terraform-provider-system
Host-level configuration management via terraform. Like ansible, but driven by Terraform.
Resources / Data Sources
File
Manages text contents of a file (no binary)
TODO:
- base64 binary contents
- line in file present/absent
- file absent
- Provide a local path to upload a very large or binary file (>maxiosize)
Directory
Present, absent, data source lists contents
Package
Manage installed packages. Apt-get, Apk, Yum, or Brew only.
TODO:
- Language-specific package managers such as
pip,uv.
Command
Run a command and retrieve results. Does not run again (memorized by state).
Service
Manage service stats (running, stopped, restarted, enabled, disabled). Systemd on linux only.
User
Create user accounts. Linux only.
Group
Create user groups. Linux only.
SysInfo
Provides information about the system, such as:
- OS flavor
- users
- groups
TODO:
- hostname
- primary ip
- disks
Planned Resources / Data Sources
- Cronjob
- Application-specific package managers
- Pip (actual pip)
- Pip (via uv)
Other Trivia
On setting permissions/owner/group to null
Linux/unix systems automatically set ownership/group to the acting user creating the file. Umask controls the permissions of newly created files. These behaviors are favored over this provider having some default for either.
Why int64 for uid/gid?
Possible values in the field dictate it:
- Modern linux allows for up to UINT32_MAX
- Some OSes use negative values for Uid/Gid. For example, macOs and HP-UX use negative user/group IDs.
- Therefore, a signed value is needed and 32 bits is not enough
- Terraform provides int64, a perfect match
- TODO ensure this is used consistently throughout the provider
Using privilege escalation
The provider can escalate privileges, using sudo, with some limitations:
- Sudo binary must be present
- Sudoing must be passwordless
- File operations:
- Supported in SSH mode only, not local
- In SSH mode, the target server must use a standalone sftp server - not
internal-sftp
- Run command: not supported
- Package management: supported
- Service management: supported
- Also applies to commands ran by the cmd resource and datasource
TODO list
- With system_service, enabling a service that does not exist succeeds but should fail
- Look into ssh max sessions - what happens when we hit the cap? Do we need to self limit? Provider setting for limit?
- Change file resource so that:
- Contents attribute is optional, and leaving it out just touches the file
- Or, other options such as line-in-file, similar to ansible, can be used
- Fix inconsistent handling of unknown users/groups - some places raise an error, others leave it blank
- Pkg data source variant that lists packages available to be installed?
- Add output to system info resource that surfaces information such as OS codename on ubuntu, "focal", which would be useful when adding repos
- In system_pkg, a way to assert version ranges of the installed package. This won't select specific versions, but will raise an error if the installed version falls outside the range. This is for situations where an old version is available in default repos, and your third-party repo provides a newer version, and you want to assert that the newer version was installed, without specifying the exact version to install.
- Remove
nameattribute from resources that dont use it, such as system_cmd - Test upgrading with system_pkg (change package version)
- Option to restart on config update for system_service resource
- SysInfo
- primary IPs
- disks/mounts
- expose shell escape function for use in hcl
- updating a stopped service's config returns an error (but completes successfully)
- setting uid & gid on a dir previously created with them unset causes an error
- need a recursive option when deleting directories
- Line mode in file resource needs a lock keyed by the path so concurrent edits to the same file don't stomp eachother
- File resource should allow not specifying contents or line, in which case it touches / chmods / chowns only
- Data resource for formatting Systemd units - would mimic the tftpl I'm using elsewhere