Community Office Hours: Terraform

Join us weekly on Thursdays for Community Office Hours focused on Terraform and its providers. Please use this thread to ask technical questions to be answered during the 60-minute live office hours.

During Community Office Hours, we will have experts available to provide advice on technical architecture, give recommendations for operational best practices, review current GitHub issues, or dive into the open-source code itself.

The hosting teammates will reference this thread during each Community Office Hours focusing on Terraform and its providers.

Keep up with the schedule here and join us live soon!

Interested in catching up with previous Community Office Hours? Check out the recordings here.

My company created an internal set of modules that we’re required to use. Each of the modules has a provider block (for aws).
I want to call the corporate modules, but redefine the provider block in order to use LocalStack endpoints.
When I run the modules, it seems like the provider block in the module is taking precedence. Is there a way for me to make Terraform use my provider block?

Good morning,

My current organization is not using Terraform and I am spearheading the effort to make that statement no longer true.

I am currently writing a white paper on the security of Terraform in the Enterprise and I am struggling to find any source code security documentation. Is there anything public that I can link to in my paper?

Did you try passing-providers-explicitly?

Not sure if this is the correct Office Hours as my questions are all specific to the AzureRM provider.

  1. Is there interest in resources that aren’t backed by ARM? If so, is there any recommendation on how to go about implementing this?
    Context: I want to configure Stored Access Policy for a container and a queue in order to provide revokable SAS tokens.
  2. There are multiple resource types that, if they fail after creation but before creation is complete, do not add the resource to the state. This makes cleaning up the problem a very manual process. Is this pattern intentional or would you be open to PRs that ensured the resource was added to the state as long as the initial creation succeeded?
    Context: #9713 and #9717 for concrete resources I’ve stumbled across this problem due to missing permissions for the user running Terraform on the initial run.
  3. How to resolve differences of opinion in PRs, and how to highlight PRs that are close for being ready for a proper review?
    Taking a concrete example, on #10030 I suggested splitting one of the input params in two then Neil came in and suggested the opposite and progress on the PR seems to have stopped in the confusion/uncertainty of the correct way forward.

Office hours question:

I am developing a Terraform provider that creates a resource (A) and as part of that process, the provider and the resource negotiate a key that should be considered secret. We want to then immediately use this key in another resource (B) that will use the key to access the resource A. Also, for B to use A it needs access to multiple additional pieces of information, like IP address and name.

  1. Is it acceptable to store secrets in the Terraform state (in the resource output, and used in a resource input)?

  2. To keep the provider user from having to reference multiple fields, would it be acceptable to pack multiple fields’ worth of information into a single field?

  3. What if the “key” in this case was a kilobyte or more of data (for example, it was a PEM-encoded public or private key)? Would there be any concerns about the size of the state file if this field was referenced in multiple places?

Thanks in advance for reviewing this question. I look forward to hearing your answers.

1- It's not secure, so you store it in a backend like S3, DynamoDB, artifact; the other option is to store it in Vault.

2- As an output it would be good, for example using * to declare all resources, but as a reference to a resource it needs to be validated, along with its interaction and conflict with the count index.

3- Yes, if it is possible to compress the state file to a minimum, that would be good, or better to use a backend.
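
An added example, not part of the original posts and not HashiCorp code: a Python check that walks a Terraform state file in the version 4 JSON layout and reports string attributes that hold a PEM private key or have a secret-looking name, with each value's size in bytes. The resource types, attribute names and values in the sample state are constructed placeholders, and the name pattern is an assumption to tune per provider.

```python
import json
import re

# Constructed sample in the Terraform state v4 JSON layout; the resource
# types, attribute names and values are hypothetical placeholders.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "example_resource_a", "name": "a",
         "instances": [{"attributes": {
             "name": "a-1", "ip_address": "192.0.2.10",
             "negotiated_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
         }}]},
        {"mode": "managed", "type": "example_resource_b", "name": "b",
         "instances": [{"attributes": {
             "target": {"name": "a-1", "secret_key": "constructed-value"},
         }}]},
    ],
})

PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Assumed naming heuristic for secret-bearing attributes.
SUSPECT_NAME = re.compile(r"(secret|password|token|private_key|_key$)", re.I)


def walk(value, path):
    """Yield (path components, string) for every string leaf, including nested ones."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, path + [str(key)])
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, path + [str(index)])
    elif isinstance(value, str):
        yield path, value


def find_plaintext_secrets(state_text):
    """Return (resource address, attribute path, reason, size in bytes) tuples."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            for path, text in walk(inst.get("attributes"), []):
                reason = ("pem-private-key" if PEM_PRIVATE.search(text)
                          else "suspect-name" if text and SUSPECT_NAME.search(path[-1])
                          else None)
                if reason:
                    findings.append((address, ".".join(path), reason, len(text.encode())))
    return findings
```

Running it against a copy of a real state file shows both which secrets are readable by anyone with access to the backend and how many bytes each repeated copy adds.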

Office Hours Question:

When trying to publish a provider (terraform-provider-zededa) to the Terraform Registry,

We have followed all the steps indicated in “Publishing Providers” section:

We are trying to publish the provider from the following GitHub repo:

The following link from registry.terraform.io indicates the provider as already published:
https://registry.terraform.io/publish/provider/github/zededa

But when I click on the link, the page hangs (keeps on loading, never completes).
And the “terraform init” command fails for the provider.

Can you please help with fixing this? What step is missing here?

I see that the webhook is missing from the repo. Since the provider page is not loading, we are not sure how to fix this. The document indicates that I need to do a “resync” once that page loads.

I emailed registry support multiple times, but did not get any response. Would appreciate it if we can discuss how to fix this issue.

BTW… I have emailed terraform-registry@hashicorp.com - and here is the ticket request:
HashiCorp Help Center