Extend existing terraform provider?

I’ve been playing around with the Azure Terraform provider, and due to some extenuating circumstances, I need to add a custom resource. Is there an easy way to add a new resource to an existing provider?

I’ve seen this SO question, which is exactly what I’m trying to do, but the answers are not terribly helpful.

Things I have tried:

  • Trying to extend the existing schema/provider function from my provider and use that. I couldn’t get it to work, and it’s not a maintainable solution (I’d bet we will have more corner cases, and I’d prefer to keep the resources separate if possible).
  • Use local-exec - this isn’t an option because of how my company does network security. We currently don’t have the private link established on-prem => cloud, and even if we did, SSH is explicitly disallowed.
  • Playing around with the provider function to see if there was more trickery there that could be done. It’s not clear to me that I can grab the original provider’s credentials.

So, is this possible? If not, what are my options?

The next thing I’m considering trying is making an extremely stripped-down fork of the original provider and setting up an aliased provider with the same credentials. While this would work, it’s also not a great solution.

Hi @rosshinkley,

Unfortunately Terraform providers are not extensible via external Go code. They are distributed as compiled Go programs and so their functionality is fixed to the code that was present at the time of compilation.

The only viable options I can think of for your situation are:

  • maintain a full fork of the provider with the additional functionality you want
  • contribute the new functionality you need to the main provider repository via a pull request
  • write a new provider that uses the Azure SDK directly and implements whatever functionality you need (in this case, you’d need to provide similar provider configuration functionality to obtain credentials, etc, but if you support the same external auth mechanisms from the main provider then both the azurerm provider and your custom provider should be able to find and use those credentials)

We recommend not including credentials directly in the Terraform configuration anyway. Terraform providers often allow that in order to support more complex situations, but the primary way to provide credentials to a Terraform provider is via external “ambient” mechanisms like environment variables and vendor-specific credentials files.

For Azure in particular, that means either using CLI authentication, the managed service identity environment variables, client certificate environment variables, or service principal environment variables. If your separate provider were to support one or more of these itself (using similar logic as the azurerm provider does) then you could avoid the need to separately configure credentials for both providers.
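As an added illustration (not part of the reply above, and not the azurerm provider's own code), this Go sketch shows how a separate provider could pick its authentication method from the same ambient `ARM_*` environment variables, so no credentials appear in the Terraform configuration. The `ResolveAuth` function, the `AuthMethod` names, the precedence order and the rejection of conflicting settings are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// AuthMethod names which ambient credential source was selected (hypothetical type).
type AuthMethod string

const (
	AuthClientSecret AuthMethod = "service-principal-secret"
	AuthClientCert   AuthMethod = "service-principal-certificate"
	AuthMSI          AuthMethod = "managed-identity"
	AuthCLI          AuthMethod = "azure-cli"
)

// ResolveAuth picks an auth method from ARM_* variables; lookup is injectable for tests.
func ResolveAuth(lookup func(string) string) (AuthMethod, error) {
	clientID, tenantID := lookup("ARM_CLIENT_ID"), lookup("ARM_TENANT_ID")
	secret, cert := lookup("ARM_CLIENT_SECRET"), lookup("ARM_CLIENT_CERTIFICATE_PATH")
	if secret != "" || cert != "" {
		if secret != "" && cert != "" {
			return "", errors.New("set only one of ARM_CLIENT_SECRET and ARM_CLIENT_CERTIFICATE_PATH")
		}
		if clientID == "" || tenantID == "" {
			return "", errors.New("service principal auth also needs ARM_CLIENT_ID and ARM_TENANT_ID")
		}
		if secret != "" {
			return AuthClientSecret, nil
		}
		return AuthClientCert, nil
	}
	if lookup("ARM_USE_MSI") == "true" {
		return AuthMSI, nil
	}
	return AuthCLI, nil // nothing set: fall back to the signed-in Azure CLI session
}

func main() {
	m, err := ResolveAuth(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "auth config error:", err)
		os.Exit(1)
	}
	fmt.Println("auth method:", m) // report the method only, never the secret value
}
```

Failing on a half-configured service principal, instead of silently falling through to CLI authentication, keeps a CI job from running under a different identity than the one intended.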