scalr_provider_configuration

Resource: scalr_provider_configuration

A provider configuration helps organizations manage provider secrets in a centralized way. It natively supports the management of the major providers like Scalr, AWS, AzureRM, and Google Cloud Platform, but also allows registering any custom provider. Please have a look at the basic usage examples for each provider type.

Example Usage

Scalr provider

resource "scalr_provider_configuration" "scalr" {
  name         = "scalr"
  account_id   = "acc-xxxxxxxxxx"
  environments = ["*"]
  scalr {
    hostname = "scalr.host.example.com"
    token    = "my-scalr-token"
  }
}

AWS provider

resource "scalr_provider_configuration" "aws" {
  name                   = "aws_dev_us_east_1"
  account_id             = "acc-xxxxxxxxxx"
  export_shell_variables = false
  environments           = ["env-xxxxxxxxxx"]
  aws {
    account_type     = "regular"
    credentials_type = "access_keys"
    secret_key       = "my-secret-key"
    access_key       = "my-access-key"
  }
}
resource "scalr_provider_configuration" "oidc" {
  name                   = "oidc_dev_us_east_1"
  account_id             = "acc-xxxxxxxxxx"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    credentials_type = "oidc"
    role_arn         = "arn:aws:iam::123456789012:role/scalr-oidc-role"
    audience         = "aws.scalr-run-workload"
  }
}
resource "scalr_provider_configuration" "aws_tags" {
  name         = "aws_stage_us_east_1"
  account_id   = "acc-xxxxxxxxxx"
  environments = ["*"]
  aws {
    account_type     = "regular"
    credentials_type = "access_keys"
    secret_key       = "my-secret-key"
    access_key       = "my-access-key"
    default_tags {
      tags = {
        Environment = "Staging"
        Owner       = "QATeam"
      }
      strategy = "update"
    }
  }
}
# Use two AWS provider configurations with the same alias: one for plan phase,
# another for apply phase. When apply_only is enabled, the provider configuration
# is used only during the apply phase of the run.

# AWS provider configuration used during plan phase (default)
resource "scalr_provider_configuration" "aws_plan" {
  name                   = "aws_plan_us_east_1"
  account_id             = "acc-xxxxxxxxxx"
  export_shell_variables = false
  environments           = ["env-xxxxxxxxxx"]

  aws {
    account_type     = "regular"
    credentials_type = "access_keys"
    access_key       = "my-plan-access-key"
    secret_key       = "my-plan-secret-key"
  }
}

# AWS provider configuration used only during apply phase
resource "scalr_provider_configuration" "aws_apply" {
  name                   = "aws_apply_us_east_1"
  account_id             = "acc-xxxxxxxxxx"
  export_shell_variables = false
  environments           = ["env-xxxxxxxxxx"]
  apply_only             = true

  aws {
    account_type     = "regular"
    credentials_type = "access_keys"
    access_key       = "my-apply-access-key"
    secret_key       = "my-apply-secret-key"
  }
}

# Workspace with both provider configurations linked under the same alias
resource "scalr_workspace" "example" {
  name            = "plan-apply-aws-example"
  environment_id  = "env-xxxxxxxxxx"
  vcs_provider_id = "vcs-xxxxxxxxxx"

  vcs_repo {
    identifier = "org/repo"
    branch     = "main"
  }

  provider_configuration {
    id    = scalr_provider_configuration.aws_plan.id
    alias = "us_east_1"
  }
  provider_configuration {
    id    = scalr_provider_configuration.aws_apply.id
    alias = "us_east_1"
  }
}

For more advanced AWS usage, please refer to the official AWS module.

AzureRM provider

resource "scalr_provider_configuration" "azurerm" {
  name       = "azurerm"
  account_id = "acc-xxxxxxxxxx"
  azurerm {
    client_id       = "my-client-id"
    client_secret   = "my-client-secret"
    subscription_id = "my-subscription-id"
    tenant_id       = "my-tenant-id"
  }
}
resource "scalr_provider_configuration" "azurerm_oidc" {
  name       = "azurerm"
  account_id = "acc-xxxxxxxxxx"
  azurerm {
    auth_type       = "oidc"
    audience        = "scalr-workload-identity"
    client_id       = "my-client-id"
    tenant_id       = "my-tenant-id"
    subscription_id = "my-subscription-id"
  }
}

Google provider

resource "scalr_provider_configuration" "google" {
  name       = "google_main"
  account_id = "acc-xxxxxxxxxx"
  google {
    project     = "my-project"
    credentials = "my-credentials"
  }
}
resource "scalr_provider_configuration" "using_service_account_impersonation" {
  name       = "google_main"
  account_id = "acc-xxxxxxxxxx"
  google {
    auth_type              = "oidc"
    project                = "my-project"
    service_account_email  = "[email protected]"
    workload_provider_name = "projects/123/locations/global/workloadIdentityPools/pool-name/providers/provider-name"
  }
}

resource "scalr_provider_configuration" "using_federated_identities" {
  name       = "google_main"
  account_id = "acc-xxxxxxxxxx"
  google {
    auth_type              = "oidc"
    project                = "my-project"
    workload_provider_name = "projects/123/locations/global/workloadIdentityPools/pool-name/providers/provider-name"
  }
}

Custom providers

resource "scalr_provider_configuration" "kubernetes" {
  name       = "k8s"
  account_id = "acc-xxxxxxxxxx"
  custom {
    provider_name = "kubernetes"
    argument {
      name        = "host"
      value       = "my-host"
      description = "The hostname (in form of URI) of the Kubernetes API."
    }
    argument {
      name  = "username"
      value = "my-username"
    }
    argument {
      name      = "password"
      value     = "my-password"
      sensitive = true
    }
    argument {
      name  = "config_path"
      value = "~/.kube/config"
      hcl   = false
    }
  }
}

Elasticsearch provider

resource "scalr_provider_configuration" "elasticstack" {
  name       = "elastic"
  account_id = "acc-xxxxxxxxxx"
  custom {
    provider_name = "elasticstack"
    argument {
      name        = "endpoints"
      value       = "[\"https://elasticsearch.example.com:9200\", \"https://elasticsearch2.example.com:9200\"]"
      description = "List of Elasticsearch endpoints."
      hcl         = true
    }
    argument {
      name        = "username"
      value       = "elastic"
      description = "Username for Elasticsearch authentication."
    }
    argument {
      name        = "password"
      value       = "my-elastic-password"
      sensitive   = true
      description = "Password for Elasticsearch authentication."
    }
  }
}

Schema

Required

  • name (String) The name of the Scalr provider configuration. This field is unique for the account.

Optional

  • account_id (String) The account that owns the object, specified as an ID.
  • apply_only (Boolean) When enabled, the provider configuration will be used only during the apply phase of the run. Currently supported for AWS provider configuration only. This option can be set only at creation time.
  • aws (Block List, Max: 1) Settings for the aws provider configuration. Exactly one of the following attributes must be set: scalr, aws, google, azurerm, custom. (see below for nested schema)
  • azurerm (Block List, Max: 1) Settings for the azurerm provider configuration. Exactly one of the following attributes must be set: scalr, aws, google, azurerm, custom. (see below for nested schema)
  • custom (Block List, Max: 1) Settings for a provider that Scalr does not support as a built-in provider. Exactly one of the following attributes must be set: scalr, aws, google, azurerm, custom. (see below for nested schema)
  • environments (Set of String) The list of environment identifiers that the provider configuration is shared to. Use ["*"] to share with all environments.
  • export_shell_variables (Boolean) Export provider variables into the run environment. This option is available for built-in (Scalr, AWS, AzureRM, Google) providers only.
  • google (Block List, Max: 1) Settings for the google provider configuration. Exactly one of the following attributes must be set: scalr, aws, google, azurerm, custom. (see below for nested schema)
  • owners (Set of String) The teams that the provider configuration belongs to.
  • scalr (Block List, Max: 1) Settings for the Scalr provider configuration. Exactly one of the following attributes must be set: scalr, aws, google, azurerm, custom. (see below for nested schema)
  • tag_ids (Set of String) List of tag IDs associated with the provider configuration.

Read-Only

  • id (String) The ID of this resource.

Nested Schema for aws

Required:

  • credentials_type (String) The type of AWS credentials, available options: access_keys, role_delegation, oidc.

Optional:

  • access_key (String) AWS access key. This option is required with access_keys credentials type.
  • account_type (String) The type of AWS account, available options: regular, gov-cloud, cn-cloud.
  • audience (String) The value of the aud claim for the identity token. This option is required with oidc credentials type.
  • default_tags (Block List, Max: 1) AWS default tags settings. (see below for nested schema)
  • external_id (String) External identifier to use when assuming the role. This option is required with role_delegation credentials type and aws_account trusted entity type.
  • role_arn (String) Amazon Resource Name (ARN) of the IAM Role to assume. This option is required with the role_delegation and oidc credentials type.
  • secret_key (String, Sensitive) AWS secret key. This option is required with access_keys credentials type.
  • trusted_entity_type (String) Trusted entity type, available options: aws_account, aws_service. This option is required with role_delegation credentials type.

Nested Schema for aws.default_tags

Optional:

  • strategy (String) Behaviour on duplicate keys for default tags. Available options:
    • skip: the existing tags will not be changed
    • update: the existing tags will be replaced with the new ones
  • tags (Map of String) Default tags to be applied to all resources created by this provider configuration.

Nested Schema for azurerm

Required:

  • client_id (String) The Client ID that should be used.
  • tenant_id (String) The Tenant ID that should be used.

Optional:

  • audience (String) The value of the aud claim for the identity token. This option is required with oidc authentication type.
  • auth_type (String) Authentication type, either client-secrets (default) or oidc.
  • client_secret (String) The Client Secret that should be used, required when auth_type is client-secrets.
  • subscription_id (String) The Subscription ID that should be used. If skipped, it must be set as a shell variable in the workspace or as a part of the source configuration.

Nested Schema for custom

Required:

  • argument (Block Set, Min: 1) The provider configuration argument. Multiple instances are allowed per block. (see below for nested schema)
  • provider_name (String) The name of a Terraform provider.

Nested Schema for custom.argument

Required:

  • name (String) The name of the provider configuration argument.

Optional:

  • description (String) The description of the provider configuration argument.
  • hcl (Boolean) Set (true/false) to configure as HCL. When true, the value is treated as a string from which an arbitrary HCL type (list, map, etc.) will be extracted. Default false.
  • sensitive (Boolean) Set (true/false) to configure as sensitive. Default false.
  • value (String) The value of the provider configuration argument.

Nested Schema for google

Optional:

  • auth_type (String) Authentication type, either service-account-key (default) or oidc.
  • credentials (String, Sensitive) Service account key file in JSON format, required when auth_type is service-account-key.
  • project (String) The default project to manage resources in. If another project is specified on a resource, it will take precedence.
  • service_account_email (String) The service account email used to authenticate to GCP, required when auth_type is oidc.
  • use_default_project (Boolean) Whether the project the credential was created in is used as the default project.
  • workload_provider_name (String) The canonical name of the workload identity provider, required when auth_type is oidc.

Nested Schema for scalr

Required:

  • hostname (String) The Scalr hostname which should be used.
  • token (String, Sensitive) The Scalr token which should be used.
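The following is an added example, not part of the Scalr provider documentation or the provider's own code. It encodes the constraints listed in the schema above (exactly one provider block, the fields each AWS credentials_type and each azurerm/google auth_type requires, apply_only and export_shell_variables restrictions, the hcl flag on custom arguments) as a pre-apply check, and resolves which linked configuration serves the plan and apply phase of a workspace under the shared-alias pattern from the AWS examples. It assumes the HCL has already been parsed into plain Python dicts keyed by the attribute names on this page (for instance with python-hcl2); the sample configurations are constructed here and mirror the page's examples with placeholder IDs. Parsing an hcl=true value with the json module is a stand-in for a real HCL parser and is an assumption of this example; it accepts the list form shown in the Elasticsearch example.

```python
import json

# Added example: static checks mirroring the scalr_provider_configuration schema.
PROVIDER_BLOCKS = ("scalr", "aws", "google", "azurerm", "custom")

# Required aws fields per credentials_type, from the nested aws schema.
AWS_REQUIRED = {
    "access_keys": ("access_key", "secret_key"),
    "role_delegation": ("role_arn", "trusted_entity_type"),
    "oidc": ("role_arn", "audience"),
}


def _require(body, prefix, fields, problems, reason=""):
    for field in fields:
        if field not in body:
            problems.append(f"{prefix}.{field} is required{reason}")


def validate(cfg):
    """Return a list of schema problems for one parsed provider configuration."""
    problems = []
    if not cfg.get("name"):
        problems.append("name is required")
    present = [b for b in PROVIDER_BLOCKS if b in cfg]
    if len(present) != 1:
        problems.append(f"exactly one of {PROVIDER_BLOCKS} must be set, found {present}")
        return problems
    block, body = present[0], cfg[present[0]]
    if cfg.get("apply_only") and block != "aws":
        problems.append("apply_only is supported for aws provider configurations only")
    if cfg.get("export_shell_variables") and block == "custom":
        problems.append("export_shell_variables is available for built-in providers only")
    if block == "scalr":
        _require(body, "scalr", ("hostname", "token"), problems)
    elif block == "aws":
        ctype = body.get("credentials_type")
        if ctype not in AWS_REQUIRED:
            problems.append(f"aws.credentials_type must be one of {list(AWS_REQUIRED)}")
        else:
            _require(body, "aws", AWS_REQUIRED[ctype], problems, f" with credentials_type={ctype}")
            if ctype == "role_delegation" and body.get("trusted_entity_type") == "aws_account":
                _require(body, "aws", ("external_id",), problems, " with trusted_entity_type=aws_account")
    elif block == "azurerm":
        _require(body, "azurerm", ("client_id", "tenant_id"), problems)
        auth = body.get("auth_type", "client-secrets")
        if auth == "client-secrets":
            _require(body, "azurerm", ("client_secret",), problems, " with auth_type=client-secrets")
        elif auth == "oidc":
            _require(body, "azurerm", ("audience",), problems, " with auth_type=oidc")
        else:
            problems.append("azurerm.auth_type must be client-secrets or oidc")
    elif block == "google":
        auth = body.get("auth_type", "service-account-key")
        if auth == "service-account-key":
            _require(body, "google", ("credentials",), problems, " with auth_type=service-account-key")
        elif auth == "oidc":
            _require(body, "google", ("workload_provider_name",), problems, " with auth_type=oidc")
        else:
            problems.append("google.auth_type must be service-account-key or oidc")
    elif block == "custom":
        _require(body, "custom", ("provider_name",), problems)
        args = body.get("argument") or []
        if not args:
            problems.append("custom.argument needs at least one block")
        for arg in args:
            if "name" not in arg:
                problems.append("custom.argument.name is required")
                continue
            if arg.get("hcl") and "value" in arg:
                # Assumption: a JSON-style list/map literal stands in for real HCL parsing.
                try:
                    parsed = json.loads(arg["value"])
                except ValueError:
                    parsed = None
                if not isinstance(parsed, (list, dict)):
                    problems.append(f"custom.argument {arg['name']!r}: hcl=true but value is not a list/map literal")
    return problems


def phase_configs(links, configs):
    """Resolve alias -> {"plan": name, "apply": name} for a workspace's links.

    A configuration without apply_only serves plan (and apply, unless an
    apply_only configuration is linked under the same alias).
    """
    result = {}
    for link in links:
        cfg, phases = configs[link["id"]], result.setdefault(link["alias"], {})
        if cfg.get("apply_only"):
            phases["apply"] = cfg["name"]
        else:
            phases["plan"] = cfg["name"]
            phases.setdefault("apply", cfg["name"])
    return result


# Constructed sample data mirroring the page's examples (placeholder IDs and secrets).
AWS_PLAN = {"name": "aws_plan_us_east_1", "environments": ["env-xxxxxxxxxx"],
            "aws": {"account_type": "regular", "credentials_type": "access_keys",
                    "access_key": "my-plan-access-key", "secret_key": "my-plan-secret-key"}}
AWS_APPLY = dict(AWS_PLAN, name="aws_apply_us_east_1", apply_only=True)
ELASTIC = {"name": "elastic", "custom": {"provider_name": "elasticstack", "argument": [
    {"name": "endpoints", "hcl": True,
     "value": '["https://elasticsearch.example.com:9200", "https://elasticsearch2.example.com:9200"]'},
    {"name": "password", "value": "my-elastic-password", "sensitive": True}]}}
LINKS = [{"id": "pcfg-plan", "alias": "us_east_1"}, {"id": "pcfg-apply", "alias": "us_east_1"}]
CONFIGS = {"pcfg-plan": AWS_PLAN, "pcfg-apply": AWS_APPLY}
```

Running `validate` over every parsed `scalr_provider_configuration` before `terraform apply` surfaces a missing `audience` or `external_id` as a plain message instead of a failed run, and `phase_configs` makes the plan/apply split for a shared alias visible when reviewing which credentials a workspace will use in each phase.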

Import

Import is supported using the following syntax:

terraform import scalr_provider_configuration.example pcfg-xxxxxxxxxx