/terraform-provider-tfstate

Terraform Provider to generate tfstate file with outputs only

Primary LanguageGo

Terraform Provider to generate tfstate with outputs only

Build Status

A logical provider that can be used to generate a pseudo Terraform State file, containing outputs only.

Why?

Terraform Remote state is a useful way to transfer values between Terraform environments but it requires the state reader to have access to the entire state file, which may contain sensitive data. Using this resources it's possible to generate a pseudo .tfstate file containing just the outputs without exposing internal details of the full Terraform config. Additionally, permissions on the pseudo .tfstate file can be set independently of the real .tfstate file, or it could be stored in a different location that is more accessible to be consumed by downstream configs.

Known Limitations

Due to current limitations with the Terraform type system, it's only possible to use string typed values in the outputs. Use Terraform interpolation functions such as join, keys, values, list, zipmap to encode/decode maps and lists to/from strings.

Using the provider

tfstate_outputs resource

Basic Example

// generate outputs 
resource tfstate_outputs "test" {
  output {
    name  = "foo"
    value = "bar"
  }

  output {
    name  = "baz"
    value = "bam"
  }
}

// write the tfstate to file, so it can be read from another Terraform module/config
resource "local_file" "state_outputs" {
  content  = "${tfstate_outputs.test.json}"
  filename = "${path.module}/terraform.tfout"
}

In another module / config

data "terraform_remote_state" "upstream" {
  backend = "local"

  config {
    path = "../terraform.tfout"
  }
}

output "upstream_foo" {
  value = "${data.terraform_remote_state.upstream.foo}"
}

Argument Reference

  • output - a list of output blocks with the following structure:
    • name - the name of the output
    • value - the output value
    • sensitive - (OPTIONAL) does this output contain sensitive data. NOTE this flag has no impact on the behaviour of this provider, but the sensitive flag may be used downstream

Attribute Reference

  • json - the generated tfstate in JSON format
  • serial - an auto incrementing integer representing the version of the resource

Development Requirements

  • Terraform 0.11.x
  • Go 1.10 (to build the provider plugin)

Building The Provider

Clone repository to: $GOPATH/src/github.com/sl1pm4t/terraform-provider-tfstate

$ mkdir -p $GOPATH/src/github.com/sl1pm4t; cd $GOPATH/src/github.com/sl1pm4t
$ git clone git@github.com:sl1pm4t/terraform-provider-tfstate

Enter the provider directory and build the provider

$ cd $GOPATH/src/github.com/sl1pm4t/terraform-provider-tfstate
$ make build

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.8+ is required). You'll also need to correctly setup a GOPATH, as well as adding $GOPATH/bin to your $PATH.

To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.

$ make bin
...
$ $GOPATH/bin/terraform-provider-tfstate
...

In order to test the provider, you can simply run make test.

$ make test

In order to run the full suite of Acceptance tests, run make testacc.

$ make testacc