This is a work in progress, meaning the syntax may change in the future, and the implementation is being hardened. The design proposal document provides more background on the intended use-cases, and the next potential resources to be added. Feedback and contributions are welcomed.
This terraformp provider supports the use-case of managing a Cloud Foundry instance, with current support for:
- Organizations
- Spaces
- Quotas (Space and Organization ones)
- Security groups (On space, staging or running)
- Buildpacks
- Feature flags
- Services
- Domains
- Routes
- Isolation Segments
- Stacks
- Environment Variable Group
- Service brokers (Support gpg encryption on password)
Requirements: You need, of course, terraform (>=0.8) which is available here: https://www.terraform.io/downloads.html
To install a specific version, set PROVIDER_CLOUDFOUNDRY_VERSION before executing the following command
$ export PROVIDER_CLOUDFOUNDRY_VERSION="v0.7.3"
$ sh -c "$(curl -fsSL https://raw.github.com/orange-cloudfoundry/terraform-provider-cloudfoundry/master/bin/install.sh)"
$ sh -c "$(wget https://raw.github.com/orange-cloudfoundry/terraform-provider-cloudfoundry/master/bin/install.sh -O -)"
- Get the build for your system in releases: https://github.com/orange-cloudfoundry/terraform-provider-cloudfoundry/releases/latest
- Create a
providers
directory inside terraform user folder:mkdir -p ~/.terraform.d/providers
- Move the provider previously downloaded in this folder:
mv /path/to/download/directory/terraform-provider-cloudfoundry ~/.terraform.d/providers
- Ensure provider is executable:
chmod +x ~/.terraform.d/providers/terraform-provider-cloudfoundry
- add
providers
path to your.terraformrc
:
cat <<EOF > ~/.terraformrc
providers {
cloudfoundry = "/full/path/to/.terraform.d/providers/terraform-provider-cloudfoundry"
}
EOF
- you can now performs any terraform action on Cloud Foundry resources
provider "cloudfoundry" {
api_endpoint = "https://api.of.your.cloudfoundry.com"
username = "user"
password = "mypassword"
skip_ssl_validation = true
enc_private_key = "${file("secring_b64.gpg")}"
enc_passphrase = "mypassphrase"
verbose = false
user_access_token = "bearer key"
user_refresh_token = "bearer key"
}
- name: (Required, Env Var:
CF_API
) Your Cloud Foundry api url. - username: (Optional, default:
null
, Env Var:CF_USERNAME
) The username of an admin user. (Optional if you use an access token) - password: (Optional, default:
null
, Env Var:CF_PASSWORD
) The password of an admin user. (Optional if you use an access token) - skip_ssl_validation: (Optional, default:
false
) Set to true to skip verification of the API endpoint. Not recommended!. - enc_private_key: (Optional, default:
null
, Env Var:CF_ENC_PRIVATE_KEY
) A GPG private key(s) generate fromgpg --export-secret-key -a <real name>
. Need a passphrase withenc_passphrase
.. - enc_passphrase: (Optional, default:
null
, Env Var:CF_ENC_PASSPHRASE
) The passphrase for your gpg key. - verbose: (Optional, default:
null
) Set to true to see requests sent to Cloud Foundry. (UseTF_LOG=1
to see them) - user_access_token: (Optional, default:
null
, Env Var:CF_TOKEN
) The OAuth token used to connect to a Cloud Foundry. (Optional if you use 'username' and 'password') - user_refresh_token: (Optional, default:
null
) The OAuth refresh token used to refresh your token.
resource "cloudfoundry_organization" "org_mysuperorg" {
name = "mysuperorg"
is_system_domain = true
quota_id = "${cloudfoundry_quota.quota_mysuperquota.id}"
}
- name: (Required) Name of your organization.
- is_system_domain: (Optional, default:
false
) set it to true only if this organization is a system_domain organization, it will prevent deletion on Cloud Foundry. - quota_id: (Optional, default:
null
) Give a quota id (created from resource cloudfoundry_quota) to set a quota on this org.
Note: every parameters from resource which are not used here are marked as computed and will be filled.
data "cloudfoundry_organization" "org_mysuperorg" {
name = "mysuperorg"
}
- name: (Required) Name of your organization.
resource "cloudfoundry_space" "space_mysuperspace" {
name = "mysuperspace"
org_id = "${cloudfoundry_organization.org_mysuperorg.id}"
quota_id = "${cloudfoundry_quota.quota_mysuperquota.id}"
sec_groups = ["${cloudfoundry_sec_group.sec_group_mysupersecgroup.id}"]
allow_ssh = true
}
- name: (Required) Name of your space.
