DevFW-CICD/terraform-provider-edge-connect
15
0
Fork 0
Code Issues Pull requests Projects Releases 13 Packages Wiki Activity Actions
terraform-provider-edge-con.../examples/ENV_VARS.md

6.2 KiB
Raw Blame History

Environment Variables Reference

This document provides a complete reference for all environment variables supported by the Edge Connect Terraform provider.

Supported Environment Variables

Variable Type Required Description
EDGE_CONNECT_ENDPOINT string Yes The Edge Connect API endpoint URL
EDGE_CONNECT_TOKEN string Conditional* API token for authentication
EDGE_CONNECT_USERNAME string Conditional* Username for authentication
EDGE_CONNECT_PASSWORD string Conditional* Password for authentication

* Either EDGE_CONNECT_TOKEN OR both EDGE_CONNECT_USERNAME and EDGE_CONNECT_PASSWORD must be provided.

Quick Start

Token Authentication

export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"
export EDGE_CONNECT_TOKEN="your-api-token-here"

terraform init
terraform plan
terraform apply

Username/Password Authentication

export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"
export EDGE_CONNECT_USERNAME="your-username"
export EDGE_CONNECT_PASSWORD="your-password"

terraform init
terraform plan
terraform apply

Configuration Precedence

The provider reads configuration in the following order (highest to lowest precedence):

  1. Explicit Configuration - Values set directly in the provider block
  2. Environment Variables - Values from environment variables
  3. Default Values - Provider defaults (if any)

Example: Precedence in Action

provider "edge-connect" {
  endpoint = "https://api.example.com"  # This value is used
  # token will be read from EDGE_CONNECT_TOKEN environment variable
}

If EDGE_CONNECT_TOKEN is set in the environment, it will be used for the token even though it's not specified in the configuration.

Usage Patterns

1. Pure Environment Variable Configuration

No explicit configuration needed in Terraform files:

provider "edge-connect" {}

All configuration comes from environment variables.

2. Mixed Configuration

Some values explicit, others from environment:

provider "edge-connect" {
  endpoint = "https://api.edge-connect.example.com"
  # token, username, and password from environment variables
}

3. Override Environment Variables

Explicit configuration overrides environment variables:

provider "edge-connect" {
  endpoint = "https://api.edge-connect.example.com"
  token    = var.edge_connect_token  # Overrides EDGE_CONNECT_TOKEN
}

Shell Integration

Bash/Zsh Profile

Add to ~/.bashrc or ~/.zshrc:

# Edge Connect API Configuration
export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"
export EDGE_CONNECT_TOKEN="your-token"

direnv (Recommended)

Create a .envrc file in your project directory:

# .envrc
export EDGE_CONNECT_ENDPOINT="https://api.edge-connect.example.com"
export EDGE_CONNECT_TOKEN="your-token"

Enable direnv:

direnv allow

Now environment variables are automatically loaded when you enter the directory.

CI/CD Systems

GitHub Actions

- name: Terraform Apply
  env:
    EDGE_CONNECT_ENDPOINT: ${{ secrets.EDGE_CONNECT_ENDPOINT }}
    EDGE_CONNECT_TOKEN: ${{ secrets.EDGE_CONNECT_TOKEN }}
  run: |
    terraform init
    terraform apply -auto-approve

GitLab CI

terraform:
  script:
    - terraform init
    - terraform apply -auto-approve
  variables:
    EDGE_CONNECT_ENDPOINT: $EDGE_CONNECT_ENDPOINT
    EDGE_CONNECT_TOKEN: $EDGE_CONNECT_TOKEN

Jenkins

withEnv([
  "EDGE_CONNECT_ENDPOINT=https://api.edge-connect.example.com",
  "EDGE_CONNECT_TOKEN=${env.EDGE_CONNECT_TOKEN}"
]) {
  sh 'terraform init'
  sh 'terraform apply -auto-approve'
}

Secret Management Integration

AWS Secrets Manager

export EDGE_CONNECT_TOKEN=$(aws secretsmanager get-secret-value \
  --secret-id edge-connect/token \
  --query SecretString \
  --output text)

HashiCorp Vault

export EDGE_CONNECT_TOKEN=$(vault kv get -field=token secret/edge-connect)

Azure Key Vault

export EDGE_CONNECT_TOKEN=$(az keyvault secret show \
  --name edge-connect-token \
  --vault-name my-vault \
  --query value -o tsv)

Google Secret Manager

export EDGE_CONNECT_TOKEN=$(gcloud secrets versions access latest \
  --secret="edge-connect-token")

Security Best Practices

  1. Never commit credentials to version control

    • Use .gitignore for files containing secrets
    • Use environment variables or secret management systems

  2. Use appropriate permissions

    • Restrict access to environment files
    • Use IAM roles and policies in cloud environments

  3. Rotate credentials regularly

    • Update environment variables when rotating tokens
    • Use automated rotation with secret management systems

  4. Use token authentication in production

    • More secure than username/password
    • Easier to rotate and scope

  5. Audit credential usage

    • Log when credentials are accessed
    • Monitor for unauthorized usage

Troubleshooting

Check if environment variables are set:

env | grep EDGE_CONNECT

Verify values (mask sensitive data):

echo "Endpoint: $EDGE_CONNECT_ENDPOINT"
echo "Token: ${EDGE_CONNECT_TOKEN:0:5}..." # Show only first 5 chars

Clear environment variables:

unset EDGE_CONNECT_ENDPOINT
unset EDGE_CONNECT_TOKEN
unset EDGE_CONNECT_USERNAME
unset EDGE_CONNECT_PASSWORD

Common Issues

Problem: Provider can't find credentials

Solution: Verify environment variables are set in the current shell:

env | grep EDGE_CONNECT

Problem: Wrong credentials being used

Solution: Check for explicit configuration overriding environment variables, or verify the correct environment variables are set.

Examples

See the authentication/ directory for complete examples:

  • env-vars.tf - Pure environment variable configuration
  • env-vars-token.sh - Shell script for token authentication
  • env-vars-userpass.sh - Shell script for username/password authentication

Additional Resources