Skip to main content
Version: 0.23.0

Output Data

Output data is data produced by Terraform as a result of running a configuration. Output data can include values such as resource IDs, IP addresses, and other information about the resources that have been created.

With TF-controller, you can use the .spec.writeOutputsToSecret field to write the outputs created by Terraform to a secret. A secret is a Kubernetes resource that stores sensitive data, such as passwords, API keys, and other confidential information.

Write all outputs

To write all outputs created by Terraform to a secret using TF-controller, you will need to create a Terraform object and specify the .spec.writeOutputsToSecret.name field.

Here is an example of a Terraform object that writes all outputs to a secret named "helloworld-output":

apiVersion: infra.contrib.fluxcd.io/v1alpha1
kind: Terraform
metadata:
  name: helloworld
  namespace: flux-system
spec:
  approvePlan: auto
  interval: 1m
  path: ./
  sourceRef:
    kind: GitRepository
    name: helloworld
    namespace: flux-system
  writeOutputsToSecret:
    name: helloworld-output

In this example, the .spec.writeOutputsToSecret.name field is set to "helloworld-output", which specifies the name of the secret that the outputs will be written to. By default, the controller will write all outputs to the secret.

To use this Terraform object, you will also need to create a GitRepository object to specify the location of the Terraform configuration files. In this example, the GitRepository object has the name "helloworld" and is located in the "flux-system" namespace.

Once the Terraform and GitRepository objects are created, the controller will automatically write all outputs created by Terraform to the specified secret. This can be useful in situations where you want to store the outputs in a secure location or use them in other parts of your infrastructure.

Selectively Writing Outputs

In addition to writing all outputs created by Terraform to a secret, you can also choose to write only a subset of outputs by specifying the output names you want to write in the .spec.writeOutputsToSecret.outputs array.

To do this, you will need to create a Terraform object and specify the .spec.writeOutputsToSecret.name and .spec.writeOutputsToSecret.outputs fields.

Here is an example of a Terraform object that writes only the outputs with the names "hello_world" and "my_sensitive_data" to a secret named "helloworld-output":

apiVersion: infra.contrib.fluxcd.io/v1alpha1
kind: Terraform
metadata:
  name: helloworld
  namespace: flux-system
spec:
  approvePlan: auto
  interval: 1m
  path: ./
  sourceRef:
    kind: GitRepository
    name: helloworld
    namespace: flux-system
  writeOutputsToSecret:
    name: helloworld-output
    outputs:
    - hello_world
    - my_sensitive_data

In this example, the .spec.writeOutputsToSecret.name field is set to "helloworld-output", which specifies the name of the secret that the outputs will be written to. The .spec.writeOutputsToSecret.outputs field is an array containing the names of the outputs to be written to the secret.

Renaming outputs

Sometimes you may want to rename an output in order to use it with other components in your GitOps pipeline. For example, you may have a key in a secret manager that must be named a certain way in order to be used by other controllers.

TF-controller provides support for renaming outputs by using the old_name:new_name format in the .spec.writeOutputsToSecret.outputs field.

To rename an output with TF-controller, you will need to create a Terraform object and specify the .spec.writeOutputsToSecret.name and .spec.writeOutputsToSecret.outputs fields.

Here is an example of a Terraform object that renames the "age_key" output to "age.agekey" and writes it to a secret named "helloworld-output":

apiVersion: infra.contrib.fluxcd.io/v1alpha1
kind: Terraform
metadata:
  name: helloworld
  namespace: flux-system
spec:
  approvePlan: auto
  interval: 1m
  path: ./
  sourceRef:
    kind: GitRepository
    name: helloworld
    namespace: flux-system
  writeOutputsToSecret:
    name: helloworld-output
    outputs:
    - age_key:age.agekey

In this example, the name field is still set to "helloworld-output", but the outputs field now contains the old_name:new_name mapping, which renames the "age_key" output to "age.agekey" as it is written to the secret.