-
Notifications
You must be signed in to change notification settings - Fork 787
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Top-level dependency injections/overrides #808
Comments
Hey @rmt thank you very much for this issue and sorry for the long delay. We have discussed this issue in the core team and feel that overriding the module from the outside is a wrong and potentially dangerous way of going about modifying a module. As all currently available public modules in the registry are on GitHub, we recommend forking the module in question and maintaining a fork of said module with your desired changes applied. You can submit your fork to the OpenTofu registry here. Since this feature would require significant work and be potentially dangerous to users, we have decided to not implement this feature at this time and will be closing the issue. |
That's a shame, as such a pragmatic feature would have had a quantifiable benefit, especially for enterprises, whose engineers are often hamstrung by corporate OSS-related processes thanks to legal and liability risks (it's a minefield, and only getting worse, cough EU's CRA cough). I don't quite understand the perceived danger, though. Outside of the risk that giving someone a hammer is dangerous because they might use it to hammer their own thumb, but giving hammers to users is kind of what TF does. |
Hi! When we discussed this in the core team, part of our main concern was that we don't really want to be handing out too many hammers where possible! I'm aware this could be useful, but it could also be a nightmare for module authors who put a lot of work to ensure things happen in the correct way. The reason we are recommending forking is because that involves the end user of the module to take the time to understand what is happening inside the module. Rather than just attempting overrides without full knowledge. This is more about trying to provide a "best practice" and approach to this, and whilst we are aware that forking in the enterprise world can be difficult, we still feel this would be the best approach. Our opinion here does not mean that we are 100% against this though, If other people feel strongly about this then we are happy to re-evaluate as time goes on. |
I'd like to add to the comment by @Yantrio that if we gave users a way to modify the functionality of a module, it's questionable how that would be evaluated under the CRA and you'd likely need to have a chat with legal about this anyway. |
It's quite possible that upstream modules may use functions that exist in opentofu or terraform, which would exclude the other from using said module. This opens up another use-case for a way to override or patch upstream modules after initializing (similar to kustomize for helm) modules. Would opentofu consider reopening this? Related issue Now that opentofu is merging new functions |
Hi @nitrocode we had a very thorough discussion about the benefits and drawbacks of this feature. It is our unanimous opinion that this is very similar to Aspect Oriented Programming and will lead to fragile code where you have to inspect and patch every single update of a module. This is effectively the same work you would have to do if you were maintaining a fork, except much less transparent. This feature should also not be used to work around legal and compliance requirements. To ease the pain of working with both Terraform and OpenTofu, the TSC is currently considering #1275 and we were playing with the idea of publishing an OpenTofu polyfill provider for Terraform, but there's no issue for that yet and we haven't given this any serious thought beyond the idea. Equally, if there is functionality missing from OpenTofu that's in Terraform, please open an issue so we can consider it. Our preferred solution for this would be to:
I'm happy to reopen the issue for the purposes of collecting a use case where neither of the 3 solutions above are workable and the use case isn't trying to work around legal requirements. (We don't make the laws, we may not agree with them, but I think I speak for all core devs when I say we don't want to provide tools specifically to skirt them.) |
OpenTofu Version
Use Cases
When working with third party modules, their dependencies are not always suitable to your use-case, often resulting in confusion, excessive time spent on debugging and trying different approaches, and quite often hacky solutions.
Attempted Solutions
Proposal
OpenTofu could support a direct way to inject explicit dependencies from the top-level module, or with an extra configuration file specified on the command line.
Ideally, this would use the resource paths returned by "tofu state list", allowing for surgical precision. It could also support wildcards.
Such a feature would put the end-users in control and would be of clear benefit to OpenTofu users, helping to drive its adoption, while maintaining backwards compatability with terraform.
Possible HCL example (only valid in top-level module):
Alternative approaches could be:
References
No response
The text was updated successfully, but these errors were encountered: