Page MenuHomePhabricator
Create Task
Maniphest T321250

Extend TF (terraform) provider to allow configuration via environment variables
Open, LowPublic
Actions

Description

Background

With the main OpenStack provider, it's possible to define it something like this:

terraform {
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
      version = "~> 1.48.0"
    }
  }

  required_version = ">= 1.3.0"
}

provider "openstack" {
  tenant_name                   = var.project
}

The remaining settings can be imported via environment variables, simply by downloading the OpenRC file for the application credentials from Horizon, and sourcing it into your environment prior to running Terraform. That OpenRC file looks something like this:

#!/usr/bin/env bash

export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://openstack.eqiad1.wikimediacloud.org:25000/v3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME="eqiad1-r"
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=[snip]
export OS_APPLICATION_CREDENTIAL_SECRET=[snip]

Since Terraform variables which are marked as sensitive=true only protects them from being displayed accidentally. While I'd hope that variables defining provider credentials aren't re-used elsewhere in a Terraform configuration and thus won't find their way into state, it's not guaranteed.

By forcing the credentials to be loaded dynamically, it avoids the issue of either forcing the user to specify the credentials at runtime (via -var, -var-file, or being prompted), or storing them in a *.tfvars file (or worse, in the configuration itself) which might get accidentally committed to source control. Using the OpenRC file also makes it much easier to set short-lived credentials which can be easily rotated by simply downloading and sourcing a new file into their shell.

The ask

Please can the Wikimedia CloudVPS provider *also* read from the OS_* environment variables if the values are not defined directly in Terraform configuration, in the same way that the existing OpenStack provider can?

Related Objects
Search...

Event Timeline

stwalkerster created this task.Oct 20 2022, 12:19 AM
nskaggs renamed this task from Extend TF provider to allow configuration via environment variables to Extend TF (terraform) provider to allow configuration via environment variables.Oct 28 2022, 3:16 PM
taavi removed taavi as the assignee of this task.Oct 28 2022, 5:29 PM
taavi triaged this task as Low priority.

This is a reasonable feature request, although the new Terraform provider SDK (terraform-plugin-framework) that terraform-cloudvps uses doesn't seem to have an easy way to do it yet.

fnegri added a subscriber: fnegri.Dec 23 2022, 8:55 AM
bking added a subscriber: bking.Jan 12 2023, 4:16 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:29 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
fgiunchedi added a subscriber: fgiunchedi.Mar 1 2023, 9:41 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL