hashicorp / terraform-provider-terraform

Terraform terraform provider
https://www.terraform.io/docs/providers/terraform/
Mozilla Public License 2.0

Adding a defaults section to terraform_remote_state #11

Closed kavehmz closed 6 years ago

kavehmz commented 6 years ago

Adding a defaults section to terraform_remote_state can clean up the process we have in our team.

We are using a remote state file. With that we can simply clone our terraform repo and work on it. Except that we need to distribute the secret variables we use somehow.

But actually almost all the secrets we need are stored in the state file, and we all have access to the state file. We just need to reuse those if we are working on a non-empty state. We don't need to resupply all our secrets again.

One easy way we found is by using data.terraform_remote_state.

data "terraform_remote_state" "k8s" {
  backend = "local"

  config {
    path = "terraform.tfstate"
  }
}

variable "my_secret" {
  default = ""
}

resource "local_file" "my_dummy_secret_consumer" {
  content  = "${var.my_secret != "" ? var.my_secret : data.terraform_remote_state.k8s.my_secret}"
  filename = "/tmp/this_is_just_to_save_someting"
}
output "my_secret" {
  value = "${var.my_secret != "" ? var.my_secret : data.terraform_remote_state.k8s.my_secret}"
}

The above code actually works for us right now. We don't need to store the secrets locally or distribute them in our team.

But only if the state file has the output already (a chicken-and-egg situation), so we make some dirty changes when we add a new secret or if the state is empty.

I have the following change compiled and with that we can have a very clean setup (by adding a defaults section).

data "terraform_remote_state" "k8s" {
  backend = "local"

  config {
    path = "terraform.tfstate"
  }

  defaults {
    my_secret = "if_var_not_set_and_state_is_empty"
  }
}

variable "my_secret" {
  default = ""
}

resource "local_file" "my_dummy_secret_consumer" {
  content  = "${var.my_secret != "" ? var.my_secret : data.terraform_remote_state.k8s.my_secret}"
  filename = "/tmp/this_is_just_to_save_someting"
}
output "my_secret" {
  value = "${var.my_secret != "" ? var.my_secret : data.terraform_remote_state.k8s.my_secret}"
}

This works perfectly; our setup won't break anymore if the state is empty, and we don't need to spend time on any other solutions. Terraform is a sufficient solution by itself this way.

Adding this change will help me greatly and I am hoping that this method might be useful for others too.

apparentlymart commented 6 years ago

Hi @kavehmz! Thanks for working on this.

It looks like this serves as essentially a workaround for hashicorp/hil#50. We do intend to fix that, but since it's not going to be a quick fix (requires redesigning the HIL evaluator) I like the idea of making this change to make things easier to use in the short term.

In the long run what you originally tried to do should work, but this defaults mechanism seems pretty useful in general (beyond working around this bug) so no harm in keeping it around after the root bug is fixed.

Thanks again!
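
An added example, not part of the thread or the provider's code: a Python check that reports which expected outputs a state file lacks (the empty-state case the `defaults` block covers) and which stored outputs are not flagged sensitive. The version 3 and version 4 state layouts it reads and the sample states are assumptions constructed for illustration.

```python
import json

# Constructed sample states (not from the thread); values are placeholders.
STATE_V3 = json.dumps({
    "version": 3,
    "modules": [{
        "path": ["root"],
        "outputs": {
            "my_secret": {"sensitive": False, "type": "string", "value": "example-value"},
        },
    }],
})
STATE_V4 = json.dumps({
    "version": 4,
    "outputs": {
        "my_secret": {"value": "example-value", "type": "string", "sensitive": True},
    },
})
EMPTY_STATE = json.dumps({"version": 3, "modules": [{"path": ["root"], "outputs": {}}]})


def root_outputs(state_text):
    """Return the root module's outputs from a version 3 or version 4 state."""
    state = json.loads(state_text)
    if "modules" in state:  # assumed version 3 layout: outputs sit under each module
        for module in state["modules"]:
            if module.get("path") == ["root"]:
                return module.get("outputs") or {}
        return {}
    return state.get("outputs") or {}  # assumed version 4 layout: top-level outputs


def audit_outputs(state_text, expected):
    """Classify each expected output name as missing, plaintext or sensitive."""
    outputs = root_outputs(state_text)
    report = {}
    for name in expected:
        if name not in outputs:
            # Not in state yet: a consumer would receive the `defaults` value.
            report[name] = "missing"
        elif outputs[name].get("sensitive"):
            # Flagged sensitive, but the value is still stored in the state file.
            report[name] = "sensitive"
        else:
            report[name] = "plaintext"
    return report
```

Calling `audit_outputs(STATE_V3, ["my_secret", "new_secret"])` shows `my_secret` as stored without the sensitive flag and `new_secret` as missing, which is the newly added secret case described in the issue.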