terraform-provider-edge-con.../examples/ENV_VARS.md

# Environment Variables Reference

This document provides a complete reference for all environment variables supported by the Edge Connect Terraform provider.

## Supported Environment Variables

| Variable | Type | Required | Description |
|----------|------|----------|-------------|
| `EDGE_CONNECT_ENDPOINT` | string | Yes | The Edge Connect API endpoint URL |
| `EDGE_CONNECT_TOKEN` | string | Conditional* | API token for authentication |
| `EDGE_CONNECT_USERNAME` | string | Conditional* | Username for authentication |
| `EDGE_CONNECT_PASSWORD` | string | Conditional* | Password for authentication |

\* Either `EDGE_CONNECT_TOKEN` OR both `EDGE_CONNECT_USERNAME` and `EDGE_CONNECT_PASSWORD` must be provided.

## Quick Start

### Token Authentication

```bash
export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"
export EDGE_CONNECT_TOKEN="your-api-token-here"

terraform init
terraform plan
terraform apply
```

### Username/Password Authentication

```bash
export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"
export EDGE_CONNECT_USERNAME="your-username"
export EDGE_CONNECT_PASSWORD="your-password"

terraform init
terraform plan
terraform apply
```

## Configuration Precedence

The provider reads configuration in the following order (highest to lowest precedence):

1. **Explicit Configuration** - Values set directly in the provider block
2. **Environment Variables** - Values from environment variables
3. **Default Values** - Provider defaults (if any)

### Example: Precedence in Action

```hcl
provider "edge-connect" {
  endpoint = "https://api.example.com"  # This value is used
  # token will be read from EDGE_CONNECT_TOKEN environment variable
}
```

If `EDGE_CONNECT_TOKEN` is set in the environment, it will be used for the token even though it's not specified in the configuration.

## Usage Patterns

### 1. Pure Environment Variable Configuration

No explicit configuration needed in Terraform files:

```hcl
provider "edge-connect" {}
```

All configuration comes from environment variables.

### 2. Mixed Configuration

Some values explicit, others from environment:

```hcl
provider "edge-connect" {
  endpoint = "https://api.edge-connect.example.com"
  # token, username, and password from environment variables
}
```

### 3. Override Environment Variables

Explicit configuration overrides environment variables:

```hcl
provider "edge-connect" {
  endpoint = "https://api.edge-connect.example.com"
  token    = var.edge_connect_token  # Overrides EDGE_CONNECT_TOKEN
}
```

## Shell Integration

### Bash/Zsh Profile

Add to `~/.bashrc` or `~/.zshrc`:

```bash
# Edge Connect API Configuration
export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"
export EDGE_CONNECT_TOKEN="your-token"
```

### direnv (Recommended)

Create a `.envrc` file in your project directory:

```bash
# .envrc
export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"
export EDGE_CONNECT_TOKEN="your-token"
```

Enable direnv:
```bash
direnv allow
```

Now environment variables are automatically loaded when you enter the directory.

### CI/CD Systems

#### GitHub Actions

```yaml
- name: Terraform Apply
  env:
    EDGE_CONNECT_ENDPOINT: ${{ secrets.EDGE_CONNECT_ENDPOINT }}
    EDGE_CONNECT_TOKEN: ${{ secrets.EDGE_CONNECT_TOKEN }}
  run: |
    terraform init
    terraform apply -auto-approve
```

#### GitLab CI

```yaml
terraform:
  script:
    - terraform init
    - terraform apply -auto-approve
  variables:
    EDGE_CONNECT_ENDPOINT: $EDGE_CONNECT_ENDPOINT
    EDGE_CONNECT_TOKEN: $EDGE_CONNECT_TOKEN
```

#### Jenkins

```groovy
withEnv([
  "EDGE_CONNECT_ENDPOINT=https://api.edge-connect.example.com",
  "EDGE_CONNECT_TOKEN=${env.EDGE_CONNECT_TOKEN}"
]) {
  sh 'terraform init'
  sh 'terraform apply -auto-approve'
}
```

## Secret Management Integration

### AWS Secrets Manager

```bash
export EDGE_CONNECT_TOKEN=$(aws secretsmanager get-secret-value \
  --secret-id edge-connect/token \
  --query SecretString \
  --output text)
```

### HashiCorp Vault

```bash
export EDGE_CONNECT_TOKEN=$(vault kv get -field=token secret/edge-connect)
```

### Azure Key Vault

```bash
export EDGE_CONNECT_TOKEN=$(az keyvault secret show \
  --name edge-connect-token \
  --vault-name my-vault \
  --query value -o tsv)
```

### Google Secret Manager

```bash
export EDGE_CONNECT_TOKEN=$(gcloud secrets versions access latest \
  --secret="edge-connect-token")
```

