Terraform

Terraform provides an effective way to organize your infrastructure as code. Our Terraform provider allows you to access secrets managed by Manifold, so you can configure your services without hard-coding secrets and configuration variables into your Terraform config files.

Provider Install

To start, we install the terraform-provider-manifold provider:

  1. Download the latest release from https://releases.manifold.co/terraform-provider-manifold
  2. Un-tar the plugin to the plugins directory for Terraform (usually $HOME/.terraform.d/plugins)

tar xvzf terraform-provider-manifold_VERSION_OS_ARCH.tar.gz
mkdir -p "$HOME/.terraform.d/plugins"
mv ./terraform-provider-manifold "$HOME/.terraform.d/plugins"

Once the plugin has been installed to $HOME/.terraform.d/plugins, you are ready to begin.

Configuration

There are three configuration steps to create a secure connection to Manifold.

1. Create an API key

An API key is required for your user or team, so that we can securely look up and decrypt credentials in Terraform. API keys are currently created through the Manifold CLI. For the Terraform Provider you must grant read-credentials access to the token.

To get started with API tokens refer to the authentication documentation.

2. Provide an API Key

There are two ways to authenticate the provider.

Using an environment variable:

export MANIFOLD_API_TOKEN=abcdefghijklmnopqrstuvwxyz

Or using the api_token key in the manifold provider:

provider "manifold" {
  api_token = "TOKEN"
}

3. Team Access

Manifold enables you to organize your resources inside teams, or inside your personal account. This allows you to organize your own and your team’s resources in a way that provides access to those who need it.

If you are working with resources in a team, you should specify it as the team argument on the manifold provider, or as the team argument on the data sources or resources that have that argument.

There are two ways to supply a Team to use for the Terraform Provider: using the MANIFOLD_TEAM environment variable, or by using the team key on the manifold provider:

provider "manifold" {
  team = "TEAM_LABEL"
}
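
A check for step 2 above, as an added example that is not part of Manifold's documentation or provider: this Python function scans Terraform configuration text and reports the lines where a manifold provider block sets api_token to a quoted literal rather than an interpolated reference. The variable name var.manifold_api_token, the alias values and the sample configuration are constructed for illustration, and the scan assumes one argument per line.

```python
import re

# Added example, not part of the Manifold provider. Assumes one argument per line.
PROVIDER_RE = re.compile(r'^\s*provider\s+"manifold"\s*\{')
TOKEN_RE = re.compile(r'^\s*api_token\s*=\s*(.+)$')
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')

def _skeleton(line):
    """Drop string contents, then comments, so only structural braces remain."""
    return re.sub(r'(#|//).*$', '', STRING_RE.sub('""', line))

def hardcoded_token_lines(tf_text):
    """Line numbers where a manifold provider block sets api_token to a quoted literal."""
    findings, depth, in_manifold = [], 0, False
    for number, line in enumerate(tf_text.splitlines(), start=1):
        if depth == 0 and PROVIDER_RE.match(line):
            in_manifold = True
        elif in_manifold and depth == 1:
            assignment = TOKEN_RE.match(line)
            literal = assignment and STRING_RE.match(assignment.group(1))
            if literal and "${" not in literal.group(0):
                findings.append(number)  # report the line only, never the value
        skeleton = _skeleton(line)
        depth += skeleton.count("{") - skeleton.count("}")
        if depth == 0:
            in_manifold = False
    return findings

# Constructed sample configuration (Terraform 0.11-style interpolation, as on this page).
SAMPLE_TF = '''
provider "manifold" {
  team      = "terraform-getting-started"
  api_token = "abcdefghijklmnopqrstuvwxyz"  # literal secret in the config file
}

provider "manifold" {
  alias     = "from_variable"
  api_token = "${var.manifold_api_token}"
}

provider "manifold" {
  alias = "from_environment"  # token comes from MANIFOLD_API_TOKEN
}

resource "manifold_credential" "url" {
  value = "postgres://user:password@localhost/{db}"  # braces and // inside a string
}
'''
```

Run over the sample, only the first provider block is reported; the function returns line numbers rather than values so the token is not echoed into CI logs.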

Data Sources

Data sources provide a convenient way to look up information in Manifold. The following data sources exist.

manifold_credential

The manifold_credential data source is used to fetch a credential from a resource’s credential set.

Example:

data "manifold_credential" "my_credential" {
  project = "terraform"
  resource = "resource"
  key = "credential"
}

Argument Reference

  • project Label of your target project
  • resource Label of your target resource
  • key A key to fetch from the resource’s credentials
  • default A default value for the specified key if not set

Attribute Reference

  • resource Label of your target resource
  • project Label of the project your resource belongs to
  • value The value of the credential

manifold_project

The manifold_project data source is used to fetch credentials for a project, or a set of resources within a project.

Example

data "manifold_project" "my-project" {
  project = "project-label"

  resource {
    resource = "resource-label"

    credential {
      name = "database"
      key = "DATABASE_URL"
      value = "postgres://user:password@localhost/database"
    }
  }
}

Argument Reference

  • project Label of your target project
  • resource Label of your target resource
  • credentials
    • name An alias for your credential (defaults to the value of key)
    • key Name of the credential to fetch
    • value Default value to use for the credential if not set

Attribute Reference

  • project Label of the project the credential resides in
  • credentials A map of credentials for the project’s resources

manifold_resource

The manifold_resource data source can be used to fetch a resource’s credentials.

Example

data "manifold_resource" "my_resource" {
  resource = "my-resource"
  project = "my-project"
}

Argument Reference

  • resource Label of your target resource
  • project Label of the project your resource belongs to
  • credential Credential map
    • name Alias for your credential
    • key Key of the credential to fetch
    • default Default value if the credential is not found

Attribute Reference

  • resource Resource label the credential is for
  • credentials Credential map

Resources

The following resources exist in the provider to manage aspects of your Manifold account.

manifold_credential

manifold_credential can be used to set credential values in Manifold for a service. The credential can then be used with the manifold_credential data source.

Example

resource "manifold_credential" "my_credential" {
  resource = "my-resource-label"
  project = "my-project-label"
  key = "my-credential-key"
  value = "my-credential-value"
}

Argument Reference

  • resource The label of the resource to add the credential to
  • project The label of the project that contains the resource to add the credential to
  • key The name of the credential to set
  • value The value of the credential to set

Attribute Reference

  • resource Label of the resource which has been created/updated
  • project Label of the project your resource belongs to
  • key The name of the credential
  • value The value of the credential

manifold_token

The manifold_token resource can be used to manage API tokens in Manifold.

Example

resource "manifold_token" "my_token" {
  role = "read"
  team = "my-team-label"
  self = false
  description = "read token for accessing team my-team-label"
}

Argument Reference

  • role Role to create the token as (read, read-credentials, write, admin)
  • team Team to create the API token for
  • self Boolean indicating if the token created should be for a personal account
  • description A description of the token

Attribute Reference

  • role Role of the token (read, read-credentials, write, admin)
  • team Name of the team the API key has access to
  • self Boolean indicating if this token is for a personal account
  • description A description of the token
  • token Value of the API token

Example Infrastructure

The following example shows how to use the Manifold provider to create an S3 bucket. In this example, the bucket name is stored as a credential value in Manifold. This example shows how to configure another provider (Datadog) using credentials stored in a Manifold custom resource. The user or system executing Terraform then only needs access to a single credential: the Manifold API token.

provider "manifold" {
  team = "terraform-getting-started"
}

data "manifold_resource" "datadog" {
  resource = "my-datadog-custom-resource"
}

# Configure the datadog provider with credentials stored in manifold
provider "datadog" {
  api_key = "${data.manifold_resource.datadog.credentials["API_KEY"]}"
  app_key = "${data.manifold_resource.datadog.credentials["APP_KEY"]}"
}

# Schedule stage for downtime on the weekends. No need to alert anyone!
resource "datadog_downtime" "give_stage_the_weekend_off" {
  scope = ["environment:stage"]

  start = 1533956400
  end   = 1534042800

  recurrence {
    type      = "weeks"
    period    = 1
    week_days = ["Sat", "Sun"]
  }
}