Create a custom_data string with Terraform Ouputs
#667
Conversation
# Overview Currently, users have the ability to add `custom_data` to a linux VM in two ways: 1. Passing a local path to a script. 2. Directly inserting code in the `tfvars` This allows users to manually enter `custom_data` for these machines. But it does __not__ allow users to build a a string for the `custom_data` from the outputs of other Terraform outputs. # Our Use Case In our use case, we need to set the following string as the `custom_data`: ``` storage-account=stname, access-key=some-secret, file-share=myfileshare, share-directory=testdirectory ``` # Implementation The implementation isnt exactly the cleanest. It currently requires a nested `if` statement to mimic an `elif` block. In the future is others want to add other dynamically created string for `custom_data`, they will have to add other another loop.
abdulrabbani00
changed the title
custom_data string with Terraform Ouputscustom_data string with Terraform Ouputs
|
@arnaudlh @LaurentLesle Can you provide your feedback on this? What are your thoughts? |
| @@ -1,3 +1,12 @@ | |||
| locals { | |||
| dynamic_custom_data = { | |||
| palo_alto_connection_string = { | |||
There was a problem hiding this comment.
I think there is a way to abstract the name here.
var.settings.custom_data will give you the key of your dynamic attribute you want to process.
have you tried naming the key in line 3 like
(var.settings.custom_data) = { .... }
There was a problem hiding this comment.
or if I understand your objective here is to add additional items in the map like citrix_connection_string, avd_domain_join .... ?
There was a problem hiding this comment.
The latter is correct, the goal is to allow others to add new items to the map like citrix_connection_string, avd_domain_join ....
| @@ -23,6 +23,11 @@ output "primary_blob_endpoint" { | |||
| value = azurerm_storage_account.stg.primary_blob_endpoint | |||
| } | |||
|
|
|||
| output "primary_access_key" { | |||
There was a problem hiding this comment.
Our original design objective was not to put keys as much as possible in the output as they can rotate.
can't you use a data source in the vm to retrieve the key at runtime?
access-key=${var.storage_accounts[var.client_config.landingzone_key][item.palo_alto_connection_string.storage_account].primary_access_key}
There was a problem hiding this comment.
@LaurentLesle - The question I would have is this:
- If they access key rotates, does it get updated in Terraform per rotation?
- If it does get updated in Terraform, then wouldn't the output be updated as well?
- If it doesn't get updated, then would we be forced to set the key manually?
- If so, wouldn't the key be insecure as plain text in the
.tfvarsfile?
- If so, wouldn't the key be insecure as plain text in the
|
@LaurentLesle - I created the following PR in relation to this: #684 |
Overview
Currently, users have the ability to add
custom_datato a Linux VM in two ways:tfvarsThis allows users to manually enter
custom_datafor these machines. But it does not allow users to dynamically build a string for thecustom_datafrom Terraform outputs.Our Use Case
In our use case, we need to set the following string as the
custom_data, assuming a storage account, file share, and directory exist.:Implementation
The implementation I propose is to use a locals block that contains a map called
dynamic_custom_data. Here, any developer would be able to add their condition. The key would be used to reference their condition, and the value would contain the dynamic string created from Terraform outputs for each server.Our Example
The example (and use case) of this PR is the following:
*
custom_datadefined by the user in.tfvars:custom_data: palo_alto_connection_stringpalo_alto_connection_string:The following occurs:
custom_datato a key found indynamic_custom_data--palo_alto_connection_string.custom_dataobject withindynamic_custom_data.a.
palo_alto_connection_string = {...}custom_dataexists.custom_datavalue is a key inlocal.dynamic_custom_data. If it is, it will construct the value ofcustom_datausing the map that has a key with the same value ascustom_data. --var.palo_alto_connection_stringdynamic_custom_data. It will attempt to search for a file by that name, or add the string as-is.Future Use Cases
In the future, if anyone wanted to add a dynamic string, they have to do the following:
local.dynamic_custom_datacustom_datavar.dynamic_custom_data[custom_data]Questions
I understand this might be a lot to follow. Please let me know if you guys want to jump on a call to review.