Resource should support Terraform state backends #39
Comments
We are currently using terraform within our concourse pipeline with the local backend through custom tasks, including a task that pushes the terraform state file into git. See orange-cloudfoundry/cf-ops-automation#1 (although we are in the process of pushing our pipeline automation: the repo is still empty today.) We hope the support for the local backend in this concourse terraform-resource could help us leverage the out meta-data file to push the provisioned resources (say IaaS network id) down in our pipeline (e.g. into the bosh-director cloud-config). Eventually, we'd like to push the terraform state directly into credhub, possibly through a future credhub terraform backend (see orange-cloudfoundry/terraform-provider-cloudfoundry#20 (comment)). We'd love to hear if there is interest in such a credhub TF backend and credhub TF provider in the cloudfoundry community. /CC @o-orand @ArthurHlt
@gberche-orange out of curiosity, why did choose Still thinking about how to implement this issue but this use case does help show a use case where the built-in S3-compatible backend isn't sufficient.
EDIT: It was late and I was wrong about the behaviour I expected from terraform, this is a new way to do the trick (this was my second option). I've made too many changes from my first comment, that's why I've created a new comment.
I'm working with @gberche-orange and I will be happy to give some useful information to help: First, about the check command, this is not necessary in concourse to implement a But with this resource having a check will be useful, and with new changes inside terraform this is pretty easy to create such a function without any third-party storage like the one which was created in this repo. The Like terraform pull/push from remote state file efficiently I didn't answer your original question when you answered @gberche-orange: this was, for them, the easiest solution when you don't have any backend supported by terraform, that's why they plan to move to another backend, and why not a secured one.
The Concourse team is planning a change that all resources must implement check to get metadata, issue.
The I think the new Terraform workspace feature might be a good fit. I'll need to play with it a bit more but I'm optimistic that the resource will be able to leverage this feature. At the moment, S3 and consul are the only backends that support workspaces but I'd imagine more could be added. A credhub remote backend sounds nice, but I'd feel uneasy adding support for the local backend as it is too easy for a concourse user to make a mistake in a bash script and get your state files out of sync.
Well, I've just misspoken, I'm not sure what you mean by random env_name, could you explain? As a user I don't need one resource to manage multiple terraform environments; if I need that I will simply create another resource entry. I can be wrong but I'm wondering what the use case is for having multiple environments in one configuration? It is already possible to encrypt/decrypt the state file with S3 from aws and encryption will arrive in terraform (see proposal: hashicorp/terraform#9556 ), it seems that it's easy if the user decides to modify directly the
@ArthurHlt one of the primary use cases of this resource is managing a large pool of uniform environments. This can be done by setting For encryption, this resource supports
Again, I wouldn't want to encourage this as it's easy to make a mistake in a bash script, CI fails before git pushing your state file, and your state files are now out of sync.
thanks @ljfranklin for your answers
Thanks for your suggestion to mix S3 and then still push to our git backend. We'll discuss the following impact in our team and will give it a try:
I understand your concern. Our pipeline currently does not allow user scripts to touch the state file directly. Instead, modifications need to be pushed to git, preserving auditing and integrity. See related code at https://github.com/orange-cloudfoundry/cf-ops-automation/blob/a0da05b36bce43764f3f98c5072afd1da492be8f/concourse/pipelines/template/depls-pipeline.yml.erb#L979-L1001 But I can see how a native concourse usage could allow this. Would you be more comfortable with the terraform-resource supporting a git storage driver instead of a raw local terraform backend?
In the short-term I'd like to move away completely from the current custom S3 backend and instead leverage the official terraform remote state backends directly: https://www.terraform.io/docs/backends/types/s3.html. I view this resource as a thin wrapper around the Terraform CLI, so I wouldn't want to add a custom backend that doesn't exist in Terraform.
Started working on adding backends, you can see the proposed property changes here. Unfortunately this work is currently blocked as Terraform backends don't allow you to store the plan file in a way that is compatible with this resource. Longer discussion here hashicorp/terraform#16061 which indicates there are long-term plans to store plans in the backends but there's no timeline at this time.
FYI, @ArthurHlt produced the following implementation of the terraform http backend backed by credhub: https://github.com/orange-cloudfoundry/terraform-secure-backend This is still early work, and we're welcoming feedback.
Could
Yeah. Now that I'm back from vacation I'll try to put some time into finishing the backend support work over the next couple of weeks. Once that's done I can push a separate docker image with backend support, but no plan file support. I'll probably still wait to make backends the default until the plan feature works.
great, thanks Lyle |
@gberche-orange apologies for the delay on this, was waiting for some Terraform features to land before finishing the first pass on the backend work. Branch is here: https://github.com/ljfranklin/terraform-resource/tree/WIP-tf-backends#backend-beta. Please give it a spin and let me know if you run into issues, especially confusion around anything in the README.
thanks @ljfranklin , I hope to be able to test with terraform-secure-backend and provide feedback in the coming weeks
Hi, I've been testing the new tf backend functionality the last couple of days and so far it's working well. Although the fact that it doesn't support the plan and apply in two steps is sort of a deal-breaker for us. Maybe a workaround for now would be to give more flexibility to the user, by providing the plan file as an output of the I understand that you don't want to depend on other resources to support the plan&apply in two steps, but in my opinion having that is better than having nothing, and it would be optional anyway. Also, this resource already depends on the
@iuriaranda Unfortunately, you can't. Somewhat surprisingly a
hmmm ok, I see. Then the options are limited indeed. Either we wait until Terraform supports storing plans in the backend (which doesn't seem to be happening any time soon), or we implement a custom s3-based solution inside this resource, which is not ideal either. 🤔
@iuriaranda If you're using s3 as your backend, you can go back to using the
@ljfranklin yes we're using S3 as our Terraform backend. So if I understand correctly, the custom S3 storage backend implementation in The reason I wanted to try out the For now we're just using custom tasks to run Terraform, and moving the plan file from the
Unfortunately no, I shouldn't have used the word "backend" so many times in my previous comment. The
ok, thanks for the clarification. We'll keep using our own custom implementation for the moment, but we'll keep an eye on this issue as we would like to move to this resource whenever possible in the future. |
@ljfranklin Thanks for working on this. We have a use case where we would like to set the s3 object acl (this is an option in the terraform s3 backend), so for that reason I have tested out this beta image. It seems to work for that use case (object acl) but we rely on the plan_only feature for pull requests; we don't actually need the plan file at all but it is nice to run plan only for pull requests.
Hi, I'm curious if this is still open and worked on? I'm using concourse and terraform but I use the azure backend and it's blocking me from using this.
I've been kind of dragging my feet in the hopes that Terraform would support storing the plan files in the backend directly. But this issue hasn't moved at all. At this point I'll probably have to add some workaround hack to store the statefile using the backend configuration. The idea that comes to mind is using something like this stateful provider to store some arbitrary string in a state file. That way the resource could generate a plan file then store the contents of that file using the
@ljfranklin Thanks for updating this issue. I have been using the If you plan on making any breaking changes to the Thanks!
Backends: https://www.terraform.io/docs/backends/index.html
Unfortunately this resource can't use the built-in remote state backends at all right now. Concourse resources are required to implement a `check` function that can look for new versions of a resource. To have tighter control over the state files, the resource currently supports only S3. However, now that backends are listed directly in the Terraform config files it becomes even more desirable to support all the backends. I'll have to do some more thinking on this.
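To make the `check` requirement concrete, here is an added illustration (not code from terraform-resource or anyone in this thread) of what a Concourse `check` would have to do if it versioned a Terraform state document by its `serial` and `lineage` fields; the `state_path` source property and the sample state are assumptions made for the example. A lineage change or a serial going backwards is treated as the "state files out of sync" condition discussed above and reported as an error rather than as a new version.

```python
"""Hypothetical Concourse `check` over a Terraform state document.

Example only; the `state_path` source key is an assumption, not a real
terraform-resource property.
"""
import json
import sys

# Constructed sample state with only the fields this example needs.
SAMPLE_STATE = json.dumps({"version": 4, "serial": 7, "lineage": "constructed-lineage-1"})


def state_version(state_json):
    """Map a Terraform state document to a Concourse version (string values only)."""
    state = json.loads(state_json)
    return {"lineage": state["lineage"], "serial": str(state["serial"])}


def check(state_json, previous=None):
    """Return the versions at or after `previous`, Concourse-style.

    A different lineage means the state was replaced out-of-band; a lower serial
    means it was rolled back. Both are surfaced as errors so the pipeline stops
    instead of silently continuing with a desynchronised state file.
    """
    current = state_version(state_json)
    if previous is None:
        return [current]
    if previous["lineage"] != current["lineage"]:
        raise ValueError("state lineage changed: %s -> %s" % (previous["lineage"], current["lineage"]))
    prev_serial, cur_serial = int(previous["serial"]), int(current["serial"])
    if cur_serial < prev_serial:
        raise ValueError("state serial went backwards: %d -> %d" % (prev_serial, cur_serial))
    # Intermediate serials cannot be recovered from a single state file, so only
    # the current version is emitted; Concourse accepts that as "newest available".
    return [current]


def main():
    # Concourse passes {"source": {...}, "version": {...}} on stdin.
    request = json.load(sys.stdin)
    with open(request["source"]["state_path"]) as f:  # assumed source property
        state_json = f.read()
    json.dump(check(state_json, request.get("version")), sys.stdout)


if __name__ == "__main__":
    main()
```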