mirror of
https://github.com/status-im/consul.git
synced 2025-01-10 13:55:55 +00:00
c8d0301dd5
* docs/nia: new configuration for services condition & source_input (#11646) * docs/nia: new configuration for services condition * docs/nia: new configuration for services source_input * reword filter and cts_user_defined_meta Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update service block config to table format Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Remove deprecated driver.working_dir (#11831) * Deprecate workspace_prefix for now workspaces.prefix (#11836) * docs/nia: new config field names for services condition/source_input (#11896) * docs/nia: new config field `names` for services condition/source_input * Remove language about 'default condition' and services condition relation to services list Context: - Added a new `names` field to condition/source_input "services" - `names` or `regexp` must be configured for condition/source_input "services" This therefore: - Removed relationship between condition/source_input "services" and task.services list - Removed concept of "default condition" i.e. condition "services" must be configured with `names` or `regexp`, there is no meaningful unconfigured default Change: remove language regarding "default condition" and relationship with services list * docs/nia: Update paramters to table format Changes from a bulleted list to a table. Also adds the possible response codes and fixes the update example response to include the inspect object. * docs/nia: Delete task API and CLI * docs/nia: Update wording for run values Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com> * docs/nia: require condition "catalog-services" block's regexp to be configured (#11915) Changes: - Update Catalog Services Condition configuration docs to new table format - Rewrite `regexp` field docs to be required, no longer optional - Remove details about `regexp` field's original default behavior when the field was optional * docs/nia: Update status API docs to table format * Cleaner wording for response descriptions Co-authored-by: mrspanishviking <kcardenas@hashicorp.com> * docs/nia - 'source_includes_var' changes (#11939) * docs/nia - condition "services" new field source_includes_var - Add new configuration details for condition "services" block's `source_includes_var` field. - Note: this field's description is worded differently from condition type's `source_includes_var` since a services variable is always required (unlike other vars) for CTS modules. - Also worded in a way to anticipate renaming to `use_as_module_input` * docs/nia - change 'source_includes_var' default value from false to true - Update configs - Table-ify Consul-KV condition (reuse wording from Consul-KV source input) * docs/nia - reword task execution page for source_includes_var changes - Note: switched to using "module input" language over "source input" language. Separate PR will make a mass change across docs - Slim down general task condition section to have fewer details on module input - Updated services, catalog-services, and consul-kv condition sections for source_includes_var - Add config page links for details * Improve CTS acronym usage - Use Consul-Terraform-Sync at the first instance with CTS in brackets - Consul-Terraform-Sync (CTS) and then CTS for all following instances on a per-page basis. - some exceptions: left usage of the term `Consul-Terraform-Sync` in config examples and where it made sense for hyperlinking * Improve CTS acronym usage (part 2) (#11991) Per page: - At first instance in text, use "Consul-Terraform-Sync (CTS)" - Subsequent instances in text, use "CTS" * Update schedule condition config to table format * Update config tables with type column * docs/nia: Update required fields values Standardizing Required/Optional over boolean values. * docs/nia: Standardize order of columns Updated Required to come before Type, which is how the configurations are formatted. Also changed the empty strings to "none" for default values. * Deprecate port CLI option for CTS and updated example usage * docs/nia cts multiple source input configuration updates (#12158) * docs/nia cts multiple source input configuration updates CTS expanded its usage of `source_input` block configurations and added some restrictions. This change accounts for the following changes: - `source_input` block can be configured for a task. No longer restricting to scheduled task - Multiple `source_input` blocks can be configured for a task. No longer restricting to one - Task cannot have multiple configurations defining the same variable type Future work: We're planning to do some renaming from "source" to "module" for v0.5. These changes are made in the code and not yet in the docs. These will be taken care of across our docs in a separate PR. Perpetuating "source" in this PR to reduce confusion. * Apply suggestions from code review Co-authored-by: mrspanishviking <kcardenas@hashicorp.com> * Apply suggestions from code review Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * code review feedback Co-authored-by: mrspanishviking <kcardenas@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Add "Consul object" glossary entry Changes: - Add "Consul object" to CTS glossary - Format glossary terms so that they can be linked - Add link to "Consul object" glossary entry * Reorganize source_input limitations section Co-authored-by: findkim <6362111+findkim@users.noreply.github.com> Co-authored-by: mrspanishviking <kcardenas@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> Co-authored-by: findkim <6362111+findkim@users.noreply.github.com> * docs/nia: overview of config streamlining deprecations (#12193) * docs/nia: overview of config streamlining deprecations * Update config snippets to use CodeTabs * Apply code review feedback suggestions Co-authored-by: mrspanishviking <kcardenas@hashicorp.com> * Apply suggestions from code review Co-authored-by: mrspanishviking <kcardenas@hashicorp.com> * Clarify source table language * Add use_as_module_input callout Co-authored-by: mrspanishviking <kcardenas@hashicorp.com> * docs/nia: deprecate "services" field and "service" block (#12234) * Deprecate `services` field Did a search on "`services`", "`task.services`", "services list", and "services field" Changes: - In config docs, mark `services` field as deprecated and `condition` block as required. - For necessary references to `services` field, mark with "(deprecated)" e.g. when listing all options for source input - Remove unnecessary references to `services` field from docs e.g. any docs encouraging use of `services` - Replace `services` field with `condition` / `module_input` "services" in config snippets and explanations * Deprecate `service` block Did a search for "service block", "`service`", and "service {" Changes: - In config docs, mark `service` block as deprecated - For necessary references to `service` block, mark with "(deprecated)" - Remove unnecessary references to `service` block from docs * Fix service block typos in config snippet service block is singular and not plural * docs/nia: deprecate "source includes var" and "source input" (#12244) * Deprecate `source_includes_var` field Did a search for "source_includes_var" and an audit of "include" Changes - In config docs, mark `source_includes_var` field as deprecated - In config docs, add new field for `use_as_module_input` - For necessary references to `source_includes_var`, mark with "(deprecated)" - Audit and update "include" language * Deprecate `source_input` field and language Did a search and replace for "source_input", "source-input", "source input" Changes: - In config docs, mark `source_input` field as deprecated - In config docs, add new entry for `module_input` - For necessary references to `source_input`, mark with "(deprecated)" - Remove or replace "source*input" with "module*input" Note: added an anchor link alias e.g. `# Module Input ((#source-input))` for headers that were renamed from "Source Input" so that bookmarked links won't break * Update config streamlining release removal version to 0.8 * remove duplicate bullet * docs/nia: deprecate `source` (#12245) * Update "source" field in config snippets to "module" * Deprecate task config `source` field Did a search and replace for "source" and "src" Changes: - In config docs, mark `source` field as deprecated - In config docs, add new entry for `module` - Remove or replace "source" with "module" * Deprecate Status API Event `source` field Changes: - Mark `source` field as deprecated - Add new entry for `module` * docs/nia - Get Task API docs & Task Status API deprecations (#12303) * docs/nia - Get Task API Added a Task Object section intended to be shared with the Create Task API * docs/nia - Deprecate non-status fields from Task Status API Deprecate the fields that Get Task API replaces * docs/nia - Align API docs on `:task_name` request resource Followed a convention found in Nomad docs * docs/nia - misc fixes Context for some: - remove "" from license_path for consistency - do not specify the default value when empty string - remove "optional" language from task condition. we want to move towards it being required * docs/nia - add new columns to API Task Object * Added Create Task API documentation * Added create task CLI documentation * addressed code review comments * fixed example * docs/nia: Update task delete with async behavior CTS delete task command is now asynchronous, so updating docs to reflect this new behavior. * update create task CLI with new changes from code * update create task api and cli - update curl command to include the json header - update example task names to use 'task_a' to conform with other examples * docs/nia: Fix hyphens in CTS CLI output * docs/nia: Add auto-approve option in CLI * docs/nia: Clarify infrastructure is not destroyed on task deletion Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> Co-authored-by: Kim Ngo <6362111+findkim@users.noreply.github.com> Co-authored-by: Melissa Kam <mkam@hashicorp.com> Co-authored-by: Melissa Kam <3768460+mkam@users.noreply.github.com> Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com> Co-authored-by: mrspanishviking <kcardenas@hashicorp.com> Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com> Co-authored-by: AJ Jwair <aj.jwair@hashicorp.com>
139 lines
12 KiB
Plaintext
139 lines
12 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Terraform Cloud Driver
|
|
description: >-
|
|
Consul-Terraform-Sync Network Drivers with Terraform Cloud
|
|
---
|
|
|
|
# Terraform Cloud Driver
|
|
<EnterpriseAlert>
|
|
This feature requires{' '}
|
|
<a href="https://www.hashicorp.com/products/consul/features">Consul-Terraform-Sync Enterprise</a>{' '}
|
|
which is available with <strong>Consul Enterprise</strong>.
|
|
</EnterpriseAlert>
|
|
|
|
Consul-Terraform-Sync (CTS) is more powerful when you integrate it with [Terraform Cloud](https://www.terraform.io/cloud). Integrating with Terraform Cloud provides features, such as enhanced workspaces and insight into Terraform operations as CTS dynamically updates your network infrastructure. CTS is compatible with both the [self-hosted](https://www.hashicorp.com/products/terraform/editions/enterprise) and [managed service](https://www.hashicorp.com/products/terraform/editions/cloud) versions of Terraform Cloud. It also supports all [tiers](https://www.hashicorp.com/products/terraform/pricing) of the Terraform Cloud managed service.
|
|
|
|
This page describes how the Terraform Cloud driver operates within CTS.
|
|
|
|
## Terraform Workspace Automation
|
|
|
|
CTS manages Terraform runs following the [API-driven run workflow](https://www.terraform.io/docs/cloud/run/api.html) for workspaces in Terraform Cloud.
|
|
|
|
On startup, CTS:
|
|
1. Creates or discovers Terraform Cloud workspaces corresponding to the configured tasks.
|
|
2. Prepares the local environment and generates Terraform configuration files that make up the root module for each task.
|
|
3. Packages the generated files and uploads them as a configuration version for the task's workspace on Terraform Cloud.
|
|
|
|
Once all workspaces are set up, CTS monitors the Consul catalog for service changes. When relevant changes are detected, the Terraform Cloud driver dynamically updates input variables for that task directly as [workspace variables](https://www.terraform.io/docs/cloud/workspaces/variables.html) using the Terraform Cloud API. The driver then queues a run on the workspace, with auto-apply enabled, to update your network infrastructure.
|
|
|
|
~> **Note:** Although workspaces for tasks are executed in isolated environments, this does not guarantee the infrastructure changes from concurrent task executions are independent. Ensure that modules across all tasks are not modifying the same resource objects or have overlapping changes that may result in race conditions during automation.
|
|
|
|
## Remote Workspaces
|
|
|
|
CTS will discover or create a new workspaces based on your configured tasks. The task configuration options for `name`, `description`, and `terraform_version` are used to set the workspace name, description, and Terraform version.
|
|
|
|
[![CTS Workspace Overview](/img/nia/cts-tfc-workspace.png)](/img/nia/cts-tfc-workspace.png)
|
|
|
|
Workspace automation requirements for CTS are in place to avoid overriding other workspaces unintentionally.
|
|
* Must be set to remote execution mode
|
|
* Cannot be connected to a VCS
|
|
* Cannot have an existing configuration version uploaded by another application
|
|
* Must satisfy workspace [tag requirements](/docs/nia/configuration#tags_allowlist) and [tag restrictions](/docs/nia/configuration#tags_denylist) set by the CTS operator
|
|
|
|
Workspaces created by CTS will be configured with the following settings:
|
|
|
|
| Setting | Value |
|
|
| ------- | ----- |
|
|
| Workspace name | CTS task name |
|
|
| Description | CTS task description |
|
|
| Execution mode | Remote |
|
|
| Apply method | Auto apply |
|
|
| Terraform Version | [`task.terraform_version`](/docs/nia/configuration#terraform_version) or the latest [Terraform version compatible with CTS](/docs/nia/compatibility#terraform) available for the organization. |
|
|
| Tags | `source:cts` and [additional tags](/docs/nia/configuration#tags) set by the CTS operator |
|
|
|
|
Other workspace settings can be pre-configured or updated, such as setting the workspace to [manual apply](#manual-apply) or adding a [run notification](https://www.terraform.io/docs/cloud/workspaces/notifications.html) to send messages to a Slack channel when CTS updates your network infrastructure.
|
|
|
|
### Manual Apply
|
|
|
|
CTS can automate remote workspaces with either auto apply or manual apply configured. Having CTS manage workspaces with manual apply is useful to add an approval stage to CTS automation. Operators can manually inspect and approve or discard runs that CTS had queued based on the task run condition.
|
|
|
|
When CTS detects new changes for a workspace that already has a run pending on approval, CTS will discard the stale run and queue a new run with the latest values. The new run will go through plan and then again wait on an operator to approve it. Only once the run is approved will the infrastructure be updated with the latest Consul changes.
|
|
|
|
There are two approaches to setup manual apply for a workspace managed by CTS based on how the workspace is created.
|
|
* For CTS created workspaces, update the apply method from auto to manual via the Terraform Cloud web application or API.
|
|
* For pre-configured workspaces, create the workspace prior to CTS task automation via the Terraform Cloud web application or API.
|
|
1. Create a workspace with the same name as the desired task.
|
|
1. Set the workspace to [API-driven run workflow](https://www.terraform.io/docs/cloud/run/api.html) and the execution mode to remote.
|
|
1. Ensure that the apply method for the workspace is set to manual apply.
|
|
1. Configure the task for the workspace and run CTS.
|
|
|
|
-> **Tip**: Setup [run notifications](https://www.terraform.io/docs/cloud/workspaces/notifications.html#creating-a-notification-configuration) for workspaces with manual apply to not miss automated runs by CTS. Look into setting the [buffer period](/docs/nia/configuration#buffer_period-1) or a [schedule condition](/docs/nia/configuration#schedule-condition) to group changes together and reduce runs requiring approval.
|
|
|
|
## Configuration Version
|
|
|
|
An example configuration version for a task named "cts-example" would have the folder structure below when running with the Terraform Cloud driver and using the default working directory.
|
|
|
|
```shell-session
|
|
$ tree sync-tasks/
|
|
|
|
sync-tasks/
|
|
└── cts-example/
|
|
├── main.tf
|
|
└── variables.tf
|
|
```
|
|
|
|
- `main.tf` - The main file contains the terraform block, provider blocks, and a module block calling the module configured for the task.
|
|
- `terraform` block - The corresponding provider source and versions for the task from the configuration files are placed into this block for the root module.
|
|
- `provider` blocks - The provider blocks generated in the root module resemble the `terraform_provider` blocks from the configuration for CTS. They have identical arguments present and are set from the intermediate variable created per provider.
|
|
- `module` block - The module block is where the task's module is called as a [child module](https://www.terraform.io/docs/configuration/modules.html#calling-a-child-module). The child module contains the core logic for automation. Required and optional input variables are passed as arguments to the module.
|
|
- `variables.tf` - This file contains three types of variable declarations:
|
|
- `services` input variable (required) determines module compatibility with Consul-Terraform Sync (read more on [compatible Terraform modules](/docs/nia/terraform-modules) for more details).
|
|
- Any additional [optional input variables](/docs/nia/terraform-modules#optional-input-variables) provided by CTS that the module may use.
|
|
- Various intermediate variables used to configure providers. Intermediate provider variables are interpolated from the provider blocks and arguments configured in the CTS configuration.
|
|
- `variables.module.tf` - This file is created if there are [variables configured for the task](/docs/nia/configuration#variable_files) and contains the interpolated variable declarations that match the variables from configuration. These are then used to proxy the configured variables to the module through explicit assignment in the module block.
|
|
|
|
## Variables
|
|
|
|
CTS uses Terraform input variables to reflect the latest Consul service information. They are used as parameters for your Terraform module. Input variables are dynamic and are updated by the driver throughout the runtime of CTS.
