Unlike most of the features, global environment variables are configured at the controller level rather than at the tf resource.

Global Environment Variable Configuration

To configure global envs, update the controller’s Deployment by adding any number of env vars with the following prefixes:

  • TFO_VAR_
  • TFO_SECRET_

The un-prefixed versions will be added to every task in every tf resource.

Example using helm (preferred)

Here an example, how you could provide the same AWS credentials to all executed terraform tasks.

controller:
  env:
  - name: TFO_SECRET_AWS_SECRET_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: aws-creds-dev
        key: AWS_SECRET_ACCESS_KEY
  - name: TFO_SECRET_AWS_ACCESS_KEY_ID
    valueFrom:
      secretKeyRef:
        name: aws-creds-dev
        key: AWS_ACCESS_KEY_ID

The helm chart also supports envFrom, so that you can just pull all values from a secret (or configmap). Notice it does NOT auto apply the prefix.

controller:
  envFrom:
  - secretRef:
      name: all-keys-from-this-secret

Example controller deployment using kubectl

apiVersion: apps/v1
kind: Deployment
metadata:
  name: "terraform-operator"
  # ... data omitted
spec:
  # ... data omitted
  template:
    # ... data omitted
    spec:
      containers:
      - name: "terraform-operator"
        # ... data omitted
        env:
        - name: TFO_SECRET_AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: aws-creds-dev
              key: AWS_SECRET_ACCESS_KEY
        - name: TFO_SECRET_AWS_ACCESS_KEY_ID
          value: NotReallyASecret
        envFrom:
        - secretRef:
            name: all-keys-from-this-secret

How it works

The environment variables prefixed with TFO_VAR_ and TFO_SECRET_ are stripped of the prefix and added to a ConfigMap or Secret. Environment variables then get injected into all the tasks via envFrom.

From the example above, tasks would get the environment variables: AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID.