
Extend TF (terraform) provider to allow configuration via environment variables
Open, Low, Public

Description

Background

With the main OpenStack provider, it's possible to define it something like this:

terraform {
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
      version = "~> 1.48.0"
    }
  }

  required_version = ">= 1.3.0"
}

provider "openstack" {
  tenant_name                   = var.project
}

The remaining settings can be imported via environment variables, simply by downloading the OpenRC file for the application credentials from Horizon, and sourcing it into your environment prior to running Terraform. That OpenRC file looks something like this:

#!/usr/bin/env bash

export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://openstack.eqiad1.wikimediacloud.org:25000/v3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME="eqiad1-r"
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=[snip]
export OS_APPLICATION_CREDENTIAL_SECRET=[snip]

Terraform variables which are marked as sensitive=true are only protected from being displayed accidentally. While I'd hope that variables defining provider credentials aren't re-used elsewhere in a Terraform configuration and thus won't find their way into state, it's not guaranteed.

Forcing the credentials to be loaded dynamically avoids the issue of either forcing the user to specify the credentials at runtime (via -var, -var-file, or being prompted), or storing them in a *.tfvars file (or worse, in the configuration itself) which might get accidentally committed to source control. Using the OpenRC file also makes it much easier to use short-lived credentials, which can be rotated by simply downloading and sourcing a new file into the shell.

The ask

Please can the Wikimedia CloudVPS provider *also* read from the OS_* environment variables if the values are not defined directly in Terraform configuration, in the same way that the existing OpenStack provider can?
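The precedence the request above describes (a value set in the provider block wins, an unset value falls back to the matching OS_* variable, and anything still unset is a configuration error) can be written as a small Go helper. The following is an added example, not code from terraform-cloudvps or from any Terraform SDK; the provider attribute names and the ResolveConfig function are assumptions chosen for illustration, while the OS_* variable names are the ones exported by the OpenRC file shown earlier. The lookup parameter has the signature of os.LookupEnv so the fallback can be exercised against a constructed environment.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// envFallbacks maps each provider attribute (hypothetical attribute names
// chosen for this example) to the OS_* variable an OpenRC file exports,
// using the variable names shown in the task description.
var envFallbacks = map[string]string{
	"auth_url":                      "OS_AUTH_URL",
	"region":                        "OS_REGION_NAME",
	"application_credential_id":     "OS_APPLICATION_CREDENTIAL_ID",
	"application_credential_secret": "OS_APPLICATION_CREDENTIAL_SECRET",
}

// ResolveConfig merges attributes set in the provider block with OS_*
// environment variables. Precedence is: explicit configuration, then the
// environment, then an error. The lookup function has the signature of
// os.LookupEnv so a test can substitute a fake environment.
func ResolveConfig(configured map[string]string, lookup func(string) (string, bool)) (map[string]string, error) {
	resolved := make(map[string]string, len(envFallbacks))
	var missing []string
	for attr, envName := range envFallbacks {
		if v := configured[attr]; v != "" {
			resolved[attr] = v // configuration wins over the environment
			continue
		}
		if v, ok := lookup(envName); ok && v != "" {
			resolved[attr] = v // fall back to the sourced OpenRC value
			continue
		}
		missing = append(missing, attr+" (or "+envName+")")
	}
	if len(missing) > 0 {
		// Name only the attributes, never their values, so the error
		// cannot leak a partially configured secret into logs or output.
		sort.Strings(missing)
		return nil, fmt.Errorf("provider configuration incomplete; set %s", strings.Join(missing, ", "))
	}
	return resolved, nil
}

func main() {
	// Mirrors the task's provider block: only one attribute is set in HCL and
	// the rest are expected to come from a sourced OpenRC file.
	cfg, err := ResolveConfig(map[string]string{"region": "eqiad1-r"}, os.LookupEnv)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, attr := range []string{"auth_url", "region", "application_credential_id"} {
		fmt.Printf("%s = %s\n", attr, cfg[attr])
	}
	fmt.Println("application_credential_secret = [redacted]")
}
```

In a terraform-plugin-framework provider this logic would sit in the provider's Configure step, after the provider block has been read into a struct and each attribute checked for being null or unknown; that wiring is left out here so the precedence rule itself stays visible and testable.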

Event Timeline

nskaggs renamed this task from "Extend TF provider to allow configuration via environment variables" to "Extend TF (terraform) provider to allow configuration via environment variables". Oct 28 2022, 3:16 PM
taavi removed taavi as the assignee of this task. Oct 28 2022, 5:29 PM
taavi triaged this task as Low priority.

This is a reasonable feature request, although the new Terraform provider SDK (terraform-plugin-framework) that terraform-cloudvps uses doesn't seem to have an easy way to do it yet.