- org_id: (Required) Organization id created from resource or data source cloudfoundry_organization.
- allow_ssh: (Optional, default:
true
) Set tofalse
to remove ssh access on app instances inside this space. - sec_groups: (Optional, default:
null
) This is a list of security groups id created from cloudfoundry_sec_group, it will bind each security group on this space. - quota_id: (Optional, default:
null
) Give a quota id (created from resource cloudfoundry_quota) to set a quota on this space.
Note: every parameters from resource which are not used here are marked as computed and will be filled.
data "cloudfoundry_space" "space_mysuperspace" {
name = "mysuperspace"
org_id = "${cloudfoundry_organization.org_mysuperorg.id}"
}
- name: (Required) Name of your space.
- org_id: (Required) Organization id created from resource or data source cloudfoundry_organization.
Note: There is two kinds of quotas inside Cloud Foundry: a space's quota, an organization's quota. This resource is able to find what kind of quota you defined. If you omit org_id
the resource will consider this
quota as an organization's quota. With it will consider it's a space's quota.
resource "cloudfoundry_quota" "quota_for_ahalet" {
name = "quotaAhalet"
org_id = "${cloudfoundry_organization.org_mysuperorg.id}"
total_memory = "10G"
instance_memory = "1G"
routes = 200
service_instances = 10
app_instances = -1
allow_paid_service_plans = true
reserved_route_ports = 0
}
- name: (Required) Name of your quota.
- org_id: (Optional, default:
null
) If set to an organization id created from resource or data source cloudfoundry_organization, it will be considered as organization quota, else it will be a space quota. - total_memory: (Optional, default:
20G
) Total amount of memory a space can have (e.g. 1024M, 1G, 10G). - total_instance_memory: (Optional, default:
-1
) Maximum amount of memory an application instance can have (e.g. 1024M, 1G, 10G). -1 represents an unlimited amount. - routes: (Optional, default:
2000
) Total number of routes that a space can have. - service_instances: (Optional, default:
200
) Total number of service instances which can be created that a space can have. - app_instances: (Optional, default:
-1
) Total number of application instances that a space can have. -1 represents an unlimited amount. - app_allow_paid_service_plans: (Optional, default:
true
) Can provision instances of paid service plans. - reserved_route_ports: (Optional, default:
0
) Maximum number of routes that may be created with reserved ports in a space.
Note: every parameters from resource which are not used here are marked as computed and will be filled.
data "cloudfoundry_quota" "quota_for_ahalet" {
name = "quotaAhalet"
org_id = "${cloudfoundry_organization.org_mysuperorg.id}"
}
- name: (Required) Name of your quota.
- org_id: (Optional, default:
null
) If set to an organization id created from resource or data source cloudfoundry_organization, it will be considered as organization quota, else it will be a space quota.
resource "cloudfoundry_sec_group" "sec_group_mysupersecgroup" {
name = "mysupersecgroup"
on_staging = false
on_running = false
rules {
protocol = "tcp"
destination = "10.0.0.2"
ports = "65000"
log = false
description = "my description"
}
rules {
protocol = "icmp"
destination = "192.0.2.0-192.0.1-4"
type = 3
code = 1
}
rules {
protocol = "all"
destination = "10.0.0.0/24"
log = true
}
}
- name: (Required) Name of your security group.
- on_staging: (Optional, default:
false
) Set to true to apply this security group during staging an app. - on_running: (Optional, default:
false
) Set to true to apply this security group during running an app. - rules: (Optional, default:
null
) Add rules as many as you need:- protocol: (Required) The protocol to use, it can be
tcp
,udp
,icmp
, orall
- destination: (Optional, default:
null
) A single IP address, an IP address range (e.g. 192.0.2.0-192.0.1-4), or a CIDR block to allow network access to. - ports: (Optional, default:
null
) A single port, multiple comma-separated ports, or a single range of ports that can receive traffic, e.g."443"
,"80,8080,8081"
,"8080-8081"
. Required whenprotocol
istcp
orudp
. - code: (Optional, default:
null
) ICMP code. Required whenprotocol
isicmp
. - type: (Optional, default:
null
) ICMP type. Required whenprotocol
isicmp
. - log: (Optional, default:
false
) Set totrue
to enable logging. For more information about how to configure system logs to be sent to a syslog drain, see Using Log Management Services topic. - description: (Optional, default:
null
) This is an optional field that contains useful text for operators to manage security group rules. This field is available in Cloud Foundry v238 and later.
