garden-io / garden

Automation for Kubernetes development and testing. Spin up production-like environments for development, testing, and CI on demand. Use the same configuration and workflows at every step of the process. Speed up your builds and test runs via shared result caching
https://garden.io
Mozilla Public License 2.0
3.32k stars 268 forks

[FEATURE]: Configure terraform backend options in terraform-plugin provider configuration #3570

Open stefreak opened 1 year ago

stefreak commented 1 year ago

Feature Request

Ability to configure the terraform backend options in the terraform plugin's provider configuration block.

This is especially helpful if the terraform backend requires secrets, e.g.:

providers:
  - name: terraform
    backend-config:
      some_token: "${secrets.MY_SECRET}"

Background / Motivation

Currently the terraform provider is hard to use in case a partial or dynamic backend config is needed. User Examples:

What should the user be able to do?

Configure parts of the terraform backend config in the terraform plugin provider config, e.g.

providers:
  - name: terraform
    backend-config:
      some_token: "${secrets.MY_SECRET}"

or, another example that changes the location of the terraform state file depending on the garden environment name:

providers:
  - name: terraform
    # assuming a partial terraform backend.tf with this content:
    # terraform { backend "s3" {} }
    backend-config:
      key: "terraform-states/${environment.name}.tfstate"
      bucket: bucketname
      dynamodb_table: tablename
      region: eu-central-1

More on partial backend configuration and the -backend-config terraform option can be found here: https://developer.hashicorp.com/terraform/language/settings/backends/configuration#partial-configuration

Why do they want to do this? What problem does it solve?

Makes it easier to use Garden with terraform in case a dynamic backend configuration is needed, e.g. see the following use cases:

Suggested Implementation(s)

Garden would need to pass the -backend-config parameter for this to work, as described here: https://developer.hashicorp.com/terraform/language/settings/backends/configuration#partial-configuration

How important is this feature for you/your team?

🌵 Not having this feature makes using Garden painful

stefreak commented 1 year ago

Workaround until this feature is implemented:

At the moment, the only way to pass Garden secrets to the terraform backend configuration is using the Garden exec provider. Here’s an example for that:

providers:
  - name: exec
    initScript: |
      sed "s/SOME_SECRET/${secrets.SOME_SECRET}/g" terraform/backend.tf.tpl > terraform/backend.tf
  - name: terraform
    version: "<tf-version>"
    initRoot: ./terraform
    dependencies:
      - exec

Sed will copy the contents of backend.tf.tpl into the file terraform/backend.tf, replacing the string SOME_SECRET with the configured garden Cloud secret.

This assumes that you have a terraform/backend.tf.tpl with contents similar to this:

terraform {
  backend "backend-provider" {
    config-option = "value"
    some_secret = "SOME_SECRET"
  }
}

When doing this, you should also create a .gitignore file in the terraform directory to prevent accidental commit of the secret to the source repository, which contains this line:

backend.tf
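
An added example, not part of the comment above or of Garden itself: sed treats `/` and `&` in the replacement text specially, so a secret containing them either breaks the substitution or is written out altered. The sketch below does the same template rendering with a literal string replacement, creates backend.tf with owner-only permissions, and adds the .gitignore entry. It assumes the secret is available in an environment variable named SOME_SECRET; the function names are hypothetical.

```shell
# Added example: render terraform/backend.tf from backend.tf.tpl without sed.
# Assumption: the secret is supplied in the SOME_SECRET environment variable.
render_backend() {
  tpl=$1 out=$2
  [ -n "${SOME_SECRET:-}" ] || { echo "SOME_SECRET is not set" >&2; return 1; }
  # Refuse values that would end or alter the quoted HCL string in the template.
  case $SOME_SECRET in
    *'"'* | *'\'* | *'${'* | *'%{'* | *'
'*) echo "SOME_SECRET contains characters unsafe in an HCL string" >&2; return 1 ;;
  esac
  (
    umask 077            # backend.tf holds a secret: owner read/write only
    rm -f "$out.tmp"     # never reuse a temp file created with wider permissions
    # index()/substr() treat both the placeholder and the secret as literal
    # text, so '/', '&' and regex metacharacters are copied verbatim.
    SOME_SECRET=$SOME_SECRET awk '
      BEGIN { needle = "SOME_SECRET"; secret = ENVIRON["SOME_SECRET"] }
      {
        rest = $0; head = ""
        while ((i = index(rest, needle)) > 0) {
          head = head substr(rest, 1, i - 1) secret
          rest = substr(rest, i + length(needle))
        }
        print head rest
      }' "$tpl" > "$out.tmp" && mv "$out.tmp" "$out"
  )
}

# Add backend.tf to the directory's .gitignore unless it is already listed.
ensure_ignored() {
  grep -qxF 'backend.tf' "$1/.gitignore" 2>/dev/null ||
    echo 'backend.tf' >> "$1/.gitignore"
}

# Demo on constructed input: a template like the one above and a made-up secret.
demo() (
  d=$(mktemp -d) && mkdir "$d/terraform" || exit 1
  printf 'terraform {\n  backend "backend-provider" {\n    some_secret = "SOME_SECRET"\n  }\n}\n' > "$d/terraform/backend.tf.tpl"
  SOME_SECRET='ab/cd&ef'
  render_backend "$d/terraform/backend.tf.tpl" "$d/terraform/backend.tf" &&
    ensure_ignored "$d/terraform" && grep some_secret "$d/terraform/backend.tf"
  rm -rf "$d"
)
demo
```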

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it hasn't had any activity in 90 days. It will be closed in 14 days if no further activity occurs (e.g. changing labels, comments, commits, etc.). Please feel free to tag a maintainer and ask them to remove the label if you think it doesn't apply. Thank you for submitting this issue and helping make Garden a better product!