-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dynamic provider configuration assignment #25244
Comments
Hi, |
Just to link the issues, see also #19932 for multiple provider instantiation. |
can someone from Hashicorp bother himself and answer, Issue is open for a year now!!! |
Indeed. Without a workaround feature, this is a fundamental weakness of making post-auth information like region conventionally part of the provider rather than a more normal input to the resource, and as such, terraform becomes unreasonably verbose for expressing non-trivial architectures. |
This comment may help people here as well: #29840 (comment) Again, not tested for more than one, but I think it should just work. |
Another use-case many practitioners have is for_each on modules with providers. The most recent use-case:
Let's simplify the desired outcome of this feature: data "http" "classrooms" {
url = "https://internal-ws-based-on-non-tech-users-input/classrooms.json"
}
module "classrooms" {
for_each = data.http.classrooms.value
source = "./modules/classroom"
name = each.value.name
}
resource "aws_s3_bucket_object" "all_classrooms" {
bucket = "..."
key = "classrooms.json"
content_base64 = base64(json_encode([for c in module.classrooms: {
"name" = c.name,
"url" = c.url
}]))
} so that we just leave the auto-approve to terraform and run it as background job in Terraform Cloud or anywhere else every 30 minutes, having no bothering to change the HCL files through GIT every time we need to add a new classroom. But this is not possible because of this bug. some folks have solved the similar problem with code-generating the classroom equivalent modules via bash script, but this cannot really be done as a single-state apply... theoretically we can hack this around via github_repository_file, and use |
@jbardin any updates on the roadmap for this feature? |
@nfx, from what I understand this feature is very difficult to implement, because it would require major changes to the way Terraform works internally. With the basic idea that providers must exist and be setup before "running". But I agree that something like a dynamic provider would be great. Another common use case is one Terraform state that manages both a AWS EKS Kubernetes cluster with the AWS provider and Kubernetes resources with the Kubernetes provider. Currently there is basically no straight-forward way to do both things in the same state. The official recommendation is to split the creation of the cluster and the management of cluster internals into two states. |
@trallnag of course the feature might take time, so i'm asking for timelines here. those workarounds are not acceptable in the long term =) |
Any news about it? I'm facing the same issue |
could everyone with Hashicorp contact/subscription try reaching up? probably it's the only way to prioritize this. |
Yeah def annoying, I'd love to get an update on this too |
It is really good to have this kind of feature in terraform DSL. However this can be achieved (to some extent) if using terraform CDK. But terraform CDK cannot be used in production yet. :( |
@spareslant, ah okay, thanks for the details. So it's using several stacks / layers / states just like one would in vanilla Terraform. Just wrapped in one program / script. |
I've done a little more research into what it might take to support this today. There are some significant architectural challenges to overcome before we could support dynamically associating a provider configuration with a resource, rather than treating that as a static concern before expression evaluation. The key challenges I've identified in my initial (failed) prototyping spike are:
My focus here was on the problem of dynamically assigning existing provider configurations to individual resource instances. Although it's thematically connected, from a design and implementation standpoint that's actually pretty separate from the other desire to dynamically define provider configurations (e.g. #19932), and so I've not considered that here. That desire has a largely-unrelated set of challenges that involve the same problem that makes providers declared inside child modules not work well today: a provider configuration always needs to outlive all of the resources it's managing so that it can be around to destroy them, whereas declaring them dynamically makes it quite likely that both the provider configuration and the resource would be removed systematically together. If anyone would like to investigate that set of problems, I suggest discussing that over in #19932 instead so that we can keep the two research paths distinct from one another. |
Are we saying that in Terraform, the "provider" identified to install when running As much as I love terraform, this issue pushes me to leverage CloudFormation. |
One use case is Multiple Regions
|
are there any timelines for implementing this, @apparentlymart ? |
Same here, Dynamic EKS configuration so I need a dynamic provider to apply helm.
