digitalocean / terraform-provider-digitalocean

Terraform DigitalOcean provider
https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs
Mozilla Public License 2.0

Ideal way to attach resources to projects when working with modules #485

Open jonathanvansina opened 4 years ago

jonathanvansina commented 4 years ago

We are using Terraform to manage all of our DigitalOcean infrastructure, with different environments (prod, staging, dev) that we separate by projects. Terraform is designed with multiple child modules (application, ci, vpc...). While everything is working fine, I'm still looking for the answer to an architectural question.

What's the most ideal scenario to attach resources (droplets, spaces, load balancers, domains...) to a DigitalOcean project in Terraform? First of all, the most ideal way for us would be a separate API key per project, but unfortunately this is not possible with DigitalOcean. We are working with a root module and multiple child modules (application, ci, vpc...) to provision our infrastructure.

I'm considering multiple possibilities:

  1. The first possibility is to make the digitalocean_project resource in the root module. Each child module has an output (urn) of all the resources that need to be attached to a project. In the root module, each resource is attached to the specified project with the digitalocean_project_resources resource.

    This way the child modules "are not aware" of the fact that the resources belong to a project.

  2. Second possibility is also to create the digitalocean_project resource in the root module. Each child module has an input (id) of the project created in the root module. In the child modules (application, ci, vpc...), each resource is attached to a project with digitalocean_project_resources and uses the id of the project as input.

    This way the child modules "are aware" of the fact that the resources belong to a project.

  3. A third and last possibility is to create a module: "project", which will create the project and attach all of the resources (urn as an input of the module) to the created project.

  4. Fourth and last possibility that I have in mind is to create a separate DigitalOcean account. This is only a last resort, as this will make things more complex.

Terraform Version

terraform -v
Terraform v0.13.0
+ provider registry.terraform.io/digitalocean/digitalocean v1.22.1

Affected Resource(s)

Please list the resources as a list, for example:

Expected Behavior

Easier way to attach resources (droplets, spaces, load balancers, domains) to a project (ex. production).

Actual Behavior

Complex way to attach resources to a project, one API key with all rights on the DigitalOcean account.
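
Option 1 from the post above, sketched as an added example (not code from the issue or from the provider project): the root module owns the project and attaches the URNs that each child module outputs. The module paths, the `urns` output and the resource names are assumptions; the account-wide API token the post describes is unchanged by this layout.

```hcl
# --- main.tf (root module) ---
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

variable "environment" {
  type        = string
  description = "One of: development, staging, production"
}

# Hypothetical child modules; neither one references a project.
# Each child module also needs its own required_providers block (Terraform 0.13+).
module "application" {
  source = "./modules/application"
}

module "ci" {
  source = "./modules/ci"
}

resource "digitalocean_project" "env" {
  name        = "example-${var.environment}" # constructed name
  description = "Resources for the ${var.environment} environment"
  purpose     = "Web Application"
  environment = title(var.environment) # "staging" -> "Staging"
}

# The single place where project membership is declared.
resource "digitalocean_project_resources" "env" {
  project = digitalocean_project.env.id
  resources = concat(
    module.application.urns,
    module.ci.urns,
  )
}

# --- modules/application/outputs.tf (modules/ci has the same output) ---
# Assumes the module defines digitalocean_droplet.app and
# digitalocean_loadbalancer.public (hypothetical resource names).
output "urns" {
  value = [
    digitalocean_droplet.app.urn,
    digitalocean_loadbalancer.public.urn,
  ]
}
```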

kaybeudeker commented 1 year ago

This is exactly what we are wondering: what is the best option? A separate API Token for each project would also be great!