Comments (7)
You can set sensitive environment on the provider for this very reason. Also If you had an update block set in life cycle commands then it wouldn't force new the resource for environment variable changes
from terraform-provider-shell.
The part of resource configuration must be sensitive, so I used sensitive_environment
to pass values to the script and hide in terraform plan
output and pipeline logs. It's resource-related data, not global, and the provider environment can't be used for it.
Here is my usecase of using shell provider that expects different key-value input for different resources, and some of input values must be sensitive.
https://github.com/extenda/tf-module-kafka/tree/master/kafka-connect-ccloud
from terraform-provider-shell.
I'm just not sure why you can't declare sensitive variables in provider block. Its there for exactly situations like this. You can have multiple shell provider declarations if you don't want to share it globally across all shell resources. Also you can still use update method to ignore changes if the username and password change
from terraform-provider-shell.
I'd really move username and password parameters to provider block, as they are used only during deployment. But other sensitive parameters (login/password, token, service account, and many others, depending on connection type) are part of the final resource configuration, must be tracked for change and updated with running update
script.
from terraform-provider-shell.
If its an input parameter that must be tracked then you are right, using a sensitive_environment on the resource is appropriate. If one of these inputs changes then it will trigger an update on the resource, as long as an update script is supplied. You can compare the previous state of the resource, which is passed as stdin with the current configuration input and decide what you want your update script to do. It doesn't have to destroy the resource and recreate it. Does this not solve your problem? Sorry if I am not understanding exactly.
from terraform-provider-shell.
I'm sorry, I needed to show an example first before discussion
terraform {
required_providers {
shell = {
source = "scottwinkler/shell"
version = "1.7.3"
}
}
}
resource "shell_script" "weather" {
lifecycle_commands {
create = <<-EOF
echo "{\"secret\": \"$secret\", \"London\": \"$(curl wttr.in/London?format="%l:+%c+%t")\"}" > state.json
echo 'resources is created' >> log.txt
cat state.json
EOF
delete = <<-EOF
rm state.json
echo 'resource is destroyed' >> log.txt
EOF
read = "cat state.json"
update = <<-EOF
echo "{\"secret\": \"$secret\", \"London\": \"$(curl wttr.in/London?format="%l:+%c+%t")\"}" > state.json
echo 'resources is gracefully updated' >> log.txt
cat state.json
EOF
}
sensitive_environment = {
"secret" = "value1"
}
}
If run terraform apply
, then change secret
value to value2
and run terraform apply
again I expect the log.txt to have:
resources is created
resources is gracefully updated
But receive
resources is created
resource is destroyed
resources is created
If its an input parameter that must be tracked then you are right, using a sensitive_environment on the resource is appropriate. If one of these inputs changes then it will trigger an update on the resource, as long as an update script is supplied.
That is expected to me too, but in the example above it trigger destroy and create if secret
value changed
from terraform-provider-shell.
Oh, my bad, I used the old version, In the recent version it works as expected.
from terraform-provider-shell.
Related Issues (20)
- JSON lists are not parsed as valid output HOT 1
- Facing issues when I use this provider to test locally in my MacBook Air HOT 1
- Error: changes to `lifecycle_commands` and/or `interpreter` should not be follwed by changes to other arguments HOT 4
- It might not even be from this module, I'm trying to follow odd variable behavior.
- Question: What's the best way to force terraform plan to fail on read error?
- Support list/map type for environment argument HOT 2
- Cannot `terraform import` resources HOT 2
- Action should be ActionUpdate in update
- read_error value initializes to null and becomes "" after read causing state change on apply HOT 2
- In windows not working properly
- Permission denied. Error occured during shell execution HOT 1
- There's no option for marking output as sensitive HOT 2
- Provider doesn't perform "update" when i'm changing the update script.
- Update semantics - is there a way to to replay replacement details?
- Not supporting cygwin or mingw-w64
- Can `data` sources have `environment` variables also?
- Add support for inheriting environment variables HOT 1
- Shell script resource to be re-created in each apply
- Provider does not work with terraform refresh
- Document what JSON types are permitted HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from terraform-provider-shell.