Background

Configuration for a Terraform backend often contains credentials. The Terraform integration should leverage AAP's builtin credentials functionality to allow for easy reuse of backend configs in a secure manner. Create a new Terraform credentials plugin type for AAP.

The credential type should allow an administrator to add a terraform backend config as hcl. The temporary file should be injected into the playbook runtime so that it can be used with the backend_config_files parameter in the cloud.terraform module.

It should also be possible to combine this with existing credential types like AWS. In this way, an administrator could create a terraform credential that contains information like the region, s3 bucket name and dynamodb table name, and then create an AWS credential that contains the access key, secret key and session token. A job template can use both of these to fully configure terraform to access an s3 backend.

An example of the kind of functionality we are looking for here is outlined in https://www.ansible.com/blog/monitoring-red-hat-ansible-automation-platform-on-red-hat-openshift-the-easy-way, except that a custom terraform credential type should already exist.

Definition of Done

• A Terraform credential type exists in AWX (https://github.com/gravesm/awx)
• A brief demo has been recorded showing the use of this new credential type, along with the use of the AWS credential type, to manage an AWS resource with cloud.terraform.