- protocol: (Required) The protocol to use, it can be
Note: every parameters from resource which are not used here are marked as computed and will be filled.
data "cloudfoundry_sec_group" "sec_group_mysupersecgroup" {
name = "mysupersecgroup"
}
- name: (Required) Name of your security group.
resource "cloudfoundry_buildpack" "buildpack_mysuperbuildpack" {
name = "mysuperbuildpack"
path = "https://github.com/cloudfoundry/staticfile-buildpack/releases/download/v1.3.13/staticfile_buildpack-cached-v1.3.13.zip"
position = 13
locked = false
enabled = false
}
- name: (Required) Name of your buildpack. Note: if there is only name inside your buildpack the provider will consider your buildpack as a system managed buildpack (e.g.:
php_buildpack
,java_buildpack
), so if you remove it from your tf file it will not be removed from your Cloud Foundry. - path: (Optional, default:
null
) Path should be a zip file, a url to a zip file, or a local directory which contains your buildpack code. - position: (Optional, default:
null
) Position is a positive integer, sets priority, and is sorted from lowest to highest. - enabled: (Optional, default:
true
) Set tofalse
to disable the buildpack to be used for staging. - locked: (Optional, default:
false
) Set totrue
to lock the buildpack to prevent updates.
Note: every parameters from resource which are not used here are marked as computed and will be filled.
resource "cloudfoundry_buildpack" "buildpack_mysuperbuildpack" {
name = "mysuperbuildpack"
}
- name: (Required) Name of your buildpack.
resource "cloudfoundry_feature_flags" "feature_flags" {
diego_docker = true
custom_flag {
name = "my_flag"
enabled = true
}
}
List of default feature flags:
- user_org_creation: (Optional, default:
false
) - private_domain_creation: (Optional, default:
true
) - app_bits_upload: (Optional, default:
true
) - app_scaling: (Optional, default:
true
) - route_creation: (Optional, default:
true
) - service_instance_creation: (Optional, default:
true
) - diego_docker: (Optional, default:
false
) - set_roles_by_username: (Optional, default:
true
) - unset_roles_by_username: (Optional, default:
true
) - task_creation: (Optional, default:
false
) - env_var_visibility: (Optional, default:
true
) - space_scoped_private_broker_creation: (Optional, default:
true
) - space_developer_env_var_visibility: (Optional, default:
true
)
Custom flags made for feature flags not in the default resource:
- custom_flag: (Optional, default:
null
) Add cutom feature flags as many as you need:- name: (Required) Name of the feature
- enabled: (Required) Set to
true
to enable the feature in your cloud foundry.
Feature flags cannot be used as data source
Service from marketplace:
resource "cloudfoundry_service" "svc_db" {
name = "my-db"
space_id = "${cloudfoundry_space.space_mysuperspace.id}"
service = "p-mysql"
plan = "100mb"
params = "{ \"my-param\": 1}"
update_params = "{ \"my-param\": 1}"
tags = [ "tag1", "tag2" ]
}
An user provided service:
resource "cloudfoundry_service" "svc_ups" {
name = "my-ups"
space_id = "${cloudfoundry_space.space_mysuperspace.id}"
user_provided = true
params = "{ \"my-credential\": 1}"
route_service_url = "http://my.route.com"
syslog_drain_url = "http://my.syslog.com"
tags = [ "tag1", "tag2" ]
}
- name: (Required) Name of your service.
- space_id: (Required) Space id created from resource or data source cloudfoundry_space to register service inside.
- user_provided: (Optional, default:
false
) Set totrue
to create an user provided service. Note:service
andplan
params will not be used. - params: (Optional, default:
null
) Must be json, if it's an user provided service it will be credential for your service instead it will be params sent to service broker when creating service. - update_params: (Optional, default:
null
) Must be json, Params sent to service broker when updating service. - tags: (Optional, default:
null
) list of tags for your service. - service: (Required when not user provided service) name of service from marketplace.
- plan: (Required when not user provided service) name of the plan to use.
- route_service_url: (Optional, default:
null
) Only works for user provided, an url to create a route service - syslog_drain_url: (Optional, default:
null
) Only works for user provided, an url to drain logs as a service on an app.
Note: every parameters from resource which are not used here are marked as computed and will be filled, except:
params
update_params
data "cloudfoundry_service" "svc_ups" {
name = "my-ups"
space_id = "${cloudfoundry_space.space_mysuperspace.id}"
}
- name: (Required) Name of your service.
