LTF currently finds *.tfvars and *.tfvars.json in the directory tree and updates the environment variables TF_CLI_ARGS_plan and apply to contain -var-file=$name for each file.

I am wondering if it would be better to do this:

• for each directory up to and including the configuration directory:
  • parse any *.tfvars and *.tfvar.json files
  • also parse *.tf and *.tf.json files for variable defaults
  • for each parsed variable:
    • export TF_VAR_$name=$value

It should also handle CLI args (-var and -var-file) and environment variables like TF_CLI_ARGS and TF_CLI_ARGS_plan etc.

This would allow the hooks to easily read any of the variables, and also to alter variables before Terraform runs. It might also make it easier to create additional wrapper tools that don't need to understand the CLI args and can just check TF_VAR_name values.

One ugly part about this idea is related to variable precedence. If all of the variables are sent using environment variables, then any tfvars files in the configuration directory will take precedence. Perhaps LTF could know which variables are affected by this and raise an error (read all variables from files in the config dir and CLI args, and raise an error if any TF_VAR_name environment values don't match).

It currently only looks in the current directory. It should look at parent directories, stopping at and including the configuration directory.

Update example and the tree in the docs accordingly.

Proposed idea

Feature:

• Dynamic backends:
  • Allow use of variables in backend configuration blocks.

LTF solves the issue of Terraform not supporting input variables in the backend configuration block. Note that LTF only adds support for input variables. It does not support accessing local values, nor data sources.

When LTF runs, it does the following:

• Reads the backend block from the Terraform configuration.
• Renders the backend block using HCL using Terraform variables.
• Passes each line from the rendered backend block to Terraform using the -backend-config= command line argument, which takes precedence over the values in the file.

Work required

• Parse configuration
• Load tfvars like Terraform does (parse files, understand CLI arguments involving variables, understand environment variables like TF_CLI_ARGS_plan=-var-file and TF_VAR_name=value)
• Render HCL
• Pass -backend-config args.

This seems feasible because it's written in Go and we have access to the Terraform source code. It's also feasible in Python, Pretf does all of this. It might be difficult in other languages.

Now that LTF understands variables (#19) it might be easy to support variables in tfbackend files. This would reduce the number of files needed in a project.

When running ltf version it should print the LTF version before it runs terraform version. It should automatically use the current git tag, so probably needs to do something in the github action.

It currently matches on terraform and terraform $subcommand.

Could use regular expressions, but -chdir and other arguments (which can be in any order) makes this awkward. So some more custom matching seems better.

Ideas:

# always
terraform

# any subcommand
terraform *

# no subcommand
terraform !

# subcommands
terraform !init|plan|apply # all except for init, plan and apply
terraform plan|apply

# flags
terraform -target
terraform !-target

Needs more thought and refinement.

Use cases:

1. Before plan and apply, run SOPS to get decrypted YAML, base64 encode it, turn the output into a TF_VAR_secrets environment variable, and then include that in the environment when Terraform runs. BUT: can't this be done with a module that uses a data source to run SOPS?
2. Post to Slack when someone is running Terraform

Some ideas for implementation:

1. Search parent dirs for ltf.yaml which allows running commands at certain points such as before-terraform, before-apply, after-apply, after-terraform. It would need flags for exporting environment variables, whether it should run even after Terraform errors, etc.
2. Search parent dirs for ltf.yaml which allows specifying a hook script which receives command line arguments containing the hook event details.
3. Embed a language like Starlark or Lua. Search parent dirs for ltf.bzl or ltf.starlark (what file extension is it?) or ltf.lua and call that.

Possible hooks:

1. When LTF starts (but what's the use case for this?)
2. Before and after each of Terraform's 22 commands, or any command, or no command.

Other ideas for ltf.yaml besides hooks:

1. Logging/verbosity level.

If there are any YAML settings, it's preferable for them to also be settable with environment variables (e.g. LTF_HOOK_COMMAND or LTF_BEFORE_PLAN).

• Add GitHub actions to build and release binaries
  • Can probably copy what I did in remake
• Update README with installation instructions
• Try out https://github.com/marwanhawari/stew and maybe add instructions
• Try out https://github.com/marcosnils/bin and maybe add instructions
• Maybe create asdf plugin and add instructions

Possible instructions:

LTF is released as a single binary. Download and add it to your PATH. Make it executable if needed.

There are many different ways to deal with secrets. Different cloud providers have different services, and they can't all be supported directly.

SOPS is a pretty good option, but it might be best to run it with hooks, or with a data source that runs SOPS, or with the SOPS Terraform Provider. It probably shouldn't be supported/included directly in LTF. Just having examples might be enough.

It could be interesting to build a CLI/TUI program for managing KMS secrets directly in Terraform code (in tfvars or tf files) and then access them via aws_kms_secrets data source. This could be a separate program, then you'd create a hook to run it.

Inspiration:

• SOPS
• Tomb

Ideas for later or never

• Creating backend resources.
  • Different backends have different methods for creation so this tool could only support some, if it supports any at all.
  • For S3/DynamoDB it might be better to create a separate tool or easy to use CloudFormation template that can be used to set up the Terraform project.
• Managing secrets
  • For SOPS, I'm not sure.
    • Consider adding a hooks system to run commands like SOPS and use the results as Terraform variables or environment variables.
    • Or have first-class support for running SOPS.
    • Or include the SOPS library and use it directly.
    • Or use the Terraform Provider
• Creating backend resources and managing secrets in AWS.
  • Create S3/DynamoDB/KMS resources with CloudFormation.
  • Create built-in CLI and TUI interfaces for managing KMS secrets that get committed to git.
    • Examples: SOPS and Tomb
  • Also consider the aws_kms_secrets data source.
• Remote modules, e.g. Terragrunt.
  • Probably will not implement because the project structure is too different.

This would allow hooks to create custom commands like ltf sops or ltf plan-all that don't just run Terraform.

Ideas:

• Hooks update the LTF_TERRAFORM_CMD environment variable, then LTF uses that.
  • This was suggested in #7
• Export some other special env var which LTF checks for and then stops.
  • Set LTF_EXIT=n to skip the Terraform command but still run remaining hooks.
  • Set LTF_EXIT_NOW=n to exit immediately after the current hook.

Worse ideas:

• An extra field in the YAML file (not flexible, you might want to do this only sometimes and use the script to figure out when).

Some ideas:

ltf_find

Finds a file in any of the relevant directories that LTF has found (dirs = all directories between cwd and chdir).

Use cases:

• Use ltf_find secrets.yaml to find the secrets file in the current directory, or a parent directory, and then run:
  • export TF_VAR_secrets=$(sops --decrypt $file | base64)

Some ideas:

LTF_TERRAFORM_CMD

The Terraform command that is going to run (or has run, if it's an after/failed hook).

Use cases:

• Post the command to Slack or some logging system.
• Alter it to run sops instead, when you run ltf sops. This would only work if LTF reads back these variables after running a hook script and then updates the command accordingly.

LTF_TERRAFORM_DIR

Where Terraform will be running, AKA the chdir directory or cwd if there is none.

Use cases:

• Read/write files in this directory (but why).
• Write variables to this directory and delete afterwards (probably should use env vars instead).

LTF_YAML_DIR

Where ltf.yaml lives, probably the top level of the repo/project.

Use cases:

• Use scripts or other files in this directory (e.g. a hooks directory in the top level of the project, next to the YAML file).