## Security Best Practices

1. **Never commit credentials to version control**
   - Use `.gitignore` for files containing secrets
   - Use environment variables or secret management systems

2. **Use appropriate permissions**
   - Restrict access to environment files
   - Use IAM roles and policies in cloud environments

3. **Rotate credentials regularly**
   - Update environment variables when rotating tokens
   - Use automated rotation with secret management systems

4. **Use token authentication in production**
   - More secure than username/password
   - Easier to rotate and scope

5. **Audit credential usage**
   - Log when credentials are accessed
   - Monitor for unauthorized usage

## Troubleshooting

### Check if environment variables are set:

```bash
env | grep EDGE_CONNECT
```

### Verify values (mask sensitive data):

```bash
echo "Endpoint: $EDGE_CONNECT_ENDPOINT"
echo "Token: ${EDGE_CONNECT_TOKEN:0:5}..." # Show only first 5 chars
```

### Clear environment variables:

```bash
unset EDGE_CONNECT_ENDPOINT
unset EDGE_CONNECT_TOKEN
unset EDGE_CONNECT_USERNAME
unset EDGE_CONNECT_PASSWORD
```

### Common Issues

**Problem:** Provider can't find credentials

**Solution:** Verify environment variables are set in the current shell:
```bash
env | grep EDGE_CONNECT
```

**Problem:** Wrong credentials being used

**Solution:** Check for explicit configuration overriding environment variables, or verify the correct environment variables are set.

## Examples

See the [authentication/](authentication/) directory for complete examples:

- `env-vars.tf` - Pure environment variable configuration
- `env-vars-token.sh` - Shell script for token authentication
- `env-vars-userpass.sh` - Shell script for username/password authentication

## Additional Resources

- [Authentication Examples](authentication/README.md) - Detailed authentication documentation
- [Provider Configuration](README.md) - Main examples README
added username/password or token as env variable 2025-11-11 15:41:07 +01:00			`# Environment Variables Reference`

			`This document provides a complete reference for all environment variables supported by the Edge Connect Terraform provider.`

			`## Supported Environment Variables`

			`\| Variable \| Type \| Required \| Description \|`
			`\|----------\|------\|----------\|-------------\|`
			\| `EDGE_CONNECT_ENDPOINT` \| string \| Yes \| The Edge Connect API endpoint URL \|
			\| `EDGE_CONNECT_TOKEN` \| string \| Conditional* \| API token for authentication \|
			\| `EDGE_CONNECT_USERNAME` \| string \| Conditional* \| Username for authentication \|
			\| `EDGE_CONNECT_PASSWORD` \| string \| Conditional* \| Password for authentication \|

			\* Either `EDGE_CONNECT_TOKEN` OR both `EDGE_CONNECT_USERNAME` and `EDGE_CONNECT_PASSWORD` must be provided.

			`## Quick Start`

			`### Token Authentication`

			```bash
			`export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"`
			`export EDGE_CONNECT_TOKEN="your-api-token-here"`

			`terraform init`
			`terraform plan`
			`terraform apply`
			```

			`### Username/Password Authentication`

			```bash
			`export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"`
			`export EDGE_CONNECT_USERNAME="your-username"`
			`export EDGE_CONNECT_PASSWORD="your-password"`

			`terraform init`
			`terraform plan`
			`terraform apply`
			```

			`## Configuration Precedence`

			`The provider reads configuration in the following order (highest to lowest precedence):`

			`1. Explicit Configuration - Values set directly in the provider block`
			`2. Environment Variables - Values from environment variables`
			`3. Default Values - Provider defaults (if any)`

			`### Example: Precedence in Action`

			```hcl
			`provider "edge-connect" {`
			`endpoint = "https://api.example.com" # This value is used`
			`# token will be read from EDGE_CONNECT_TOKEN environment variable`
			`}`
			```

			If `EDGE_CONNECT_TOKEN` is set in the environment, it will be used for the token even though it's not specified in the configuration.

			`## Usage Patterns`

			`### 1. Pure Environment Variable Configuration`

			`No explicit configuration needed in Terraform files:`

			```hcl
			`provider "edge-connect" {}`
			```

			`All configuration comes from environment variables.`

			`### 2. Mixed Configuration`

			`Some values explicit, others from environment:`

			```hcl
			`provider "edge-connect" {`
			`endpoint = "https://api.edge-connect.example.com"`
			`# token, username, and password from environment variables`
			`}`
			```

			`### 3. Override Environment Variables`

			`Explicit configuration overrides environment variables:`

			```hcl
			`provider "edge-connect" {`
			`endpoint = "https://api.edge-connect.example.com"`
			`token = var.edge_connect_token # Overrides EDGE_CONNECT_TOKEN`
			`}`
			```

			`## Shell Integration`

			`### Bash/Zsh Profile`

			Add to `~/.bashrc` or `~/.zshrc`:

			```bash
			`# Edge Connect API Configuration`
			`export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"`
			`export EDGE_CONNECT_TOKEN="your-token"`
			```

			`### direnv (Recommended)`

			Create a `.envrc` file in your project directory:

			```bash
			`# .envrc`
			`export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"`
			`export EDGE_CONNECT_TOKEN="your-token"`
			```

			`Enable direnv:`
			```bash
			`direnv allow`
			```

			`Now environment variables are automatically loaded when you enter the directory.`

			`### CI/CD Systems`

			`#### GitHub Actions`

			```yaml
			`- name: Terraform Apply`
			`env:`
			`EDGE_CONNECT_ENDPOINT: ${{ secrets.EDGE_CONNECT_ENDPOINT }}`
			`EDGE_CONNECT_TOKEN: ${{ secrets.EDGE_CONNECT_TOKEN }}`
			`run: \|`
			`terraform init`
			`terraform apply -auto-approve`
			```

			`#### GitLab CI`

			```yaml
			`terraform:`
			`script:`
			`- terraform init`
			`- terraform apply -auto-approve`
			`variables:`
			`EDGE_CONNECT_ENDPOINT: $EDGE_CONNECT_ENDPOINT`
			`EDGE_CONNECT_TOKEN: $EDGE_CONNECT_TOKEN`
			```

			`#### Jenkins`

			```groovy
			`withEnv([`
			`"EDGE_CONNECT_ENDPOINT=https://api.edge-connect.example.com",`
			`"EDGE_CONNECT_TOKEN=${env.EDGE_CONNECT_TOKEN}"`
			`]) {`
			`sh 'terraform init'`
			`sh 'terraform apply -auto-approve'`
			`}`
			```

			`## Secret Management Integration`

			`### AWS Secrets Manager`

			```bash
			`export EDGE_CONNECT_TOKEN=$(aws secretsmanager get-secret-value \`
			`--secret-id edge-connect/token \`
			`--query SecretString \`
			`--output text)`
			```

			`### HashiCorp Vault`

			```bash
			`export EDGE_CONNECT_TOKEN=$(vault kv get -field=token secret/edge-connect)`
			```

			`### Azure Key Vault`

			```bash
			`export EDGE_CONNECT_TOKEN=$(az keyvault secret show \`
			`--name edge-connect-token \`
			`--vault-name my-vault \`
			`--query value -o tsv)`
			```

			`### Google Secret Manager`

			```bash
			`export EDGE_CONNECT_TOKEN=$(gcloud secrets versions access latest \`
			`--secret="edge-connect-token")`
			```

			`## Security Best Practices`

			`1. Never commit credentials to version control`
			- Use `.gitignore` for files containing secrets
			`- Use environment variables or secret management systems`

			`2. Use appropriate permissions`
			`- Restrict access to environment files`
			`- Use IAM roles and policies in cloud environments`

			`3. Rotate credentials regularly`
			`- Update environment variables when rotating tokens`
			`- Use automated rotation with secret management systems`

			`4. Use token authentication in production`
			`- More secure than username/password`
			`- Easier to rotate and scope`

			`5. Audit credential usage`
			`- Log when credentials are accessed`
			`- Monitor for unauthorized usage`

			`## Troubleshooting`

			`### Check if environment variables are set:`

			```bash
			`env \| grep EDGE_CONNECT`
			```

			`### Verify values (mask sensitive data):`

			```bash
			`echo "Endpoint: $EDGE_CONNECT_ENDPOINT"`
			`echo "Token: ${EDGE_CONNECT_TOKEN:0:5}..." # Show only first 5 chars`
			```

			`### Clear environment variables:`

			```bash
			`unset EDGE_CONNECT_ENDPOINT`
			`unset EDGE_CONNECT_TOKEN`
			`unset EDGE_CONNECT_USERNAME`
			`unset EDGE_CONNECT_PASSWORD`
			```

			`### Common Issues`

			`Problem: Provider can't find credentials`

			`Solution: Verify environment variables are set in the current shell:`
			```bash
			`env \| grep EDGE_CONNECT`
			```

			`Problem: Wrong credentials being used`

			`Solution: Check for explicit configuration overriding environment variables, or verify the correct environment variables are set.`

			`## Examples`

			`See the [authentication/](authentication/) directory for complete examples:`

			- `env-vars.tf` - Pure environment variable configuration
			- `env-vars-token.sh` - Shell script for token authentication
			- `env-vars-userpass.sh` - Shell script for username/password authentication

			`## Additional Resources`

			`- [Authentication Examples](authentication/README.md) - Detailed authentication documentation`
			`- [Provider Configuration](README.md) - Main examples README`