
Commit

Permalink
feat!: Work around terraform 1.10 sensitive detection
s-diez committed Dec 10, 2024
1 parent 3ccf549 commit 490952a
Showing 2 changed files with 50 additions and 21 deletions.
19 changes: 17 additions & 2 deletions README.md
@@ -1,15 +1,29 @@
<!-- BEGIN_TF_DOCS -->
# Terraform Module Kustomization

This module is a convenience wrapper for the kustomization\_resource.
(https://registry.terraform.io/providers/kbst/kustomization/latest/docs)
It creates kustomization resources from a kustomization data source.

## Migration for v2

Because of changes to sensitive value detection in terraform v1.12, sensitive kinds now have their own resource.
To prevent recreation of those kinds, add moved blocks like below.

```terraform
moved {
from = module.keycloak.module.kustomization.kustomization_resource.p1["_/Secret/<Namespace>/<SecretName>"]
to = module.keycloak.module.kustomization.kustomization_resource.p1_sensitive["_/Secret/<Namespace>/<SecretName>"]
}
```

<!-- BEGIN_TF_DOCS -->


## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_kustomization_data_source"></a> [kustomization\_data\_source](#input\_kustomization\_data\_source) | This input accepts a kustomization\_build or kustomization\_overlay data source as input. | <pre>object({<br> ids = set(string)<br> ids_prio = list(set(string))<br> manifests = map(string)<br> })</pre> | n/a | yes |
| <a name="input_kustomization_data_source"></a> [kustomization\_data\_source](#input\_kustomization\_data\_source) | This input accepts a kustomization\_build or kustomization\_overlay data source as input. | <pre>object({<br/> ids = set(string)<br/> ids_prio = list(set(string))<br/> manifests = map(string)<br/> })</pre> | n/a | yes |
| <a name="input_timeout"></a> [timeout](#input\_timeout) | Timeout for create, update and delete | `string` | `"5m"` | no |

## Outputs
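Review bot: The migration text says "terraform v1.12" while the commit title says "terraform 1.10"; the two should agree, and the README is the one users will read when they hit the plan diff. Two smaller points in the same hunk: the file now contains a second `<!-- BEGIN_TF_DOCS -->` marker after the migration section instead of keeping the hand-written text outside the generated region, so the next terraform-docs run is likely to overwrite or duplicate the "Migration for v2" section; and the example `moved` block hard-codes the consumer path `module.keycloak.module.kustomization`, which only applies to one caller. Suggest a neutral placeholder such as `module.<your_module>.kustomization_resource.p1["_/Secret/<Namespace>/<SecretName>"]` and a sentence noting that one `moved` block is needed per Secret instance, since `moved` blocks do not support `for_each`.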
Expand All @@ -18,5 +32,6 @@ It creates kustomization resources from a kustomization data source.
|------|-------------|
| <a name="output_p0"></a> [p0](#output\_p0) | Kustomization resources applied with priority 0 |
| <a name="output_p1"></a> [p1](#output\_p1) | Kustomization resources applied with priority 1 |
| <a name="output_p1_sensitive"></a> [p1\_sensitive](#output\_p1\_sensitive) | Sensitive kustomization resources applied with priority 1 |
| <a name="output_p2"></a> [p2](#output\_p2) | Kustomization resources applied with priority 2 |
<!-- END_TF_DOCS -->
52 changes: 33 additions & 19 deletions main.tf
@@ -1,11 +1,3 @@
/**
* # Terraform Module Kustomization
*
* This module is a convenience wrapper for the kustomization_resource.
* (https://registry.terraform.io/providers/kbst/kustomization/latest/docs)
* It creates kustomization resources from a kustomization data source.
*/

terraform {
required_providers {
kustomization = {
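Review bot: Dropping the header comment from main.tf removes the source terraform-docs used to render the README title and description. If the README header is now maintained by hand, the terraform-docs configuration should stop emitting the header section, otherwise a regeneration will strip the text that was just added to README.md.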
Expand All @@ -31,33 +23,50 @@ variable "timeout" {
description = "Timeout for create, update and delete"
}

locals {
p1_sensitive_ids = toset([
for id in var.kustomization_data_source.ids_prio[1] : id
if contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", id)["group_kind"])
])
p1_nonsensitive_ids = setsubtract(var.kustomization_data_source.ids_prio[1], local.p1_sensitive_ids)
}

# first loop through resources in ids_prio[0]
resource "kustomization_resource" "p0" {
for_each = var.kustomization_data_source.ids_prio[0]

manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(var.kustomization_data_source.manifests[each.value])
: var.kustomization_data_source.manifests[each.value]
)
manifest = var.kustomization_data_source.manifests[each.value]
timeouts {
create = var.timeout
update = var.timeout
delete = var.timeout
}
}

resource "kustomization_resource" "p1_sensitive" {
for_each = local.p1_sensitive_ids

manifest = sensitive(var.kustomization_data_source.manifests[each.value])

wait = true

timeouts {
create = var.timeout
update = var.timeout
delete = var.timeout
}

depends_on = [kustomization_resource.p0]
}

# then loop through resources in ids_prio[1]
# and set an explicit depends_on on kustomization_resource.p0
# wait for any deployment or daemonset to become ready
resource "kustomization_resource" "p1" {
for_each = var.kustomization_data_source.ids_prio[1]
for_each = local.p1_nonsensitive_ids

manifest = var.kustomization_data_source.manifests[each.value]

manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(var.kustomization_data_source.manifests[each.value])
: var.kustomization_data_source.manifests[each.value]
)
wait = true
timeouts {
create = var.timeout
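Review bot: In the `kustomization_resource.p0` block the `contains(["_/Secret"], ...) ? sensitive(...) : ...` conditional is removed and replaced by a plain `manifest = var.kustomization_data_source.manifests[each.value]`, with no `p0_sensitive` counterpart like the one added for priority 1. Any Secret in `ids_prio[0]` therefore loses its sensitive marking and its full manifest will be printed in `terraform plan` output and CI logs. Either split p0 the same way (a `p0_sensitive_ids` local plus a `p0_sensitive` resource) or document that sensitive kinds are only supported at priority 1. Separately, the `_/Secret` regex test now lives in the `locals` block for p1 only; pulling the group/kind extraction into one local (for example a map of id to group_kind) would avoid re-deriving it in each place and would make adding more sensitive kinds a one-line change.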
Expand Down Expand Up @@ -92,6 +101,11 @@ output "p0" {
description = "Kustomization resources applied with priority 0"
}

output "p1_sensitive" {
value = kustomization_resource.p1_sensitive
description = "Sensitive kustomization resources applied with priority 1"
}

output "p1" {
value = kustomization_resource.p1
description = "Kustomization resources applied with priority 1"
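Review bot: `output "p1_sensitive"` exposes resources whose `manifest` was wrapped in `sensitive()`, but the output itself is not declared `sensitive = true`. Inside a child module Terraform accepts this, but any root-module output that passes the value through must be marked sensitive or the plan will fail with "Output refers to sensitive values"; worth a sentence in the README migration section. Note also that `sensitive()` only redacts CLI and plan output; the Secret manifests are still written to state in plaintext, so state backend access control remains the actual protection.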