Provider Configurations

Provider configurations are our next-gen version of credential management for Terraform providers and will eventually replace provider credentials. They are only available in the new UI or through the API/provider; the UI can be accessed by going to https://<account>.scalr.io/app2. Here are a few key points to keep in mind when creating and managing provider configurations:

  • More than one configuration of the same type can be added to an environment.

  • More than one configuration of the same type can be added to a workspace and referenced in the Terraform run by an alias.

  • If the configuration is not set at the workspace level, then a provider configuration must be set as a default for an environment.

  • If a configuration is set as the default for an environment, all workspaces will inherit that configuration as needed.

  • Provider configurations are linked to environments in the provider configuration object; the default for an environment is set within the environment object.

  • Provider configurations cannot be deleted if they are linked to objects in use.

Overview

When a provider configuration is created, a link must be made to one or more environments.

_images/provider_config1.png

The flow goes as follows:

  • A provider configuration manages the relationship between the configuration and environment(s).

  • An environment can have an optional default configuration for each provider type which will push that configuration to all workspaces.

  • Workspaces can also have a provider configuration defined within the workspace scope, which would take precedence over all other assignments.

For example, this AWS role is being shared with ALL environments:

UI example:

_images/provider_config2.png

Provider example:

resource "scalr_provider_configuration" "aws" {
  name                   = "docs"
  account_id             = "acc-sscctbisjkl1234"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type         = "regular"
    credentials_type     = "role_delegation"
    trusted_entity_type  = "aws_service"
    role_arn             = "arn:aws:iam::670025224396:role/service_agent"
  }
}

When creating an environment, a default credential may be needed. In that case, it must be defined within the environment:

UI example:

_images/provider_config3.png

Provider example:

resource "scalr_environment" "this" {
  name = "agent_service_trust2"
  account_id = "acc-sscctbisjkl1234"
  default_provider_configurations = [scalr_provider_configuration.aws.id]
}

Credentials can also be assigned within the workspace scope:

resource "scalr_workspace" "this" {
  name        = "this"
  environment = "env-id"

  provider_configuration {
    id    = scalr_provider_configuration.aws.id
    alias = "vp1"
  }
}

If more than one configuration of the same type is assigned to a workspace, specifying an alias will pass the correct configuration during the run.
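
The precedence rules described above, modelled as an added Python example (not Scalr's code or API). The class names, the `resolve` function, the sample IDs, and the rule that a configuration is usable only in an environment it is linked to are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ProviderConfig:
    id: str
    type: str           # provider type, e.g. "aws"
    environments: list  # linked environment ids, or ["*"] for all environments

    def linked_to(self, env_id):
        return "*" in self.environments or env_id in self.environments

@dataclass
class Workspace:
    env_id: str
    env_defaults: list = field(default_factory=list)  # environment's default config ids
    assigned: dict = field(default_factory=dict)      # workspace scope: alias (or None) -> config id

def resolve(ws, configs, provider_type, alias=None):
    """Return the id of the configuration a run would receive under the modelled rules."""
    by_id = {c.id: c for c in configs}
    # Workspace-scope assignments take precedence over all other assignments.
    scoped = {a: by_id[i] for a, i in ws.assigned.items() if by_id[i].type == provider_type}
    if scoped:
        if alias not in scoped:
            raise LookupError(f"no {provider_type} configuration with alias {alias!r}")
        chosen = scoped[alias]
    else:
        # Nothing at workspace scope: inherit the environment default for this type.
        defaults = [by_id[i] for i in ws.env_defaults if by_id[i].type == provider_type]
        if not defaults:
            raise LookupError(f"no {provider_type} configuration set for workspace or environment")
        chosen = defaults[0]
    # Assumption: a configuration can only be used in an environment it is linked to.
    if not chosen.linked_to(ws.env_id):
        raise PermissionError(f"{chosen.id} is not linked to {ws.env_id}")
    return chosen.id

# Constructed sample data (ids are made up for this example).
CONFIGS = [ProviderConfig("pcfg-shared", "aws", ["*"]),
           ProviderConfig("pcfg-prod", "aws", ["env-prod"])]
inherits = Workspace("env-dev", env_defaults=["pcfg-shared"])
override = Workspace("env-prod", env_defaults=["pcfg-shared"],
                     assigned={"config1": "pcfg-shared", "config2": "pcfg-prod"})
misplaced = Workspace("env-dev", assigned={None: "pcfg-prod"})

if __name__ == "__main__":
    print(resolve(inherits, CONFIGS, "aws"))             # environment default is inherited
    print(resolve(override, CONFIGS, "aws", "config2"))  # workspace scope wins, chosen by alias
```

Resolving `misplaced` raises `PermissionError`, which is the case worth checking when a role is linked to specific environments instead of `"*"`.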

Configuration Types

Scalr has support for all major Terraform providers while also allowing the usage of other providers through the custom provider option. Please click on the provider type below for more details on usage.

Examples

Workspaces with Multiple Configs

First, define that two provider configurations will be needed by the workspace.

resource "scalr_workspace" "this" {
  name = "this"
  environment = "env-id"

  provider_configuration {
    id = module.first.configuration_id
    alias = "config1"
  }

  provider_configuration {
    id = module.second.configuration_id
    alias = "config2" # should match the provider alias defined in the Terraform configuration
  }
}

Second, in your Terraform code, add the alias:

provider "aws" {
  alias  = "config1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "config2"
  region = "us-east-1"
}

resource "aws_vpc" "example1" {
  provider   = aws.config1   # unquoted reference; the quoted form is deprecated
  cidr_block = "10.0.0.0/16" # a VPC CIDR block must be between /16 and /28
}

resource "aws_vpc" "example2" {
  provider   = aws.config2
  cidr_block = "10.1.0.0/16"
}

With the alias defined, the code knows which provider to use for each resource.

Supported Modules

Please see the following supported modules to help with your provider configuration setup:

Interested in improvements or adding your own module? Feel free to open a PR.