- space_id: (Required) Space id created from resource or data source cloudfoundry_space to register service inside.
resource "cloudfoundry_domain" "domain_mydomain" {
name = "my.domain.com"
org_owner_id = "${cloudfoundry_organization.org_mysuperorg.id}"
router_group = "default-router"
orgs_shared_id = ["${cloudfoundry_organization.org_mysecondorg.id}"]
shared = false
}
- name: (Required) Your domain name.
- org_owner_id: (Required if not shared) Organization id created from resource or data source which owned the domain cloudfoundry_organization.
- orgs_shared_id: (Optional, default:
null
) Set of organization id which can have access to domain. Note: Only can used when not a shared domain - router_group: (Optional, default:
null
) Routes for this domain will be configured only on the specified router group. Note: Only when when it's a shared domain - shared: (Optional, default:
false
) IfTrue
this domain will be a shared domain.
Note: every parameters from resource which are not used here are marked as computed and will be filled.
data "cloudfoundry_domain" "domain_mydomain" {
name = "my.domain.com"
org_owner_id = "${cloudfoundry_organization.org_mysuperorg.id}"
first = false
}
- name: (Optional if
first
param set totrue
, default:null
) Your domain name. - first: (Optional, default:
null
) If set totrue
parametername
become unnecessary and will give the first domain found in your Cloud Foundry (it will be the first shared domain iforg_owner_id
is not set). - org_owner_id: (Required if not shared) Organization id created from resource or data source which owned the domain cloudfoundry_organization.
resource "cloudfoundry_route" "route_superroute" {
hostname = "superroute"
space_id = "${cloudfoundry_space.space_mysuperspace.id}"
domain_id = "${cloudfoundry_domain.domain_mydomain.id}"
port = -1
path = ""
service_id = "${cloudfoundry_service.svc_ups.id}"
service_params = "{ \"my-param\": 1}"
}
- name: (Required) Your hostname.
- domain_id: (Required) Domain id created from resource or data source domains.
- space_id: (Required) Space id created from resource or data source cloudfoundry_space to register route inside.
- port: (Optional, default:
-1
) Set a port for your route (only works with a tcp domain). Note: If0
a random port will be chose - path: (Optional, default:
null
) Set a path for your route (only works with a http(s) domain). - service_id: (Optional, default:
null
) Set a service id created from resource or data source services this will bind a route service on your route. Note: It obviously needs a service which is a route service. - service_params: (Optional, default:
null
) Must be in json, set params to send to service when binding on it. - protocol: (Optional, default:
null
) This parameter is only for uri computed parameter it permits to override the protocol when generating uri (generated uri will use alwayshttps
protocol when it's an http route, you can found useful to force inhttp
). - uri: (Computed) This is an uri generated by the resource, you can use this for service brokers resource for example. Note: It autodetects when it's an http route or a tcp route.
Note: every parameters from resource which are not used here are marked as computed and will be filled, except:
service_params
resource "cloudfoundry_route" "route_superroute" {
hostname = "superroute"
domain_id = "${cloudfoundry_domain.domain_mydomain.id}"
port = -1
path = ""
}
- name: (Required) Your hostname.
- domain_id: (Required) Domain id created from resource or data source domains.
- port: (Optional, default:
-1
) Set a port for your route (only works with a tcp domain). Note: If0
a random port will be chose - path: (Optional, default:
null
) Set a path for your route (only works with a http(s) domain). - protocol: (Optional, default:
null
) This parameter is only for uri computed parameter it permits to override the protocol when generating uri (generated uri will use alwayshttps
protocol when it's an http route, you can found useful to force inhttp
).
IMPORTANT NOTE:
- Isolation segments are in development on cloud foundry and only available with cloud controller api V3.
- My actual Cloud Foundry doesn't have isolation segment and resource could not be tested
- Use at your own risk, there is no warranty
resource "cloudfoundry_isolation_segment" "my_isolation_segment" {
name = "isolation_segment_name_set_in_cf_deployment"
orgs_id = ["${cloudfoundry_organization.org_mysuperorg.id}"]
}
- name: (Required) Isolation segment that you have set on your cloud foundry deployment.
- orgs_id: (Required) (Optional, default:
null
) You can pass a list of organization created from resource or data source cloudfoundry_organization, this will put those organizations in the isolation segment.
Note: every parameters from resource which are not used here are marked as computed and will be filled.
data "cloudfoundry_isolation_segment" "my_isolation_segment" {
name = "isolation_segment_name_set_in_cf_deployment"
}
- name: (Required) Isolation segment that you have set on your cloud foundry deployment.
