Improve outline for tfstate files #1611
Comments
Hi @orgads, Specifically I am curious on why and how often do you open I can understand why as a user you may end up editing Accessing a
The last possibility is just about the only good reason to be accessing the Finally, the All that said, it is entirely possible I missed a use case, so do let us know if that's the case. Either way - before we jump to solutions, I think we should outline the problem well, so we know we are actually solving it. |
Hi. I use azure backend for the state files, but I often pull them for inspection. When someone calls me to ask "what's the connection string to the database", I open the tfstate file and search for "connection_string" to find it. This is easier for me than remembering the full object name. This feature is nice-to-have from my point of view, I totally understand if you consider it not worth the effort. |
Thanks for sharing the use case. That is helpful! Is there a reason you prefer to pull the whole state file and read through the whole JSON, instead of calling Especially when it comes to something as sensitive as connection string, the command-based approach I outlined above reduces some risk. Assuming you store the state file remotely, it is only downloaded into memory and then printed to your terminal as part of running those commands, rather than stored as whole on your disk until/unless you remember to remove it. Assuming you also enable encryption at rest, then the encryption becomes less relevant if you regularly download the whole state file and leave it on disk, which may or may not be encrypted. It is also basically a definition of secret sprawl.
At this point I'm not trying to assess the amount of effort but the amount of value it would add and for whom - which is why I'm asking these questions. 😉 |
Just to take your use case more literally (and reflect on hard-to-remember resource names), you could run I'm assuming here also that the terminal scrollback/history gets eventually automatically deleted, unlike state files you download, so not only you never store things you don't care about (the rest of the state file) but the one sensitive thing you do download gets deleted, so the exposure is more minimal. |
I see your point about secret sprawl, and I agree. I mostly use it for dev environments. Drawbacks of terraform show:
For example,
|
Thanks again for further explaining the issues with the approach, I see how that can be annoying! I would still hope that we (more collectively meaning HashiCorp/Terraform here, not just our team behind the extension) can come up with a solution which does not involve downloading the whole file to disk. Perhaps a On the slowness/performance note, I'm assuming the majority of time is spent downloading the file, which seems inevitable with the current model of the state being represented as a single file. Either way, I'll leave this issue open and see if there's more interest (expressed via upvotes) or more ideas. I'll also pass the feedback from your last comment to the product team as food for thought. |
Thank you very much! |
I ran a test with TF_LOG=trace, and actually downloading the file takes less than a second. Here is the redacted trace: https://gist.github.com/orgads/bbafbc2c637e17582ea6dc1b4ef88f38 Notable timings:
Why are all the providers initialized? |
After sharing this with the wider product team, another relevant suggestion also emerged, which is that if you expect those connection strings to be consumable/important, then these should be declared as outputs. For example, you can declare:
    output "az_storage_connection_string" {
      value = module.aks-deploy.kubernetes_secret.az_storage_connection_string
    }
You can declare as many outputs as you want and the problem of "not knowing the exact name" is also solved by Yet another benefit of this approach is that this allows you to employ more fine-grained RBAC model with
See https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/permissions for more |
Thank you very much. I'll add the frequently accessed values as outputs. I wasn't aware of |
Extension Version
v2.28.2
Problem Statement
tfstate file is opened as JSON, which is correct.
But when I navigate through it, the outline (the line above the editor) shows generic JSON location. For example,
[] resources > {} 138 > [] instances > {} 0 > {} attributes
Expected User Experience
It would be nice if the outline could show the terraform notation instead or in addition (copyable if possible). In this case,
module.my_mod.random_password.example[0]
Proposal
Maybe something like https://github.com/ChaunceyKiwi/json-tree-view can be done to address this.
References
No response
Help Wanted
Community Note
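Added example, not part of the original issue thread and not code from the extension: a small Python filter that turns the JSON location of an attribute into the Terraform address requested above and searches attribute names such as "connection_string", reading the state from standard input (for instance piped from `terraform state pull`) so no copy of the state file is written to disk. It assumes the state format version 4 layout (`resources`, `instances`, `index_key`, `attributes`); the script name `tfstate_find.py`, the function names and the sample state are made up for illustration.

```python
import json
import sys

# Constructed sample in state format version 4; every value is made up.
SAMPLE_STATE = {"version": 4, "resources": [
    {"module": "module.my_mod", "mode": "managed", "type": "random_password",
     "name": "example", "instances": [
         {"index_key": 0, "attributes": {"length": 16, "result": "made-up"}}]},
    {"mode": "managed", "type": "azurerm_storage_account", "name": "main",
     "instances": [{"attributes": {"primary_connection_string": "made-up"}}]},
]}

def address(resource, instance):
    """Terraform address of one instance, e.g. module.m.type.name[0]."""
    parts = [resource["module"]] if resource.get("module") else []
    parts += ["data"] if resource.get("mode") == "data" else []
    addr = ".".join(parts + [resource["type"], resource["name"]])
    if "index_key" in instance:  # count gives [0], for_each gives ["key"]
        addr += "[" + json.dumps(instance["index_key"]) + "]"
    return addr

def walk(value, path=""):
    """Yield (attribute_path, leaf_value) for every leaf below value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path, value

def find_attributes(state, needle, reveal=False):
    """List (address, attribute_path, value) where the path contains needle."""
    hits = []
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            for path, value in walk(inst.get("attributes") or {}):
                if needle in path:
                    shown = value if reveal else "(hidden)"
                    hits.append((address(res, inst), path, shown))
    return hits

if __name__ == "__main__":
    # terraform state pull | python3 tfstate_find.py connection_string [--reveal]
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    state = json.loads(raw) if raw.strip() else SAMPLE_STATE  # sample if no input
    needle = next((a for a in sys.argv[1:] if not a.startswith("--")), "connection_string")
    for addr, path, shown in find_attributes(state, needle, "--reveal" in sys.argv):
        print(f"{addr}  {path} = {shown}")
```

Values stay hidden unless `--reveal` is passed, so a search for the resource name leaves only the address and attribute path in terminal scrollback.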