HashiCorp has released Terraform 1.4 with a number of improvements for working within Terraform Cloud environments. These improvements include CLI support for structured run outputs and for OPA policy results. The release also adds a native, built-in replacement for the null_resource from the null utility provider.
A new terraform_data resource has been added as a built-in replacement for null_resource. Neither resource performs any action against an external system on its own; both exist to carry a managed resource lifecycle in situations where no real managed resource fits. terraform_data implements the standard resource lifecycle and, unlike null_resource, can be used without requiring or configuring a provider.
The two main use cases for terraform_data are storing values that require a managed resource lifecycle and triggering provisioners when there is no logical managed resource to attach them to. The first case is best understood through the replace_triggered_by lifecycle argument, which replaces a resource when any of the referenced items change. replace_triggered_by accepts only resource addresses, because the replacement decision is based on the planned actions for the referenced resources. This example replaces the aws_appautoscaling_target whenever the instance of aws_ecs_service is replaced:
resource "aws_appautoscaling_target" "ecs_target" {
  # ...
  lifecycle {
    # Replaced whenever the id of the referenced service changes,
    # i.e. whenever aws_ecs_service.svc is itself replaced.
    replace_triggered_by = [
      aws_ecs_service.svc.id
    ]
  }
}
In cases where there is no convenient resource attribute to force replacement, terraform_data can be used. This makes the pattern work with local values or input variables, which do not have planned actions of their own. In the following example, the resource example_database is replaced whenever the value of the revision variable changes:
variable "revision" {
  default = 1
}

# Variables have no planned actions of their own, so the value is wrapped
# in a terraform_data resource that replace_triggered_by can reference.
resource "terraform_data" "replacement" {
  input = var.revision
}

resource "example_database" "test" {
  # ...
  lifecycle {
    # Any change to var.revision updates terraform_data.replacement,
    # which in turn forces replacement of this resource.
    replace_triggered_by = [terraform_data.replacement]
  }
}
The next example uses terraform_data as a holder for a local-exec provisioner. Provisioners run when their resource is created, so listing both instance ids in triggers_replace means that replacing either instance also replaces the terraform_data instance and re-runs the bootstrap script:
resource "aws_instance" "web" {
  # ...
}

resource "aws_instance" "database" {
  # ...
}

resource "terraform_data" "bootstrap" {
  # A change to either instance id forces replacement of this resource,
  # and creation of the replacement runs the provisioner again.
  triggers_replace = [
    aws_instance.web.id,
    aws_instance.database.id
  ]

  provisioner "local-exec" {
    command = "bootstrap-hosts.sh"
  }
}
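The article's examples show terraform_data driving replacement and hosting a provisioner. The following block, added here and not taken from the article or from HashiCorp's documentation, shows the other use case the release mentions: storing a value under a managed resource lifecycle. It pins the AMI id that was resolved when the resource was created, so a newer image matching the filter does not silently roll the instances on the next apply; the image changes only when someone deliberately bumps var.ami_generation. The variable name, the AMI name filter and the resource names are assumptions made for this example.

```hcl
# Added example: pin a looked-up value with terraform_data so that it only
# changes on a deliberate, reviewable replacement.

variable "ami_generation" {
  description = "Bump to re-resolve the AMI and roll the instances (assumed name)."
  type        = number
  default     = 1
}

# Resolves to whichever image currently matches; this can change between
# applies without any change to the configuration.
data "aws_ami" "app" {
  most_recent = true
  owners      = ["self"]

  filter {
    name   = "name"
    values = ["app-*"] # assumed naming convention
  }
}

resource "terraform_data" "pinned_ami" {
  # Copied into "output" when this instance is created.
  input = data.aws_ami.app.id

  # A new generation number forces replacement, which re-reads "input".
  triggers_replace = [var.ami_generation]

  lifecycle {
    # Between replacements, a newer matching AMI is ignored, so "output"
    # keeps the id that was resolved when the instance was created.
    ignore_changes = [input]
  }
}

resource "aws_instance" "app" {
  # Consume the stored copy rather than the live data source.
  ami           = terraform_data.pinned_ami.output
  instance_type = "t3.micro"
}

output "pinned_ami_id" {
  value = terraform_data.pinned_ami.output
}
```

Because ami forces replacement of aws_instance.app, bumping ami_generation produces a plan that shows the instance rollout before it happens, rather than a surprise on a routine apply. Note that input, output and triggers_replace are ordinary resource attributes and are written to the state file like any other attribute, so terraform_data is a place for ids and version markers, not for secrets.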
Terraform Cloud, HashiCorp's Terraform-as-a-service offering, provides structured run outputs, a more user-friendly representation of run results than raw log output. In previous releases only runs initiated from the UI, version control integrations, or the API produced this view; Terraform 1.4 extends structured run outputs to CLI-driven runs as well.
Terraform Cloud previously added support for Open Policy Agent (OPA). OPA is an open-source policy engine that makes use of a high-level declarative language known as Rego. OPA support works alongside Sentinel to provide enforcement via policy-as-code. Sentinel is HashiCorp's policy-as-code language.
Terraform 1.4 adds support for displaying OPA policy results in CLI-driven runs within Terraform Cloud, bringing OPA policies to parity with Sentinel policies in that workflow. The CLI also supports manually overriding a failed policy check when the policy is configured to allow overrides.
Other improvements in this release include terraform plan storing the requested plan file even if errors are encountered, so that the partial plan can be inspected to troubleshoot the error. To simplify automatically creating workspaces, a new -or-create flag was added to the terraform workspace select command; it creates the named workspace if it does not already exist before selecting it.
More details about the 1.4 release can be found within the documentation or in the changelog. Terraform 1.4 is available for download from the HashiCorp site as well as for use within Terraform Cloud.