Terraform is a multi-cloud IaC tool: the logic for talking to a specific cloud provider's API (or to a SaaS or any other API) is split out into providers.
A provider is a plugin that Terraform uses to interact with one specific platform, such as AWS.
Providers fall into two groups: community-maintained providers and the official providers maintained directly by HashiCorp.
Specifying a Provider
A provider must be configured in the root module of a Terraform project.
It is best practice to keep the provider configuration in a separate providers.tf file rather than mixing it into the actual resource definitions of the root module. This makes the provider configuration easy to locate in a Terraform project.
Technically, though, a provider block may live in any of the .tf files of the root module.
It is also best practice to feed credentials and environment-specific settings into the provider configuration through input variables, so that no values are hard-coded and no secret can end up committed to GitHub.
AWS Provider
The AWS provider can authenticate with a named AWS profile, or directly with the access key pair of a technical IAM user, supplied either through the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables or through the access_key and secret_key provider arguments.
The provider basically needs two things:
- the region it should operate in
- credentials for your AWS account (a technical IAM user)
Specify Credentials through AWS Profile
Providing the credentials through the ~/.aws/credentials file, which stores one or more access key / secret access key pairs under named AWS profiles, is good practice. You can switch to another profile later or rotate the keys of the technical user, and the change takes effect on the provider immediately without touching any code.
This also has the added benefit that no credential values appear in your code files.
The provider assumes the credentials file is at ~/.aws/credentials by default. A custom location can be set with the shared_credentials_files argument (a list of paths); the older singular shared_credentials_file argument is deprecated in version 4 of the provider. If the profile argument is omitted, the provider also honors the AWS_PROFILE environment variable.
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.41.0"
    }
  }
}

# Credentials are resolved from the named profile in ~/.aws/credentials;
# nothing secret appears in the configuration itself.
provider "aws" {
  region  = var.region
  profile = var.profile
}
```
Specify Credentials directly
You can authenticate as an IAM user directly through the access_key and secret_key arguments of the provider configuration.
Never hard-code the secret values into the provider config in this case. Declare input variables for them without a default value and mark them sensitive = true, so that Terraform redacts them in plan and apply output, and pass the actual values in through environment variables.
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.41.0"
    }
  }
}

# The key pair comes from input variables that have no default value,
# so it can never be committed together with the code.
provider "aws" {
  region     = var.region
  access_key = var.access_key
  secret_key = var.secret_key
}
```
The variables can then be set in one of two ways:
- on the CLI: `-var access_key="..." -var secret_key="..."`
- through environment variables: `export TF_VAR_access_key="..."; export TF_VAR_secret_key="..."`
Prefer the environment variables: values passed with -var end up in your shell history and are visible in the process list while Terraform runs.
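As an added example (not code from the original post), this is how the input variables behind the two provider configurations above can be declared so that the credentials are never defaulted, never printed, and rejected early when they are malformed. The variable names region, access_key and secret_key are the ones used on this page; the validation patterns, the required_version constraint and the file split are assumptions of this example. The profile variant would declare a plain (non-sensitive) profile variable in the same way.

```hcl
# variables.tf  (added example, not from the original post)

variable "region" {
  description = "AWS region the provider talks to, e.g. eu-central-1"
  type        = string
  nullable    = false   # a null value must not silently fall back to another source

  validation {
    # Example pattern for region names such as us-east-1 or us-gov-west-1
    condition     = can(regex("^[a-z]{2}(-gov)?-[a-z]+-[0-9]$", var.region))
    error_message = "region must look like an AWS region name, e.g. us-east-1."
  }
}

variable "access_key" {
  description = "Access key ID of the technical IAM user. Supply via TF_VAR_access_key; never set a default."
  type        = string
  nullable    = false
  sensitive   = true    # redacted in plan/apply output

  validation {
    # Long-term IAM user access key IDs start with AKIA and are 20 characters long
    condition     = can(regex("^AKIA[A-Z0-9]{16}$", var.access_key))
    error_message = "access_key does not look like an IAM user access key ID."
  }
}

variable "secret_key" {
  description = "Secret access key of the technical IAM user. Supply via TF_VAR_secret_key; never set a default."
  type        = string
  nullable    = false
  sensitive   = true

  validation {
    # AWS secret access keys are always 40 characters long
    condition     = length(var.secret_key) == 40
    error_message = "secret_key must be exactly 40 characters long."
  }
}

# providers.tf
terraform {
  required_version = ">= 1.1"   # nullable requires Terraform 1.1 or newer

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.41.0"
    }
  }
}

provider "aws" {
  region     = var.region
  access_key = var.access_key
  secret_key = var.secret_key
}
```

Run it with `export TF_VAR_access_key=... TF_VAR_secret_key=...` and `terraform plan -var region=eu-central-1`; a missing key fails at variable validation before the provider is ever initialised. Two caveats: add `*.tfvars` to .gitignore so nobody drops the keys into a file next to the code, and treat saved plan files (`terraform plan -out=...`) as secrets, because Terraform records variable values in them even when they are marked sensitive.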