Stacks cannot be used as a resource
Note: every parameters from resource which are not used here are marked as computed and will be filled.
data "cloudfoundry_stack" "my_stack" {
name = "cflinuxfs2"
first = false
}
- name: (Optional if
first
param set totrue
, default:null
) Name of the stack. - first: (Optional, default:
null
) If set totrue
parametername
become unnecessary and will give the first stack found in your Cloud Foundry.
resource "cloudfoundry_env_var_group" "env_var_group" {
env_var {
key = "myvar1"
value = "myvalue1"
running = true
staging = true
}
env_var {
key = "myvar2"
value = "myvalue1"
running = true
staging = true
}
}
- env_var: (Required) Add any variable you want to environment variable group:
- key: (Required) Env var key.
- value: (Required) Env var value.
- running: (Required) if set to
true
this env var will be use on all running app. - staging: (Required) if set to
true
this env var will be use during staging step when creating an app.
Environment Variable Group cannot be used as a data source
resource "cloudfoundry_service_broker" "service_broker_mysuperbroker" {
name = "mysuperbroker"
url = "http://url.of.my.service.broker.com"
username = "user"
password = "mypassword"
service_access {
service = "service_name_from_service_broker_catalog"
plan = "plan_from_service_broker_catalog"
org_id = "${cloudfoundry_organization.org_mysuperorg.id}"
}
service_access {
service = "service_name_from_service_broker_catalog"
plan = "plan2_from_service_broker_catalog"
org_id = "${cloudfoundry_organization.org_mysuperorg.id}"
}
#...
}
- name: (Required) Name of your service broker.
- url: (Required) URL to access to your service broker.
- username: (Optional, default:
null
) Username to authenticate to your service broker. - password: (Optional, default:
null
) Password to authenticate to your service broker. Note: you can pass a base 64 encrypted gpg message if you enabled password encryption. - catalog_sha1: (Computed) Do not modify yourself, this permits to detect a change in the service broker catalog.
- service_access: (Required) Add service access as many as you need, service access make you service broker accessible on marketplace:
- service: (Required) Service name from your service broker catalog to activate. Note: if there is only service in your service access it will enable all plan on all orgs on your Cloud Foundry.
- plan: (Optional, default:
null
) Plan from your service broker catalog attached to this service to activate. Note: if noorg_id
is given it will enable this plan on all orgs. - org_id: (Optional, default:
null
) Org id created from resource or data source cloudfoundry_organization to activate this service. Note: if noplan
is given it will all plans on this org.
BUG FOUND: if you set both plan
and org_id
in your service_access
Cloud Foundry will enable all plans on this org. It's maybe only on the version of Cloud Foundry I am. Feedbacks are needed on other versions.
Note: every parameters from resource which are not used here are marked as computed and will be filled, except:
username
password
resource "cloudfoundry_service_broker" "service_broker_mysuperbroker" {
name = "mysuperbroker"
}
- name: (Required) Name of your service broker.
You can use gpg encryption to encrypt your service broker password.
Requirements: you will need to have gpg
on your system.
- run
gpg --gen-key
, next steps will assume that you putcloudfoudry
as real name. (Do not forget to remember your passphrase!) - go on your terraform folder config in command line
- run
gpg --export-secret-key -a cloudfoudry > private.key
- inside provider configuration put those two key/value pairs (you can also copy content of
private.key
andexport CF_ENC_PRIVATE_KEY=content_of_private.key && export CF_ENC_PASSPHRASE=your_passphrase_that_you_remembered:)
):
provider "cloudfoundry" {
enc_private_key = "${file("private.key")}"
enc_passphrase = "your_passphrase_that_you_remembered:)"
}
- create the public key with
gpg --export -a cloudfoudry > public.key
- Share the public key to the rest of your team to let them encrypt password with it (see Encrypt password)
- you're done
- Get the public key previously created (
public.key
) - Import the key with
gpg --import public.key
- generate the encrypted password with commands
echo "mypassword" | gpg --encrypt --armor -r cloudfoudry > encrypted_pass.key
- Retrieve it from your resource, e.g.:
resource "cloudfoundry_service_broker" "service_broker_mysuperbroker" {
name = "mysuperbroker"
url = "http://url.of.my.service.broker.com"
username = "user"
password = "${file("encrypted_pass.key")}"
service_access {
service = "service_name_from_service_broker_catalog"
}
}
- you're done