feat/global-provider-configurations-terraform-dynamic-variables-secure (

#4) * refactor: Update global provider configurations for consistency and security Centralize global Terraform provider configurations for Cloudflare and AWS to ensure consistency across all Terragrunt child configurations. Enhance security by securely sourcing sensitive information from environment variables. This approach enables dynamic, environment-specific configurations while promoting best practices in security and infrastructure code management. * feat: Add explanation about provider inheritance in README.md
Excoriate · Apr 14, 2024 · b2f2ac1 · b2f2ac1
1 parent 1ba61e7
commit b2f2ac1
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 40 deletions.
diff --git a/infra/terraform/live/_providers/README.md b/infra/terraform/live/_providers/README.md
@@ -69,3 +69,6 @@ generate "providers" {
   contents  = join("\n", local.providers_cfg.locals.providers_content)
 }
 ```
+This configuration is then utilized in the terragrunt.hcl file to ensure that each child configuration inherits the provider settings, maintaining consistency across all deployments.
+
+It's important to notice that if the provider is defined in this layer (**global**), it's going to be inherited by all the child modules. If you want to **specify a provider that is LOCAL** to a specific module, you should define it in the file `providers.hcl` file of that module, which has exactly the same structure.
diff --git a/infra/terraform/live/_providers/config.hcl b/infra/terraform/live/_providers/config.hcl
@@ -1,56 +1,56 @@
 locals {
   # ---------------------------------------------------------------------------------------------------------------------
-  # PROVIDER CONFIGURATIONS
-  # This section centralizes the configuration of Terraform providers, such as Cloudflare and AWS, using Terraform's
-  # heredoc syntax for inline definition. This approach allows for dynamic, environment-specific configuration of
-  # providers through environment variables, enhancing the flexibility and security of provider setups. Direct use of
-  # heredoc syntax within the Terragrunt configuration eliminates the need for external template files, streamlining
-  # the codebase and simplifying the management of provider configurations.
+  # GLOBAL PROVIDER CONFIGURATIONS
+  # This section outlines the centralized configuration for Terraform providers such as Cloudflare and AWS,
+  # applicable across all Terragrunt child configurations in the project. Using Terraform's heredoc syntax,
+  # we define providers' settings inline, promoting dynamic, environment-specific configurations through
+  # environment variables for enhanced flexibility and security.
   #
-  # Each provider configuration includes:
-  # - `enabled`: A flag (sourced from an environment variable) indicating whether the provider should be configured.
-  #              This allows for conditional inclusion of providers based on the deployment context or environment.
-  # - `content`: The Terraform configuration for the provider, including authentication details and any other
-  #              provider-specific settings. Sensitive information, such as API keys, is securely sourced from
-  #              environment variables.
+  # This configuration is pivotal as it merges with 'providers.tf' settings generated in all child configurations,
+  # ensuring consistency and minimizing redundancy across the codebase. Sensitive information like API keys
+  # is securely sourced from environment variables, adhering to best practices in security and configuration management.
   #
-  # This modular and dynamic approach to configuring providers supports best practices in security and infrastructure
-  # code management, enabling selective provider use and environment-specific configurations without altering the
-  # core codebase.
+  # Key details include:
+  # - `enabled`: A boolean, sourced from environment variables, controls whether the provider is active.
+  # - `content`: Contains the Terraform code for setting up the provider, emphasizing secure practices by pulling
+  #              sensitive credentials from environment settings.
+  #
+  # The approach allows for selective activation of providers per environment without altering core code,
+  # thus supporting a modular, secure, and maintainable infrastructure codebase.
   # ---------------------------------------------------------------------------------------------------------------------
   providers = {
-    cloudflare = {
-      enabled = get_env("TG_PROVIDER_CLOUDFLARE_ENABLED", false)
-      content = <<EOF
-provider "cloudflare" {
-  email   = "${get_env("CLOUDFLARE_EMAIL", "")}"
-  api_key = "${get_env("CLOUDFLARE_API_KEY", "")}"
-}
-EOF
-    },
-    random = {
-      enabled = get_env("TG_PROVIDER_RANDOM_ENABLED", true)
-      content = <<EOF
-provider "random" {}
-EOF
-    },
-    aws = {
-      enabled = get_env("TG_PROVIDER_AWS_ENABLED", false)
-      config  = null
-      content = <<EOF
-# AWS provider configuration can be defined here if necessary.
-# Currently disabled and thus, no configuration provided.
-EOF
-    }
+    # Example for Cloudflare, uncomment and modify as necessary
+    # cloudflare = {
+    #   enabled = get_env("TG_PROVIDER_CLOUDFLARE_ENABLED", true)
+    #   content = <<EOF
+    # provider "cloudflare" {
+    #   email   = "${get_env("CLOUDFLARE_EMAIL", "email@example.com")}"
+    #   api_key = "${get_env("CLOUDFLARE_API_KEY", "your_cloudflare_api_key")}"
+    # }
+    # EOF
+    # },
+    # Example for AWS, with conditional enablement
+    # aws = {
+    #   enabled = get_env("TG_PROVIDER_AWS_ENABLED", false)
+    #   content = <<EOF
+    # provider "aws" {
+    #   region = "us-west-2"
+    #   access_key = "${get_env("AWS_ACCESS_KEY")}"
+    #   secret_key = "${get_env("AWS_SECRET_KEY")}"
+    # }
+    # EOF
+    # },
     # Additional providers can be added here following the same pattern.
   }
 
   # ---------------------------------------------------------------------------------------------------------------------
   # PROVIDERS CONTENT
-  # Generate the providers' configuration content only for enabled providers.
+  # Aggregates provider configurations into a cohesive block only for those that are enabled, to be injected into
+  # the respective 'providers.tf' files across all child configurations. This ensures that all Terragrunt modules
+  # have access to a consistent set of provider settings, potentially overridden by local definitions if specified.
   # ---------------------------------------------------------------------------------------------------------------------
   providers_content = [
     for provider, details in local.providers : details.content
-    if details.enabled
+    if details.enabled && details.content != null
   ]
 }