英文:
Terraform Dynamic Provider Options
问题
我正在使用 fortios 提供程序通过 Terraform 配置我的 FortiGate 防火墙,主机名和 API 访问令牌必须直接硬编码到提供程序中,类似于以下内容:
terraform {
required_providers {
fortios = {
source = "fortinetdev/fortios"
}
}
}
provider "fortios" {
hostname = "
token = "
insecure = true
}
显然,这不是一个很好的做法,因为我要将我的 terraform 备份到 git 存储库,从而也存储了我的身份验证凭据。我理解 Terraform 在这方面的工作方式,它在处理 Terraform 代码本身之前会分析提供程序配置,因此我不能使用变量,但我想知道这里是否有任何选项?
它是否可以从环境变量或类似的方式动态传递?我看到类似的问题已经通过模块和别名解决,但这似乎并不完全适用于我的情况。
英文:
I'm using the fortios provider to configure my FortiGate firewalls through Terraform, and the hostname and API access token must be hardcoded directly into the provider, similar to below:
terraform {
required_providers {
fortios = {
source = "fortinetdev/fortios"
}
}
}
provider "fortios" {
hostname = "<host>"
token = "<api key>"
insecure = true
}
This obviously isn't great given that I'm backing off my terraform to a git repo, and therefore also storing my authentication credentials. I understand how Terraform works in this sense and that I can't use variables given that it analyses provider configuration before it processes the Terraform code itself, but I'm wondering if I have any options here?
Can it be passed dynamically from an environment variable or something similar? I've seen similar issues that have been resolved with modules and aliases, but this doesn't feel 100% applicable to my situation.
答案1
得分: 1
关于与Terraform运行的是谁或什么相关的任何信息,典型的方法是通过设置环境变量或一些其他类似的外部位置来设置,而不是在Terraform配置中设置。
特别是对于fortinetdev/fortios
,我认为这意味着将FORTIOS_ACCESS_TOKEN
环境变量设置为包含您的访问令牌,然后您可以完全省略provider "fortios"
块中的token
。
hostname
的权衡要更微妙一些,因为这描述的是Terraform正在管理的内容,而不是谁或什么在运行Terraform。在许多情况下,将Terraform正在管理的内容编码到配置中是合适的,以便与该配置一起工作的每个人都保证使用相同的设置,这种情况下,您将只设置hostname
的provider
块如下:
provider "fortios" {
hostname = "my-fortios-service.example.com"
}
访问令牌以及可以跳过TLS证书验证的断言都将存储在环境变量中,因为这些设置可能会根据运行Terraform的人以及运行位置而变化†。
在一些不太幸运的情况下,本地服务的地址太短暂以至于无法直接在配置中进行编码,这种情况下,您可能更喜欢为其声明一个输入变量,并在每次运行Terraform时为该变量提供一个值。但是,我只会考虑这作为最后的手段,只有在您无法安排所有服务都具有稳定的长期主机名时,因为这会产生一个风险,即有人可能输入错误的主机名,例如将演示配置应用于生产环境,或类似情况。
† 例如,如果您在共享的生产系统上自动运行Terraform,那么我通常期望将该系统配置为明确信任服务器的证书并且不设置“insecure”设置;我倾向于认为像这样的设置“不安全”只是在开发期间的便利,通常在开发人员的工作站上运行Terraform,这些工作站默认不信任内部服务器,因此会根据Terraform的运行位置而变化。
英文:
For any information related to who or what is running Terraform the typical approach is to set that using environment variables or some other similar external location, rather than within your Terraform configuration.
For fortinetdev/fortios
in particular I think that means setting the FORTIOS_ACCESS_TOKEN
environment variable to contain your access token, and then you can omit token
from your provider "fortios"
block altogether.
The tradeoff for hostname
is a little more subtle, because this describes what Terraform is managing rather than who or what is running Terraform. In many cases it's appropriate to encode what Terraform is managing in the configuration so that everyone working with that configuration is guaranteed to use the same setting, in which case you'd have a provider
block which only sets hostname
like this:
provider "fortios" {
hostname = "my-fortios-service.example.com"
}
The access token and the assertion that it's okay to skip TLS certificate verification would then both live in the environment variables, since those settings will presumably vary depending on who is running Terraform and where it is running†.
In some less fortunate situations the addresses of on-premises services are too ephemeral to be encoded directly in configuration like this, in which case you might prefer to declare an input variable for it and provide a value for that variable each time you run Terraform. However, I would consider that a last resort only if you cannot arrange for all of your services to have stable long-term hostnames, because it creates a risk of someone entering the wrong hostname and e.g. applying staging configuration to the production environment, or similar.
† If you were to run Terraform in automation on a shared production system, for example, I would typically expect to configure that system to explicitly trust the server's certificate and not set the "insecure" setting; I tend to consider settings like this "insecure" to be just conveniences for during development where Terraform is typically running on developer workstations that do not trust the internal server by default, and therefore varies depending on where Terraform is running.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论