|
Hello @apparentlymart , any update about this issue? we're facing it too, thanks in advance |
Guess this will never happen :-( |
It may not help much, but for Azure specifically, and where the intent is to e.g. for_each through a module and pass in the target deployment scope (Subscription or Subscription and resource group) per instance, rather than duplicating code (which get's messy with hundreds of subscriptions), there is the option of using the Azure AzApi provider as I've provided an example of here: https://github.com/kahawai-sre/azapi-nsgs-demo |
Seriously? Two years and a feature which would be native to most DSLs and the most basic programming language is not present? At this point I might as well consider pulumi. |
we are noticing some resources allow provider configuration to overwrite right on the resource level, which seems like a convenient option: https://registry.terraform.io/providers/TelkomIndonesia/linux/latest/docs#provider-override |
That would be a nice workaround! |
This would almost completely solve the issue, at least for many people. A lot of people already generate the providers configuration one way or another and it wouldn't be much of a problem to generate this list. The crux of the problem is that you also need to generate the entire I completely understand the concerns around removing the provider before resources are destroyed and understand the design decisions around that. I've run into the issue on older versions of Terraform and it's definitely not fun to debug (if you don't know the root cause). But giving us some way to pass a provider alias without generating a I'm going to try |
Any progress? |
This issue has been open for quite some time.. At least give us an provider override. |
Wanted to add a use case here -- I'll be looking through the workarounds listed here to see if any of them will work. We use the SAP BTP Terraform provider. It can create CloudFoundry environments, which we then use the CloudFoundry provider to work with. The challenge: We don't have control over the CF API URL that SAP BTP will generate. The URL might be The challenge comes when wanting to now use that API URL along with my CloudFoundry provider block. ❌ I can't use a separate provider block in the module pass the API in a variable, because that makes this a legacy module that can't use So my only options (so far; still reading this thread) seem to be:
|
The 3rd option is to write a preprocessor stage that generates the appropriate The way we do it is like this:
There are still a bunch of downsides. For example depending on this feature https://developer.hashicorp.com/terraform/language/files/override) is non-intuitive and feels brittle. I dislike preprocessor steps in general for this reason. Your IDE will have no idea these files will exist and static analysis tools won't be aware of them either. You still can't loop over anything, you must define individual I do prefer this to generating actual TF code via another lnaugage because you can at least add some comments explaining what is happening, and it's not like more resources are popping into existence out of no where. But this mechanism is arbitrarily powerful and can solve a few unsolved problems related to limitations in terraform. For example we already use this to override module sources (which cannot be variablized) in restricted environments where the module source URL is different. It's a bit hacky, relying on a regex to directly parse the TF files, but it's been extremely reliable. Of course, every home-grown implementation of terraform workarounds seems to eventually resemble Terragrunt, so that might be something you want to check out. My team was not familiar enough with Terraform itself to take that on ~2 years ago, so we're using vanilla terraform with separate scripts to generate backend configs, provider configs, as well as some other simple configuration scripts. I did try to make things relatively consistent with Terragrunt so if they want to migrate later they can, but it's probably worth looking into if you're on a smaller team / company or working by yourself. |
Hello, provisioning a resource and then requiring a provider to configure said resource is not an uncommon pattern. For example, creating a Databricks workspace and then using its ID to configure the Databricks provider. I was surprised to learn today that this is not supported. This is a glaring oversight. I'm shocked that this is still unresolved after 4 years. |
This comment was marked as off-topic.
This comment was marked as off-topic.
An example of a place you may want to do this is where you have a single/uncomplicated resource like an "aws_iam_account_password_policy" and you want to set that across 20+ accounts. It's a pain in the butt defining each one individually. I would love Terraform to support this without third-party tools. |
This is going to be a critical feature for managing multiple child accounts automatically. Since we currently lack it, we are reconsidering our tooling choices and looking forward to using AWS StackSet to achieve this goal. We'll be happy to use Terraform for that, though. |
This comment was marked as off-topic.
This comment was marked as off-topic.
Does this mean if I have say a Kafka prodvider in a Kafka-topics module I could define an empty provider def in the root, and then in the module have an override for the provider for th exact broker/cluster they wanted to add a topic to? Or would I still error when planning because the provider config was changed by a module. And if only define it in the module resource cleanup is a two step issue? I am dealing with NG with these issues for providers to manage MySQL and Kafka users that are a root->mysql_cluster_module->mysql_provider->mysql_user.module->mysql_user_resource. I would love a pathway let each module call connect to its own server and know how to clean itself up Right now I need a plan to remove users, then another to remove the whole module call. |
Current Terraform Version
Use-cases
It would be nice to be able to create dynamic providers. The main reason for my usage would be for aws assume_role. I have Terraform to create a number of AWS Subaccounts, and then I want to configure those subaccounts in one apply, instead of breaking them up across multiple apply steps.
Currently this is done via modules, but with 0.12, I had to manually define copies of the modules for each subaccount.
As said by the 0.13 modules doc: https://github.com/hashicorp/terraform/blob/master/website/docs/configuration/modules.html.md#limitations-when-using-module-expansion
Attempted Solutions
Source for
./modules/organisation-group
:Source for
./modules/organisation-account-config
:Proposal
Module
for_each
:Provider
for_each
:This doesn't look as clean, but appeases the docs saying:
References
The text was updated successfully, but these errors were encountered: