An application for performing Terraform operations on targeted git repositories.
Terraform Repo executor takes input from a corresponding Qontract Reconcile integration and uses that input to manage the lifecycle of a repository of raw HCL/Terraform definitions through App Interface.
Configuration
Environment Variables
Required
VAULT_ADDR - HTTP address of the Vault instance to read secrets from and write secrets to
delete: boolean - if true, the application will execute the Terraform action with the destroy flag set
require_fips: boolean - if true, the executor will validate the generated plan to ensure that AWS is using FIPS endpoints
bucket: string - optional S3 bucket name to store Terraform state in. If not specified, the executor will try to extract this from the aws_creds Vault secret
bucket_path: string - optional path within the bucket under which to store specific Terraform state files
region: string - optional AWS region in which the bucket is located
tf_version: string - required, determines which Terraform binary to run, full enumeration in schemas
aws_creds: AWSCreds - reference to a Vault secret including credentials for accessing the S3 state backend for Terraform. Attributes defined below:
path: string - path to the secret in Vault. For KV v2, do not include the hidden data path segment
version: integer - for the KV v2 engine, defines which version of the secret to read; ignored for KV v1 engines, as they have no concept of secret versioning
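
One way a require_fips check over a generated plan could look, shown as an added example and not the executor's own code. It assumes the plan has been rendered with terraform show -json and that FIPS use is expressed through the AWS provider's use_fips_endpoint argument; the function names and the sample plan are constructed for illustration.

```python
import json

# Constructed sample: trimmed output of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "configuration": {
    "provider_config": {
      "aws": {
        "name": "aws",
        "expressions": {
          "region": {"constant_value": "us-east-1"},
          "use_fips_endpoint": {"constant_value": true}
        }
      },
      "aws.west": {
        "name": "aws",
        "alias": "west",
        "expressions": {"region": {"constant_value": "us-west-2"}}
      },
      "random": {"name": "random"}
    }
  }
}
""")


def non_fips_aws_providers(plan: dict) -> list[str]:
    """Return keys of AWS provider blocks that do not pin use_fips_endpoint=true."""
    failures = []
    providers = plan.get("configuration", {}).get("provider_config", {})
    for key, cfg in sorted(providers.items()):
        if cfg.get("name") != "aws":
            continue  # only AWS provider blocks are in scope
        expr = cfg.get("expressions", {}).get("use_fips_endpoint", {})
        # Only a literal true passes: a missing argument defaults to non-FIPS,
        # and a variable reference ("references") cannot be proven from config.
        if expr.get("constant_value") is not True:
            failures.append(key)
    return failures


def plan_is_fips_compliant(plan: dict) -> bool:
    """Assumed policy: fail closed when the plan has no AWS provider block."""
    providers = plan.get("configuration", {}).get("provider_config", {})
    has_aws = any(c.get("name") == "aws" for c in providers.values())
    return has_aws and not non_fips_aws_providers(plan)
```

Aliased provider blocks are checked separately because each alias carries its own endpoint settings; in the sample, the aws.west alias is the one that fails.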