Can anyone help me with:
variable "dir" {
  type = string
}

variable "data" {
  # template_file vars must be strings, so constrain the map accordingly
  type    = map(string)
  default = {}
}

# kustomize build dir -> single raw manifest
data "external" "kustomize_build" {
  program = ["bash", "${path.module}/kustomize_build.sh"]
  query = {
    dir = var.dir
  }
}

# template raw manifest -> templated raw manifest
data "template_file" "kustomize_template_raw" {
  template = data.external.kustomize_build.result.raw
  vars     = var.data
}

# kubectl diff templated raw manifest -> random trigger
data "external" "kubectl_diff" {
  program = ["bash", "${path.module}/kubectl_diff.sh"]
  query = {
    raw = data.template_file.kustomize_template_raw.rendered
  }
}

resource "null_resource" "deploy" {
  triggers = {
    diff = lookup(data.external.kubectl_diff.result, "trigger", "null")
  }

  provisioner "local-exec" {
    command = <<SCRIPT
echo "$RAW" | kubectl apply -f -
SCRIPT
    environment = {
      RAW = data.template_file.kustomize_template_raw.rendered
    }
  }

  # destroy-time provisioner: references outside 'self' trigger the warning below
  provisioner "local-exec" {
    when    = destroy
    command = <<SCRIPT
echo "$RAW" | kubectl delete -f -
SCRIPT
    environment = {
      RAW = data.template_file.kustomize_template_raw.rendered
    }
  }
}
It produces:
Warning: External references from destroy provisioners are deprecated
...
Destroy-time provisioners and their connection configurations may only
reference attributes of the related resource, via 'self', 'count.index', or
'each.key'.
References to other resources during the destroy phase can cause dependency
cycles and interact poorly with create_before_destroy.
(and one more similar warning elsewhere)
The problem is that I cannot pass data.template_file.kustomize_template_raw.rendered to the triggers map, as it would be visible in terraform apply/plan (it contains secrets).
How can I pass it to the destroy provisioner? Even a local_file resource will not help here.
It would be nice to have some sensitive_content block in null_resource.
In this case, the $RAW variable would not be printed to the output; it would be piped to kubectl.
Any ideas?
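One way to make the destroy provisioner self-contained while keeping the manifest out of plan output, added here as an example and not part of the original post: store the rendered manifest on the resource's own triggers, wrap it in sensitive() so Terraform redacts it as "(sensitive value)" in plan/apply output, and reference it through self.triggers from both provisioners. This assumes Terraform 0.15 or newer (for the sensitive() function) and that the data sources from the post are unchanged.

```hcl
# Assumed: Terraform >= 0.15, and the data.external / data.template_file
# blocks from the post exist with the same names.
resource "null_resource" "deploy" {
  triggers = {
    # Marking the value sensitive keeps the manifest (and the secrets it
    # carries) redacted in plan output, while still living on the resource
    # so the destroy-time provisioner may read it via 'self'.
    raw = sensitive(data.template_file.kustomize_template_raw.rendered)

    # Separate change detector taken from the existing kubectl diff data source.
    diff = lookup(data.external.kubectl_diff.result, "trigger", "null")
  }

  provisioner "local-exec" {
    command = <<SCRIPT
printf '%s' "$RAW" | kubectl apply -f -
SCRIPT
    environment = {
      # Only 'self' is referenced, so no deprecation warning is raised.
      RAW = self.triggers.raw
    }
  }

  provisioner "local-exec" {
    when    = destroy
    command = <<SCRIPT
printf '%s' "$RAW" | kubectl delete -f -
SCRIPT
    environment = {
      # Same manifest that was applied, read back from the stored trigger.
      RAW = self.triggers.raw
    }
  }
}
```

The manifest is still written to the state file, so state storage and access to it need the same protection as any other secret-bearing state.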