|
|
|
|
You can view the latest service information in the Terraform UI by navigating to that workspace and clicking the "Variables" tab in the workspace navigation.
|
|
|
|
[![CTS Workspace Variables](/img/nia/cts-tfc-workspace-variables.png)](/img/nia/cts-tfc-workspace-variables.png)
|
|
|
|
~> **Caution:** Dynamic variables maintained by CTS are formatted for automation. Unexpected manual changes to these variables may result in automation errors.
|
|
|
|
## Setting Up Terraform Cloud Driver
|
|
|
|
### Deployment
|
|
|
|
Because a CTS instance can only be configured with one driver, an instance can only be associated with either a Terraform driver or a Terraform Cloud driver. If there is a need to run both types of drivers, users will need to deploy a separate CTS instance for each type of driver. Relatedly, if there is a need to run CTS across multiple Terraform Cloud organizations, users will need to deploy a separate instance for each organization.
|
|
|
|
### Required Setup
|
|
|
|
This section captures requirements for setting up CTS to integrate with your [Terraform Cloud](https://www.hashicorp.com/cloud) solution.
|
|
|
|
1. Hostname of your Terraform Cloud, self-hosted distribution
|
|
1. Name of your organization
|
|
1. [Team API token](https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html#team-api-tokens) used for authentication with Terraform Cloud
|
|
|
|
Prior to running CTS with a Terraform Cloud driver, you will need an account and organization set up, as well as a dedicated token. We recommend using a team token that is restricted to [Manage Workspaces](https://www.terraform.io/docs/cloud/users-teams-organizations/teams.html#managing-workspace-access)-level permissions. Below are the steps for the recommended setup.
|
|
|
|
The first step is to create an account with your Terraform Cloud service. After creating an account, create a new [organization](https://www.terraform.io/docs/cloud/users-teams-organizations/organizations.html#creating-organizations) or select an existing organization. The address of your Terraform Cloud service will be used to configure the [`hostname`](/docs/nia/configuration#hostname), and the organization name will be used to configure the [`organization`](/docs/nia/configuration#organization) on the Terraform Cloud driver.
|
|
|
|
Once you have an account and organization, the next step is to [create a team](https://www.terraform.io/docs/cloud/users-teams-organizations/teams.html). We recommend using a dedicated team and team token to run and authenticate CTS. Using a team token has the benefits of restricting organization permissions as well as associating CTS automated actions with the team rather than an individual.
|
|
|
|
After creating a dedicated team, update the team's permissions with "Manage Workspaces" organization access-level. CTS's main work revolves around creating and managing workspaces. Therefore restricting the dedicated team's permission to Manage Workspaces level is sufficient and reduces security risk.
|
|
|
|
[![CTS Terraform Team Setup](/img/nia/cts-tfc-team-setup.png)](/img/nia/cts-tfc-team-setup.png)
|
|
|
|
After setting the team's permissions, the final setup step is to [generate the associated team token](https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html#team-api-tokens), which can be done on the same team management page. This token will be used by CTS for API authentication and will be used to configure the [`token`](/docs/nia/configuration#token-1) on the Terraform Cloud driver.
|
|
|
|
### Recommendations
|
|
|
|
We recommend configuring workspaces managed by CTS with [run notifications](https://www.terraform.io/docs/cloud/workspaces/notifications.html) through the Terraform web application. Run notifications notify external systems about the progress of runs and could help notify users of CTS events, particularly errored runs.
|
|
|
|
[![CTS Terraform Cloud Run Notifications](/img/nia/cts-tfc-run-notifications.png)](/img/nia/cts-tfc-run-notifications.png)
|
|
|
|
In order to configure a run notification, users can [manually create a notification configuration](https://www.terraform.io/docs/cloud/workspaces/notifications.html#creating-a-notification-configuration) for workspaces automated by CTS. A workspace may already exist for a task if the workspace name is identical to the configured task's [`name`](/docs/nia/configuration#name-2). This may occur if CTS has already already run and created the workspace for the task. This may also occur if the workspace is manually created for the task prior to CTS running.
|