Terraform Output from null_resource and AWS CLI

• Introduction
• Step-by-Step Guide
• Code Example
• Example 2: Capturing Output and Using in Another Resource
• Example 3: Interacting with an API (Hypothetical)
• Additional Notes
• Summary
• Conclusion
• References

The local-exec provisioner in Terraform allows you to execute scripts or commands on your local machine during Terraform operations. This is particularly helpful for tasks that are not directly supported by Terraform providers, such as interacting with APIs that lack a dedicated provider. Let's explore how it works: First, you define a null_resource. Since local-exec doesn't manage an external resource, null_resource serves as a placeholder. Next, you add the local-exec provisioner within the null_resource block, specifying the command or script to be executed using the command argument. To utilize the output of the command in your Terraform code, you can capture it using the triggers argument within null_resource. However, it's crucial to consider idempotency, ensuring that running the command multiple times produces the same result. Additionally, prioritize security by handling sensitive information cautiously and be mindful that Terraform doesn't track the state of local-exec commands. Let's illustrate this with an example: imagine you need to obtain an API key from a service without a Terraform provider. You can employ local-exec to call a script that retrieves the key, store it in a file, and then utilize the triggers block to read and make the key accessible to other resources.

The local-exec provisioner in Terraform lets you run scripts on your local machine during Terraform operations. It's useful for tasks that the provider doesn't directly support, like interacting with APIs that Terraform doesn't have a provider for.

Here's how it works:

1. Define a null_resource: The local-exec provisioner is meant to be used within a resource. Since you're not actually managing an external resource, null_resource is a common choice. It acts as a placeholder.

   resource "null_resource" "example" {
     # ...
   }

2. Add the local-exec provisioner: Inside the null_resource block, add a provisioner block with the type local-exec.

   resource "null_resource" "example" {
     provisioner "local-exec" {
       # ...
     }
   }

3. Specify the command: Within local-exec, use the command argument to define the command you want to execute. This can be a shell command, a script path, or anything your system can run.

   resource "null_resource" "example" {
     provisioner "local-exec" {
       command = "echo 'Hello from local-exec!'"
     }
   }

4. Capture output (optional): If you need to use the output of the command in your Terraform code, you can capture it using the triggers argument within null_resource.

   resource "null_resource" "example" {
     provisioner "local-exec" {
       command = "echo 'output-value'"
     }
   
     triggers = {
       output = local.timestamp
     }
   }
   
   output "captured_output" {
     value = null_resource.example.triggers.output
   }

   This example captures the output of the command (output-value) and makes it available as an output variable (captured_output).

Important Considerations:

• Idempotency: local-exec should ideally be idempotent, meaning running it multiple times has the same effect as running it once. If your command has side effects, ensure it handles repeated executions gracefully.
• Security: Be cautious about sensitive information in local-exec commands. Consider using environment variables or other secure mechanisms to pass secrets.
• State: Terraform doesn't track the state of local-exec commands. Changes in the command's behavior might not be reflected in Terraform's state.

Example: Getting an API Key

Let's say you need to fetch an API key from a service that doesn't have a Terraform provider. You can use local-exec to call a script that retrieves the key:

resource "null_resource" "get_api_key" {
  provisioner "local-exec" {
    command = "./get_api_key.sh"
  }

  triggers = {
    api_key = filebase64("./api_key.txt") 
  }
}

resource "some_resource" "example" {
  api_key = null_resource.get_api_key.triggers.api_key
}

This example assumes you have a script get_api_key.sh that fetches the key and saves it to api_key.txt. The triggers block reads the key from the file and makes it available to other resources.

The code provides examples of using the local-exec provisioner in Terraform. It shows how to print a message, capture command output for tagging resources, and interact with APIs to retrieve and utilize configuration files. The examples highlight using scripts, triggers, and security considerations when working with sensitive information.

This example demonstrates a basic local-exec usage to print a message.

resource "null_resource" "hello_world" {
  provisioner "local-exec" {
    command = "echo 'Hello from local-exec!'"
  }
}

This example fetches the current timestamp using a local command and uses it to set a tag on an AWS instance.

resource "null_resource" "get_timestamp" {
  provisioner "local-exec" {
    command = "date +%Y-%m-%d-%H-%M-%S"
  }

  triggers = {
    timestamp = local.timestamp
  }
}

resource "aws_instance" "example" {
  # ... other instance configurations ...

  tags = {
    CreationTime = null_resource.get_timestamp.triggers.timestamp
  }
}

This example simulates interacting with a hypothetical API to get a configuration file.

resource "null_resource" "get_config" {
  provisioner "local-exec" {
    command = "./get_config.sh ${var.api_endpoint} ${var.api_token}"
  }

  triggers = {
    config_content = filebase64("./config.json")
  }
}

resource "google_storage_bucket_object" "config_object" {
  bucket = "my-bucket"
  name   = "config.json"
  source = base64decode(null_resource.get_config.triggers.config_content)
}

Explanation:

• get_config.sh is a script that interacts with the API using provided endpoint and token.
• The script downloads the configuration to config.json.
• triggers block reads the content of config.json and makes it available.
• This content is then used to upload the configuration file to a Google Cloud Storage bucket.

Important:

• Replace placeholders like get_config.sh, API endpoints, and tokens with your actual values.
• Ensure your scripts handle errors and idempotency appropriately.
• Be mindful of security when using sensitive information in local-exec. Consider using environment variables or other secure methods.

Use Cases:

• Interacting with unsupported APIs: Ideal for services without a dedicated Terraform provider.
• Local Script Execution: Run scripts for pre/post-processing, data generation, or system configuration related to your infrastructure.
• Triggering External Tools: Integrate with CI/CD pipelines, notification systems, or other tools outside the direct scope of Terraform.

Best Practices:

• Idempotency is Key: Design scripts to handle multiple executions without unintended side effects. Use checks for existing states or flags to ensure consistent behavior.
• Error Handling: Implement robust error handling within your scripts to provide informative feedback and prevent Terraform runs from failing silently.
• Security Considerations:
  • Avoid Hardcoding Secrets: Use environment variables, secure configuration files, or vault integrations to manage sensitive data.
  • Principle of Least Privilege: Grant scripts only the necessary permissions on your local system.

Alternatives to Consider:

• Custom Providers: For more complex integrations or reusable logic, developing a custom Terraform provider offers a more robust and maintainable solution.
• Remote Execution Tools: If you need to run commands on remote servers consistently, tools like Ansible, Chef, or Puppet might be more appropriate.

Debugging:

• Verbose Output: Use the -verbose flag with Terraform commands to get more detailed logs about local-exec execution.
• Test Scripts Independently: Thoroughly test your scripts outside of Terraform to isolate issues and ensure they function as expected.

Limitations:

• Local Execution Only: local-exec runs on the machine running Terraform, not on remote resources.
• No State Management: Terraform doesn't track changes made by local-exec, so be mindful of potential drift between your infrastructure and Terraform's state.

In conclusion, the local-exec provisioner in Terraform is a valuable tool for bridging the gap between Terraform's core functionality and tasks that require local script execution or interaction with unsupported APIs. By using null_resource as a placeholder and carefully considering idempotency and security, you can leverage local-exec to extend Terraform's capabilities and automate a wider range of infrastructure management tasks. However, it's essential to be mindful of its limitations, such as local-only execution and lack of state management, and explore alternative solutions like custom providers or remote execution tools when appropriate. By understanding the strengths and weaknesses of local-exec, you can make informed decisions about when and how to use it effectively in your Terraform configurations.

• output of local-exec to variable ? : r/Terraform | Posted by u/Accomplished_Text_10 - 2 votes and 6 comments
• Getting terraform null_resource local-exec to run a powershell install ... | Nov 26, 2019 ... Terraform, getting output from null_resource, local-exec and the AWS CLI · 3 · How to execute PowerShell command through Terraform · 1.
• Getting output from null_resource, local-exec and the AWS CLI. | Hi,. I'm using Terraform to automate provision of Cognito Identity Pools in AWS. The AWS provider doesn't support Cognito yet so I ...
• Pass credentials to local-exec OR extract credentials via properties ... | Community Note Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request Please do not leave "+1" or "me too" comments, th...
• local-exec with providers. If you have worked with terraform for a ... | If you have worked with terraform for a while there is a high chance that you came across local-exec aka a provisioner. Mostly useful when…
• Entire local-exec command output suppressed with use of sensitive ... | Marking a variable as sensitive and referencing that variable in a local-exec provisioner command or in the environment block suppresses all lines of the command output. My use case (not shown in e...
• Provisioner: local-exec | Terraform | HashiCorp Developer | The local-exec provisioner invokes a local executable after a resource is created. This invokes a process on the machine running Terraform, not on the resource.
• null_resource trigger with interpolated value used as an output fails ... | I'm finally getting around to moving from 0.10.8 to 0.11+ but am having issues with outputting the value of a trigger that is interpolated from another resource. I have an aws_ecs_task_definition t...
• How to retrieve the null_resource returned value? - Terraform ... | Hi All, I have the below null_resource to retrieve the prometheus cluster IP: resource "null_resource" "get_prometheus_ip" { provisioner "local-exec" { command = "kubectl get svc prometheus-server -n monitoring | awk -F' ' '{print $3}' | tail -1" } } I want to use its returned result in another place: resource "helm_release" "prometheus-adapter" { name = "prometheus-adapter" chart = "${path.module}/helm/charts/stable/prometheus-adapter/" namespace = "default" // prometheus ...