Terraform Weekly - v0.13 beta, new k8s provider (#9)

It has been over a year since Terraform 0.12 was released and things are starting to line up for 0.13 to be released within the next few months. Once that date gets closer I will have some deep-dives on the new features coming out.

Meanwhile a major them is testing, both for correctness and security/compliance. There are a number of competing projects in this area which take a variety of approaches. A new one this week is TerraGoat, which is a learning environment for detecting security problems via infrastructure-as-code testing.

Beta versions of 0.13 are going to be released soon with the first expected on June 3rd. Subscribe to the issue to get release announcements.

The two major features I see planned for 0.13 are:

  1. Namespaced providers in the Terraform registry: currently only hashicorp maintained providers can be published to the registry. Soon others will also be able to publish their provider plugins there. See this blog post about what the configuration will look like.

  2. Module expansion: aka count/for_each for modules.

There is a ton of other stuff in the CHANGELOG, so check it out if you are curious.

Terraform has not been a great tool for managing resources in Kubernetes. When HashiCorp announced first-class support for Kubernetes (in 2018) I was excited at the prospect of having a better way of using the power of Terraform when working in k8s. At the time, I expected them to fill out support for k8s resources in the provider and fix known problems.

It seems instead they are taking a lower-level approach of exposing a raw manifest-level interface. This makes sense. Most are probably converting their yaml manifests to HCL anyway. Why not make that easier? And why require adding new terraform provider code for every kind of k8s resource? Just expose the raw API directly.

The provider is still alpha, so don't use it for anything real. but if this is an area you are interested in, at least read the docs.

TerraGoat is a new project which includes intentionally insecure Terraform code intended to be used for learning how to detect and secure infrastructure managed by code.

Has anyone had a try at working through it?

This is a nice walkthrough of connecting workspaces in TF[Cloud|Enterprise] (TFEC?) via run triggers.

A run trigger is used to connect two workspaces that share data, maybe via an output/terraform_remote_state. If B depends on A and you configure a run trigger, when A is applied successfully, a run will be queued for B.

I haven't used it but plan on trying it out once my team finishes our current TFE migration.

A free API that will give you a cost estimate based on a Terraform plan or state file. It is not stated explicitly, but it seem to support only AWS.

Notable releases

Two minor enhancements in this release–

  1. You can now use -target with remote backends if the remote supports it. The most popular ones, Terraform Enterprise and Cloud do not, yet. #24834

  2. There is now support for "unmanaged providers" which basically means you can start and run provider processes apart from Terraform. This is potentially very useful for debugging. #24674

Nothing major in the changelog for the language server, just some bug fixes and addition of signing and pushing the builds to releases.hashicorp.com.

helm.Rollback now supports rolling back to the previous version by passing in "" for revision. Also, this release fixes a bug for Helm v3 where the rollback command required specifying namespace.

One improvement to tfe_team which added support for organization-level permissions and visibility on teams. (#155)

Lots of stuff in this release, so it is hard to summarize. Just go read the release notes. :)


#762: Add terraform_comment_syntax rule (@bendrucker)


#745: Expose raw hcl.File objects to rules (@bendrucker) See also #741

#759: Ignore lang.ReferencesInExpr errors when walking all expressions (@bendrucker)

#763: Make rule config which is enabled with CLI non-nilable (@wata727)


postgresql_grant: Implement grant on database. (#123)

Support client/server SSL certificates. (#126)

Use SDK validations functions instead of custom ones. (#122)


Fix max_connections validation to allow 0 (unlimited). (#128)