">netmask</span><span class="se">\"</span><span class="s2">."</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">setintersection</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">only_one_optional_key</span><span class="p">),</span> <span class="p">[</span><span class="s2">"cidrs"</span><span class="p">,</span> <span class="s2">"netmask"</span><span class="p">]))</span> <span class="p">==</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Numbers </h3> <h3> Number within a range </h3> <p>Scenario: number must be between 1-16. <br> Thanks: <a class="mentioned-user" href="https://dev.to/tlindsay42">@tlindsay42</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"num_in_range"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">num_in_range</span> <span class="err">&gt;</span><span class="p">=</span> <span class="mi">1</span> <span class="err">&amp;&amp;</span> <span class="nx">var</span><span class="p">.</span><span class="nx">num_in_range</span> <span class="err">&lt;</span><span class="p">=</span> <span class="mi">16</span> <span class="err">&amp;&amp;</span> <span class="nx">floor</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">num_in_range</span><span class="p">)</span> <span class="p">==</span> <span class="nx">var</span><span class="p">.</span><span class="nx">num_in_range</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Accepted values: 1-16."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If you liked this post, please like. If you think it would be helpful in the future as a reference, please bookmark!</p> terraform linting drewmullen Wed, 02 Feb 2022 20:03:11 +0000 https://forem.com/drewmullen/terraform-boilerplate-common-awsami-searches-5hcg https://forem.com/drewmullen/terraform-boilerplate-common-awsami-searches-5hcg <p>Searching for AMI's is not fun. Here are some you might be searching for:</p> <h3> Amazon Linux 2 (latest): </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"amazon_linux_2"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amazon"</span><span class="p">]</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amzn2-ami-hvm-*-x86_64-ebs"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Graviton 2 </h3> <h3> RHEL 7 (latest) </h3> <p>Thanks: <a class="mentioned-user" href="https://dev.to/wsarwariamzn">@wsarwariamzn</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"rhel_7"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"309956199498"</span><span class="p">]</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"RHEL-7.9_HVM_GA*-x86_64-0-Hourly2-GP2"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Please send me more and I'll include them in this post!</p> terraform boilerplate aws drewmullen Wed, 29 Dec 2021 19:31:07 +0000 https://forem.com/drewmullen/terraform-provider-block-for-every-aws-region-1dkp https://forem.com/drewmullen/terraform-provider-block-for-every-aws-region-1dkp <p>Boilerplate HCL for your module writing needs! Did I miss any?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{}</span> <span class="c1">#### NORTHERN VIRGINIA : us-east-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="c1">#### OHIO : us-east-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us-east-2"</span> <span class="p">}</span> <span class="c1">#### NORTHERN CALIFORNIA : us-west-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-west-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us-west-1"</span> <span class="p">}</span> <span class="c1">#### OREGON : us-west-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-west-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us-west-2"</span> <span class="p">}</span> <span class="c1">#### CANADA : ca-central-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ca-central-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ca-central-1"</span> <span class="p">}</span> <span class="c1">#### MUMBAI : ap-south-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-south-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-south-1"</span> <span class="p">}</span> <span class="c1">//#### OSAKA_LOCAL : ap-northeast-3</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-northeast-3"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-northeast-3"</span> <span class="p">}</span> <span class="c1">#### SEOUL : ap-northeast-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-northeast-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-northeast-2"</span> <span class="p">}</span> <span class="c1">#### SINGAPORE : ap-southeast-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-southeast-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-southeast-1"</span> <span class="p">}</span> <span class="c1">#### SYDNEY : ap-southeast-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-southeast-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-southeast-2"</span> <span class="p">}</span> <span class="c1">#### TOKYO : ap-northeast-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-northeast-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-northeast-1"</span> <span class="p">}</span> <span class="c1">#### FRANKFHURT : eu-central-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-central-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-central-1"</span> <span class="p">}</span> <span class="c1">#### IRELAND : eu-west-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="c1">#### LONDON : eu-west-2</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-2"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-west-2"</span> <span class="p">}</span> <span class="c1">#### MILAN : eu-south-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-south-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-south-1"</span> <span class="p">}</span> <span class="c1">#### PARIS : eu-west-3</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-3"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-west-3"</span> <span class="p">}</span> <span class="c1">#### STOCKHOLM : eu-north-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="p">}</span> <span class="c1">#### SAO PAULO : sa-east-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"sa-east-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"sa-east-1"</span> <span class="p">}</span> </code></pre> </div> <p>Including these but I had trouble if I included<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">//#### SOUTH AFRICA : af-south-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"af-south-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"af-south-1"</span> <span class="p">}</span> <span class="c1">//#### HONG KONG : ap-east-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-east-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ap-east-1"</span> <span class="p">}</span> <span class="c1">//#### MIDDLE EAST: me-south-1</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"me-south-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"me-south-1"</span> <span class="p">}</span> </code></pre> </div>