Provider Configurations

Provider configurations are our next-generation approach to credential management for Terraform providers and will eventually replace provider credentials. They are currently supported in the Scalr API and the Terraform provider; UI support will be released soon. Provider configurations give you much more flexibility in how credentials are assigned:

  • Added support for the Scalr provider.

  • Ability to manage custom providers.

  • More than one configuration of the same type can be added to an environment.

  • More than one configuration of the same type can be added to a workspace and referenced in the Terraform run by an alias.

  • Improved AWS credential management, see more below.

Overview

When a provider configuration is created, a link must be made to one or more environments. The flow goes as follows:

A provider configuration manages the relationship between the configuration and environment(s). An environment can have an optional default configuration for each provider type which will push that configuration to all workspaces. Workspaces can also have a provider configuration defined within the workspace scope, which would take precedence over all other assignments.

For example, this AWS role is being shared with ALL environments:

resource "scalr_provider_configuration" "aws" {
  name                   = "aws_service_test"
  account_id             = "acc-sscctbisjkl1234"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type         = "regular"
    credentials_type     = "role_delegation"
    trusted_entity_type  = "aws_service"
    role_arn             = "arn:aws:iam::670025224396:role/service_agent"
  }
}

When creating an environment, you may need a default credential. In that case, it must be defined within the environment:

resource "scalr_environment" "this" {
  name = "agent_service_trust2"
  account_id = "acc-sscctbisjkl1234"
  default_provider_configurations = [scalr_provider_configuration.aws.id]
}

Credentials can also be assigned within the workspace scope:

resource "scalr_workspace" "this" {
  name        = "this"
  environment = "env-id"

  provider_configuration {
    id    = scalr_provider_configuration.aws.id
    alias = "vp1"
  }
}

If more than one configuration of the same type is assigned to a workspace, specifying an alias will pass the correct configuration during the run.

Configuration Types

Scalr has support for all major Terraform providers while also allowing the usage of other providers through the custom provider option. Please click on the provider type below for more details on usage.

Supported Modules

Please see the following supported modules to help with your provider configuration setup:

Interested in improvements or adding your own module? Feel free to open a PR.

Examples

Workspaces with Multiple Configs

First, declare the two provider configurations that the workspace needs.

resource "scalr_workspace" "this" {
  name = "this"
  environment = "env-id"

  provider_configuration {
    id = module.first.configuration_id
    alias = "config1"
  }

  provider_configuration {
    id = module.second.configuration_id
    alias = "config2" # should match the provider alias defined in the Terraform configuration
  }
}

Second, in your Terraform code, add the alias:

provider "aws" {
  alias  = "config1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "config2"
  region = "us-east-1"
}

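# Provider references are written unquoted; the quoted form is deprecated.
# AWS requires a VPC CIDR block between /16 and /28, so 0.0.0.0/0 is rejected.
resource "aws_vpc" "example1" {
  provider   = aws.config1
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc" "example2" {
  provider   = aws.config2
  cidr_block = "10.1.0.0/16"
}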

With the aliases defined, each resource uses the provider configuration whose alias it references.
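A pre-run check for the alias matching described above, as an added example that is not part of the original page or of Scalr's tooling. It compares the aliases on a workspace's provider_configuration blocks with the provider aliases declared and referenced in the Terraform code. The function names are hypothetical, the parsing is regex-based rather than a full HCL parser (braces inside strings or comments are not handled), and aliases are compared without regard to provider type.

```python
import re

# Constructed sample input, trimmed from the page's example; "cfg2" is a deliberate typo.
WORKSPACE_HCL = '''
resource "scalr_workspace" "this" {
  provider_configuration {
    alias = "config1"
  }
  provider_configuration {
    alias = "config2"
  }
}
'''
TERRAFORM_HCL = '''
provider "aws" {
  alias = "config1"
}
provider "aws" {
  alias = "cfg2"
}
resource "aws_vpc" "example2" {
  provider = aws.config2
}
'''

def block_bodies(hcl, header):
    """Yield the body of each block whose header matches the regex (brace-counted)."""
    for m in re.finditer(header + r"\s*\{", hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield hcl[m.end():i - 1]

def aliases(hcl, header):
    """Return the set of alias = "..." values found in the matching blocks."""
    hits = (re.search(r'^\s*alias\s*=\s*"([^"]+)"', b, re.M) for b in block_bodies(hcl, header))
    return {h.group(1) for h in hits if h}

def check_aliases(workspace_hcl, terraform_hcl):
    """Compare workspace aliases with provider aliases declared and referenced in the code."""
    ws = aliases(workspace_hcl, r"\bprovider_configuration")
    declared = aliases(terraform_hcl, r'\bprovider\s+"[\w-]+"')
    used = set(re.findall(r'^\s*provider\s*=\s*"?[\w-]+\.([\w-]+)"?', terraform_hcl, re.M))
    return {"workspace_only": sorted(ws - declared), "terraform_only": sorted(declared - ws),
            "undeclared_refs": sorted(used - declared)}

if __name__ == "__main__":
    print(check_aliases(WORKSPACE_HCL, TERRAFORM_HCL))
```

An empty list under every key means each workspace alias has a matching provider block and every resource references a declared alias.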