The Control Plane Terraform Provider Plugin enables the scaffolding of any Control Plane object as code using HCL. It enables infrastructure as code with all the added benefits of the global virtual cloud (GVC). You can build your VPCs, subnets, databases, queues, caches, etc. and overlay them with multi-cloud/multi-region universal compute workloads that span regions and clouds. Nearly everything you can do using the Control Plane CLI, UI or API is available using Terraform.
Each header below (e.g., cpln_agent) corresponds to a resource within the Control Plane Terraform provider.
Authenticate using one of the following methods:
cpln login. After a successful login, the provider will use the default profile to authenticate. To use a different profile, set the profile variable when initializing the provider or set the CPLN_PROFILE environment variable.
token variable can be set when initializing the provider or by setting the CPLN_TOKEN environment variable.
token can be either:
cpln profile token PROFILE_NAME, or
Note: To perform automated tasks using Terraform, the preferred method is to use a Service Account and one of its keys as the token value.
CPLN_ORG environment variable.
CPLN_ENDPOINT environment variable.
CPLN_PROFILE environment variable.
CPLN_TOKEN environment variable.
Note: If the token value is empty, the Control Plane CLI (cpln) must be installed and the command cpln login must be used to authenticate.
```hcl
terraform {
  required_providers {
    cpln = {
      source  = "controlplane-com/cpln"
      version = "1.0.3"
    }
  }
}

provider "cpln" {
  # Required
  # Can use CPLN_ORG Environment Variable
  org = var.org

  # Optional
  # Default Value: https://api.cpln.io
  # Can use CPLN_ENDPOINT Environment Variable
  endpoint = var.endpoint

  # Optional
  # Can use CPLN_PROFILE Environment Variable
  profile = var.profile

  # Optional
  # Can use CPLN_TOKEN Environment Variable
  token = var.token
}
```
Supports the creation of an Agent. Multiple agents can be created for an Org.
Agents allow secure communication between workloads running on the Control Plane platform and TCP endpoints inside private networks such as VPCs.
The following attributes are exported:
Note: The user_data output value is only generated when the resource is created. Because of its sensitive nature, the user_data value will not be displayed.
To use the user_data output:
cpln_agent output can either be directed to a file using the command terraform output -json > ./cpln_agent.json, or,
Only the user_data value is required when configuring an agent, not the entire output.
Refer to this example in which one of the steps creates an Agent at AWS using the user_data output.
```hcl
resource "cpln_agent" "example" {
  name        = "agent-example"
  description = "Example Agent"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}
```
Cloud Accounts enable Control Plane identities (workload identities) to define least-privilege access rules so that workloads can seamlessly consume resources from one or multiple clouds. The cpln_cloud_account resource defines a cloud account of either AWS, Azure or GCP.
The configuration at the associated cloud provider must exist before using Terraform to manage a Cloud Account.
Refer to the Cloud Account Reference Page for additional details.
Required:
Required:
Required:
The following attributes are exported:
```hcl
# AWS Cloud Account
resource "cpln_cloud_account" "aws" {
  name        = "cloud-account-aws"
  description = "AWS cloud account"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  aws {
    role_arn = "arn:aws:iam::1234:role/test_role"
  }
}

# Azure Cloud Account
resource "cpln_cloud_account" "azure" {
  name        = "cloud-account-azure"
  description = "Azure cloud account "

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  azure {
    // Use full link
    secret_link = "/org/ORG_NAME/secret/AZURE_SECRET"
  }
}

# GCP Cloud Account
resource "cpln_cloud_account" "gcp" {
  name        = "cloud-account-gcp"
  description = "GCP cloud account"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  gcp {
    project_id = "cpln_gcp_project_1234"
  }
}
```
Manages an org's custom Domain.
The required DNS entries must exist before using Terraform to manage a Domain.
Refer to the Configure a Domain page for additional details.
During the creation of a domain, Control Plane will verify that the DNS entries exist. If they do not exist, the Terraform script will fail.
The following attributes are exported:
```hcl
resource "cpln_domain" "example" {
  name        = "app.example.com"
  description = "Custom domain that can be set on a GVC and used by associated workloads"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}
```
Manages an org's Groups.
Group membership can contain users, service accounts, and custom queries.
description (String) Description of Group.
tags (Map of String) Key-value map of resource tags.
service_accounts (List of String) List of service accounts that exist within the configured org. Group membership will fail if the service account does not exist within the org.
user_ids_and_emails (List of String) List of either the user ID or email address for a user that exists within the configured org. Group membership will fail if the user ID / email does not exist within the org.
member_query (Block List, Max: 1) (see below).
Optional:
links or items. Default: items.
Optional:
all, any, none. Default: all.
Terms can only contain one of the following attributes: property, tag.
Optional:
op (String) Type of query operation. Available values: =, >, >=, <, <=, !=, exists, !exists. Default: =.
property (String) Property to use for query evaluation.
tag (String) Tag key to use for query evaluation.
value (String) Testing value for query evaluation.
The following attributes are exported:
builtin or default.
```hcl
resource "cpln_service_account" "example" {
  name        = "service-account-example"
  description = "Service Account to be used as a member of a group"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}

resource "cpln_group" "example" {
  name        = "group-example"
  description = "group description ${var.random-name}"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  user_ids_and_emails = ["valid_user@example.com"]
  service_accounts    = [cpln_service_account.example.name]

  member_query {
    fetch = "items"

    spec {
      match = "all"

      terms {
        op    = "="
        tag   = "firebase/sign_in_provider"
        value = "microsoft.com"
      }
    }
  }
}
```
Manages an org's Global Virtual Cloud (GVC).
The following attributes are exported:
```hcl
resource "cpln_secret" "docker" {
  name        = "docker-secret"
  description = "docker secret"

  tags = {
    terraform_generated = "true"
    acceptance_test     = "true"
    secret_type         = "docker"
  }

  docker = "{\"auths\":{\"your-registry-server\":{\"username\":\"your-name\",\"password\":\"your-pword\",\"email\":\"your-email\",\"auth\":\"<Secret>\"}}}"
}

resource "cpln_gvc" "example" {
  name        = "gvc-example"
  description = "Example GVC"

  # Example Locations: `aws-eu-central-1`, `aws-us-west-2`, `azure-east2`, `gcp-us-east1`
  locations = ["aws-eu-central-1", "aws-us-west-2"]

  # domain = "app.example.com"

  pull_secrets = [cpln_secret.docker.name]

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}
```
Manages a GVC's Identities.
description (String) Description of the Identity.
tags (Map of String) Key-value map of resource tags.
aws_access_policy (Block List, Max: 1) (see below).
azure_access_policy (Block List, Max: 1) (see below).
gcp_access_policy (Block List, Max: 1) (see below).
network_resource (Block List) (see below).
Required:
Optional:
Note: AWS Identity can either contain an existing role_name or multiple policy_refs.
Optional:
Optional:
Note: The GCP access policy can either contain an existing service_account or multiple bindings.
cloud_account_link (String) Full link to referenced Cloud Account.
scopes (String) Comma delimited list of GCP scope URLs.
service_account (String) Name of existing GCP service account.
binding (Block List) (see below).
Optional:
A network resource can be configured with:
Required:
Optional:
fqdn (String) Fully qualified domain name.
resolver_ip (String) Resolver IP.
ips (Set of String) List of IP addresses.
ports (Set of Number) Ports to expose.
The following attributes are exported:
```hcl
resource "cpln_gvc" "example" {
  name        = "gvc-example"
  description = "Example GVC"
  locations   = ["aws-us-west-2"]

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}

resource "cpln_agent" "example" {
  name        = "agent-example"
  description = "Example Agent"
}

resource "cpln_cloud_account" "example_aws" {
  name        = "aws-example"
  description = "Example AWS Cloud Account"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  aws {
    role_arn = "arn:aws:iam::1234:role/example_role"
  }
}

resource "cpln_cloud_account" "example_azure" {
  name        = "azure-example"
  description = "Example Azure Cloud Account"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  azure {
    // Use the full link to the Azure secret
    secret_link = "/org/ORG_NAME/secret/AZURE_SECRET"
  }
}

# Resource label uses an underscore so it matches the reference in gcp_access_policy below
resource "cpln_cloud_account" "example_gcp" {
  name        = "gcp-example"
  description = "Example GCP Cloud Account"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  gcp {
    project_id = "cpln_gcp_project_1234"
  }
}

resource "cpln_identity" "example" {
  gvc         = cpln_gvc.example.name
  name        = "identity-example"
  description = "Example Identity"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  # Network Resource with FQDN
  network_resource {
    name       = "test-network-resource-fqdn"
    agent_link = cpln_agent.example.self_link
    fqdn       = "domain.example.com"
    ports      = [1234, 5432]
  }

  # Network Resource with FQDN and Resolver IP
  network_resource {
    name        = "test-network-resource-fqdn-rip"
    agent_link  = cpln_agent.example.self_link
    fqdn        = "domain2.example.com"
    resolver_ip = "192.168.1.1"
    ports       = [12345, 54321]
  }

  # Network Resource with IP
  network_resource {
    name       = "test-network-resource-ip"
    agent_link = cpln_agent.example.self_link
    ips        = ["192.168.1.1", "192.168.1.250"]
    ports      = [3099, 7890]
  }

  aws_access_policy {
    cloud_account_link = cpln_cloud_account.example_aws.self_link

    # The AWS access policy can either contain an existing role_name or multiple policy_refs
    // role_name = "rds-monitoring-role"
    policy_refs = ["aws::/job-function/SupportUser", "aws::AWSSupportAccess"]
  }

  azure_access_policy {
    cloud_account_link = cpln_cloud_account.example_azure.self_link

    role_assignment {
      scope = "/subscriptions/d0d1e522-0825-415a-8b07-f7759b5c8a7e/resourceGroups/CP-Test-Resource-Group"
      roles = ["AcrPull", "AcrPush"]
    }

    role_assignment {
      scope = "/subscriptions/d0d1e522-0825-415a-8b07-f7759b5c8a7e/resourceGroups/CP-Test-Resource-Group/providers/Microsoft.Storage/storageAccounts/cplntest"
      roles = ["Support Request Contributor"]
    }
  }

  gcp_access_policy {
    cloud_account_link = cpln_cloud_account.example_gcp.self_link
    scopes             = ["https://www.googleapis.com/auth/cloud-platform"]

    # The GCP access policy can either contain an existing service_account or multiple bindings
    // service_account = "cpln-tf@cpln-test.iam.gserviceaccount.com"

    binding {
      resource = "//cloudresourcemanager.googleapis.com/projects/cpln-test"
      roles    = ["roles/appengine.appViewer", "roles/actions.Viewer"]
    }

    binding {
      resource = "//iam.googleapis.com/projects/cpln-test/serviceAccounts/cpln-tf@cpln-test.iam.gserviceaccount.com"
      roles    = ["roles/editor", "roles/iam.serviceAccountUser"]
    }
  }
}
```
Manages an org's Policy.
description (String) Description of the Policy.
tags (Map of String) Key-value map of resource tags.
target_kind (String) The kind of resource to target (e.g., gvc, serviceaccount, etc.).
target (String) Set the value of this attribute to all if this policy should target all objects of the given target_kind. Otherwise, do not include the attribute.
target_links (List of String) List of the targets this policy will be applied to. Not used if target is set to all.
target_query (Block List, Max: 1) (see below).
binding (Block Set, Max: 50) (see below).
Optional:
group/GROUP_NAME, user/USER_EMAIL, gvc/GVC_NAME/identity/IDENTITY_NAME, serviceaccount/SERVICE_ACCOUNT_NAME.
Optional:
links or items. Default: items.
Optional:
all, any, none. Default: all.
Terms can only contain one of the following attributes: property, tag.
Optional:
op (String) Type of query operation. Available values: =, >, >=, <, <=, !=, exists, !exists. Default: =.
property (String) Property to use for query evaluation.
tag (String) Tag key to use for query evaluation.
value (String) Testing value for query evaluation.
The following attributes are exported:
builtin or default.
```hcl
resource "cpln_service_account" "example" {
  name        = "service-account-example"
  description = "Example Service Account"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}

resource "cpln_policy" "example" {
  name        = "policy-example"
  description = "Example Policy"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  target_kind = "serviceaccount"

  # Policy can either target `all` or specific target links
  // target = "all"
  target_links = [cpln_service_account.example.name]

  target_query {
    spec {
      # match is either "all", "any", or "none"
      match = "all"

      terms {
        op    = "="
        tag   = "firebase/sign_in_provider"
        value = "microsoft.com"
      }
    }
  }

  binding {
    # Available permissions are based on the target kind
    permissions = ["manage", "edit"]

    # Principal links format: `group/GROUP_NAME`, `user/USER_EMAIL`, `gvc/GVC_NAME/identity/IDENTITY_NAME`, `serviceaccount/SERVICE_ACCOUNT_NAME`
    principal_links = ["user/email@example.com", "group/viewers"]
  }
}
```
Manage an org's Secrets.
Use caution when using sensitive values within an HCL script. Best practices should be followed (i.e., do not hard code sensitive values).
Terraform state can contain sensitive data. Please review Terraform's recommendations on how to handle sensitive data.
Note: Only one of the secrets listed below can be included in a resource. Create resources for each additional secret.
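One way to follow the caution above about hard-coded values, shown as an added example that is not part of the provider documentation: secret values arrive through input variables marked sensitive (for instance via TF_VAR_db_password in the environment) and the provider token comes from CPLN_TOKEN. The variable and resource names are illustrative assumptions, and `sensitive = true` on variables assumes Terraform 0.14 or later.

```hcl
terraform {
  required_providers {
    cpln = {
      source  = "controlplane-com/cpln"
      version = "1.0.3"
    }
  }
}

# No token argument: the provider reads CPLN_TOKEN from the environment,
# so the service account key never appears in the configuration files.
provider "cpln" {
  org = var.org
}

variable "org" {
  type = string
}

# Illustrative variable names. Supply values at apply time, e.g.
# TF_VAR_db_username / TF_VAR_db_password / TF_VAR_api_token_b64,
# or from a CI secret store. Declaring no default forces a value to be provided.
variable "db_username" {
  type      = string
  sensitive = true
}

variable "db_password" {
  type      = string
  sensitive = true
}

variable "api_token_b64" {
  description = "Opaque payload, already base64-encoded"
  type        = string
  sensitive   = true
}

# One secret type per resource, as the note above requires.
resource "cpln_secret" "db_credentials" {
  name        = "db-credentials"
  description = "Database credentials supplied at apply time"

  tags = {
    terraform_generated = "true"
    secret_type         = "userpass"
  }

  userpass {
    username = var.db_username
    password = var.db_password
    encoding = "plain"
  }
}

resource "cpln_secret" "api_token" {
  name        = "api-token"
  description = "Opaque token supplied at apply time"

  tags = {
    terraform_generated = "true"
    secret_type         = "opaque"
  }

  opaque {
    # With base64 encoding the stored string is decoded at runtime
    # when the secret is read through the .payload property.
    payload  = var.api_token_b64
    encoding = "base64"
  }
}

# `sensitive` only redacts values in plan/apply output. The values are still
# written to the state file, so the state backend needs encryption and
# restricted access.
```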
Optional:
Optional:
Optional:
Optional:
Optional:
plain, base64. Default: plain.
encoding attribute to specify encoding. If base64 is set as the encoding, the stored string will be decoded at runtime when referring to the secret using the .payload property.
Optional:
Optional:
plain, base64. Default: plain.
The following attributes are exported:
```hcl
variable "random" {
  type    = string
  default = "secret-example"
}

# Sample Public Certificate
variable "testcert" {
  type    = string
  default = <<EOT
-----BEGIN CERTIFICATE-----
<base64-encoded certificate body>
-----END CERTIFICATE-----
EOT
}

# Sample Private Certificate
variable "testcertprivate" {
  type    = string
  default = <<EOT
-----BEGIN PRIVATE KEY-----
<base64-encoded private key body>
-----END PRIVATE KEY-----
EOT
}

# Sample Private Key
variable "test-secret-key" {
  type    = string
  default = <<EOT
-----BEGIN RSA PRIVATE KEY-----
<encrypted RSA private key headers and body>
-----END RSA PRIVATE KEY-----
EOT
}

# Sample Public Key
variable "test-public-key" {
  type    = string
  default = <<EOT
-----BEGIN PUBLIC KEY-----
<base64-encoded public key body>
-----END PUBLIC KEY-----
EOT
}

# AWS Secret
resource "cpln_secret" "aws" {
  name        = "aws-${var.random}"
  description = "aws description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "aws"
  }

  aws {
    # Required
    secret_key = "AKIAIOSFODNN7EXAMPLE"

    # Required
    access_key = "AKIAwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

    # Optional
    role_arn = "arn:awskey"
  }
}

# Azure SDK Secret
resource "cpln_secret" "azure_sdk" {
  name        = "azuresdk-${var.random}"
  description = "azuresdk description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "azure-sdk"
  }

  # Required
  azure_sdk = "{\"subscriptionId\":\"2cd8674e-4f89-4a1f-b420-7a1361b46ef7\",\"tenantId\":\"292f5674-c8b0-488b-9ff8-6d30d77f38d9\",\"clientId\":\"649846ce-d862-49d5-a5eb-7d5aad90f54e\",\"clientSecret\":\"cpln\"}"
}

# Azure Connector Secret
resource "cpln_secret" "azure_connector" {
  name        = "azureconnector-${var.random}"
  description = "azureconnector description ${var.random}"

  tags = {
    terraform_generated = "true"
    acceptance_test     = "true"
    secret_type         = "azure-connector"
  }

  azure_connector {
    # Required
    url = "https://example.azurewebsites.net/api/iam-broker"

    # Required
    code = "iH0wQjWdAai3oE1C7XrC3t1BBaD7N7foapAylbMaR7HXOmGNYzM3QA=="
  }
}

# Docker Secret
resource "cpln_secret" "docker" {
  name        = "docker-${var.random}"
  description = "docker description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "docker"
  }

  # Required
  docker = "{\"auths\":{\"your-registry-server\":{\"username\":\"your-name\",\"password\":\"your-pword\",\"email\":\"your-email\",\"auth\":\"<Secret>\"}}}"
}

# Amazon ECR Secret
resource "cpln_secret" "ecr" {
  name        = "ecr-${var.random}"
  description = "ecr description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "ecr"
  }

  ecr {
    # Required
    secret_key = "AKIAIOSFODNN7EXAMPLE"

    # Required
    access_key = "AKIAwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

    # Optional
    role_arn = "arn:awskey"

    # Required
    repos = ["915716931765.dkr.ecr.us-west-2.amazonaws.com/env-test", "015716931765.dkr.ecr.us-west-2.amazonaws.com/cpln-test"]
  }
}

# Dictionary Secret
resource "cpln_secret" "dictionary" {
  name        = "dictionary-${var.random}"
  description = "dictionary description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "dictionary"
  }

  dictionary = {
    key01 = "value-01"
    key02 = "value-02"
  }
}

# GCP Secret
resource "cpln_secret" "gcp" {
  name        = "gcp-${var.random}"
  description = "gcp description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "gcp"
  }

  # Required
  gcp = "{\"type\":\"gcp\",\"project_id\":\"cpln12345\",\"private_key_id\":\"pvt_key\",\"private_key\":\"key\",\"client_email\":\"support@cpln.io\",\"client_id\":\"12744\",\"auth_uri\":\"cloud.google.com\",\"token_uri\":\"token.cloud.google.com\",\"auth_provider_x509_cert_url\":\"cert.google.com\",\"client_x509_cert_url\":\"cert.google.com\"}"
}

# Keypair Secret
resource "cpln_secret" "keypair" {
  name        = "keypair-${var.random}"
  description = "keypair description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "keypair"
  }

  keypair {
    # Required
    secret_key = var.test-secret-key

    # Optional
    public_key = var.test-public-key

    # Optional
    passphrase = "cpln"
  }
}

# Opaque Secret
resource "cpln_secret" "opaque" {
  name        = "opaque-${var.random}"
  description = "opaque description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "opaque"
  }

  opaque {
    # Required
    payload = "opaque_secret_payload"

    # Optional
    # Options: `plain` or `base64`
    encoding = "plain"
  }
}

# TLS Secret
resource "cpln_secret" "tls" {
  name        = "tls-${var.random}"
  description = "tls description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "tls"
  }

  tls {
    # Required
    key = var.testcertprivate

    # Required
    cert = var.testcert

    # Optional
    chain = var.testcert
  }
}

# Username/Password Secret
resource "cpln_secret" "userpass" {
  name        = "userpass-${var.random}"
  description = "userpass description ${var.random}"

  tags = {
    terraform_generated = "true"
    example             = "true"
    secret_type         = "userpass"
  }

  userpass {
    # Required
    username = "cpln_username"

    # Required
    password = "cpln_password"

    # Optional
    encoding = "plain"
  }
}
```
Manages an org's Service Accounts.
The following attributes are exported:
builtin or default.
```hcl
resource "cpln_service_account" "example" {
  name        = "service-account-example"
  description = "Example Service Account"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}

resource "cpln_service_account_key" "example" {
  service_account_name = cpln_service_account.example.name
  description          = "Service Account Key"
}

resource "cpln_service_account_key" "example_02" {
  // When adding another key, use `depends_on` to add the keys synchronously
  depends_on = [cpln_service_account_key.example]

  service_account_name = cpln_service_account.example.name
  description          = "Service Account Key #2"
}

output "key_01" {
  value = cpln_service_account_key.example.key
}

output "key_02" {
  value = cpln_service_account_key.example_02.key
}
```
Manages an org's Service Account Keys.
Used in conjunction with a Service Account.
A key can only be created and deleted. Updates will fail.
The following attributes are exported:
```hcl
resource "cpln_service_account" "example" {
  name        = "service-account-example"
  description = "Example Service Account"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}

resource "cpln_service_account_key" "example" {
  service_account_name = cpln_service_account.example.name
  description          = "Service Account Key"
}

resource "cpln_service_account_key" "example_02" {
  // When adding another key, use `depends_on` to add the keys synchronously
  depends_on = [cpln_service_account_key.example]

  service_account_name = cpln_service_account.example.name
  description          = "Service Account Key #2"
}

output "key_01" {
  value = cpln_service_account_key.example.key
}

output "key_02" {
  value = cpln_service_account_key.example_02.key
}
```
Manages a GVC's Workload.
description (String) Description of the Workload.
container (Block List) (see below).
firewall_spec (Block List, Max: 1) (see below).
identity_link (String) Full link to an Identity.
options (Block List, Max: 1) (see below).
local_options (Block List, Max: 1) (see below).
tags (Map of String) Key-value map of resource tags.
Note: A Workload must contain at least one container.
Required:
name (String) Name of the container.
cpln_.
image (String) The full image and tag path.
Optional:
80. Max: 65535.
Note: The ports listed below are blocked and are not allowed to be used. Containers which attempt to use these ports will not be able to bind: 8012, 8022, 9090, 9091, 15000, 15001, 15006, 15020, 15021, 15090, 41000.
args (List of String) Command line arguments passed to the container at runtime.
env (Map of String) Name-Value list of environment variables.
command (String) Override the entry point.
cpu (String) Reserved CPU of the workload when capacityAI is disabled. Maximum CPU when CapacityAI is enabled. Default: "50m".
memory (String) Reserved memory of the workload when capacityAI is disabled. Maximum memory when CapacityAI is enabled. Default: "128Mi".
liveness_probe (Block List, Max: 1) Liveness Probe (see below).
readiness_probe (Block List, Max: 1) Readiness Probe (see below).
metrics (Block List, Max: 1) (see below) Reference Page.
volume (Block List) (see below) Reference Page.
working_directory (String) Override the working directory. Must be an absolute path.
Optional:
failure_threshold (Number) Failure Threshold. Default: 3. Min: 1. Max: 20.
initial_delay_seconds (Number) Initial Delay in seconds. Default: 0. Min: 0. Max: 120.
period_seconds (Number) Period Seconds. Default: 10. Min: 1. Max: 60.
success_threshold (Number) Success Threshold. Default: 1. Min: 1. Max: 20.
timeout_seconds (Number) Timeout in seconds. Default: 1. Min: 1. Max: 60.
exec (Block List, Max: 1) (see below).
http_get (Block List, Max: 1) (see below).
tcp_socket (Block List, Max: 1) (see below).
Required:
Optional:
80. Max: 65535.
Optional:
Optional:
failure_threshold (Number) Failure Threshold. Default: 3. Min: 1. Max: 20.
initial_delay_seconds (Number) Initial Delay in seconds. Default: 0. Min: 0. Max: 120.
period_seconds (Number) Period Seconds. Default: 10. Min: 1. Max: 60.
success_threshold (Number) Success Threshold. Default: 1. Min: 1. Max: 20.
timeout_seconds (Number) Timeout in seconds. Default: 1. Min: 1. Max: 60.
exec (Block List, Max: 1) (see below).
http_get (Block List, Max: 1) (see below).
tcp_socket (Block List, Max: 1) (see below).
Required:
Optional:
80. Max: 65535.
Optional:
Required:
Note: The following list of paths are reserved and cannot be used: /dev, /dev/log, /tmp, /var, /var/log.
Required:
Control of inbound and outbound access to the workload for external (public) and internal (service to service) traffic. Access is restricted by default.
Optional:
Optional:
* is allowed on the prefix of the hostname only, ex: *.amazonaws.com. Use outboundAllowCIDR to allow access to all external websites.
The internal firewall is used to control access between workloads.
Optional:
inbound_allow_type (String) Used to control the internal firewall configuration and mutual tls. Allowed Values: "none", "same-gvc", "same-org", "workload-list".
inbound_allow_workload (List of String) A list of specific workloads which are allowed to access this workload internally. This list is only used if the 'inboundAllowType' is set to 'workload-list'.
Optional:
autoscaling (Block List, Max: 1) (see below).
capacity_ai (Boolean) Capacity AI. Default: true.
debug (Boolean) Debug mode. Default: false.
spot (Boolean) Spot instance. Default: true.
timeout_seconds (Number) Timeout in seconds. Default: 5.
location (String) Valid only for local_options. Local options override for a specific location.
Optional:
concurrency, cpu, rps. Default: concurrency.
0. Max: 1000. Default 0.
0. Default 5.
0. Max: max_scale. Default 1.
30. Max: 3600. Default: 300.
0. Max: 20000. Default: 100.
Status of the workload.
Read-Only:
Current health status.
Read-Only:
The following attributes are exported:
```hcl
resource "cpln_gvc" "example" {
  name        = "gvc-example"
  description = "Example GVC"
  locations   = ["aws-eu-central-1", "aws-us-west-2"]

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}

resource "cpln_identity" "example" {
  gvc         = cpln_gvc.example.name
  name        = "identity-example"
  description = "Example Identity"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }
}

resource "cpln_workload" "new" {
  gvc         = cpln_gvc.example.name
  name        = "workload-example"
  description = "Example Workload"

  tags = {
    terraform_generated = "true"
    example             = "true"
  }

  identity_link = cpln_identity.example.self_link

  container {
    name              = "container-01"
    image             = "gcr.io/knative-samples/helloworld-go"
    port              = 8080
    memory            = "128Mi"
    cpu               = "50m"
    command           = "override-command"
    working_directory = "/usr"

    env = {
      env-name-01 = "env-value-01",
      env-name-02 = "env-value-02",
    }

    args = ["arg-01", "arg-02"]

    readiness_probe {
      tcp_socket {
        port = 8181
      }

      period_seconds        = 11
      timeout_seconds       = 2
      failure_threshold     = 4
      success_threshold     = 2
      initial_delay_seconds = 1
    }

    liveness_probe {
      http_get {
        path   = "/path"
        port   = 8282
        scheme = "HTTPS"

        http_headers = {
          header-name-01 = "header-value-01"
          header-name-02 = "header-value-02"
        }
      }

      period_seconds        = 10
      timeout_seconds       = 3
      failure_threshold     = 5
      success_threshold     = 1
      initial_delay_seconds = 2
    }

    volume {
      uri  = "s3://bucket"
      path = "/s3"
    }
  }

  options {
    capacity_ai     = false
    spot            = true
    timeout_seconds = 30

    autoscaling {
      metric          = "concurrency"
      target          = 100
      max_scale       = 3
      min_scale       = 2
      max_concurrency = 500
    }
  }

  local_options {
    location        = "aws-us-west-2"
    capacity_ai     = false
    spot            = true
    timeout_seconds = 30

    autoscaling {
      metric          = "concurrency"
      target          = 100
      max_scale       = 3
      min_scale       = 2
      max_concurrency = 500
    }
  }

  firewall_spec {
    external {
      inbound_allow_cidr      = ["0.0.0.0/0"]
      outbound_allow_cidr     = []
      outbound_allow_hostname = ["*.controlplane.com", "*.cpln.io"]
    }

    internal {
      # Allowed Types: "none", "same-gvc", "same-org", "workload-list"
      inbound_allow_type     = "none"
      inbound_allow_workload = []
    }
  }
}
```
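The firewall_spec attributes described above, arranged for least privilege, as an added example that is not part of the provider documentation: a frontend reachable only from one client range and a backend with no external access that accepts internal traffic from the frontend alone. The resource names, image and the 203.0.113.0/24 documentation range are illustrative; it is an assumption that cpln_workload exports self_link and that inbound_allow_workload accepts that link.

```hcl
resource "cpln_gvc" "app" {
  name        = "gvc-app"
  description = "GVC for the firewall example"
  locations   = ["aws-us-west-2"]
}

# Public-facing workload: inbound limited to a known client range
# instead of 0.0.0.0/0, outbound limited to named hostnames.
resource "cpln_workload" "frontend" {
  gvc         = cpln_gvc.app.name
  name        = "frontend"
  description = "Public entry point"

  container {
    name  = "web"
    image = "gcr.io/knative-samples/helloworld-go"
    port  = 8080
  }

  firewall_spec {
    external {
      # Placeholder client range (RFC 5737 documentation block)
      inbound_allow_cidr      = ["203.0.113.0/24"]
      outbound_allow_cidr     = []
      outbound_allow_hostname = ["*.cpln.io"]
    }

    internal {
      # Nothing inside the org needs to call the frontend
      inbound_allow_type     = "none"
      inbound_allow_workload = []
    }
  }
}

# Internal-only workload: no external inbound or outbound rules,
# and only the frontend is allowed to reach it service to service.
resource "cpln_workload" "backend" {
  gvc         = cpln_gvc.app.name
  name        = "backend"
  description = "Internal API, reachable from the frontend only"

  container {
    name  = "api"
    image = "gcr.io/knative-samples/helloworld-go"
    port  = 8080
  }

  firewall_spec {
    external {
      inbound_allow_cidr      = []
      outbound_allow_cidr     = []
      outbound_allow_hostname = []
    }

    internal {
      # The workload list is only consulted when the type is "workload-list"
      inbound_allow_type = "workload-list"

      # Assumption: the workload's exported self_link is the expected reference format
      inbound_allow_workload = [cpln_workload.frontend.self_link]
    }
  }
}
```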
Output the ID and name of the current org.
The following attributes are exported:
```hcl
data "cpln_org" "org" {}

output "org_id" {
  value = data.cpln_org.org.id
}

output "org_name" {
  value = data.cpln_org.org.name
}
```
Use this data source to access information about an existing Global Virtual Cloud (GVC) within Control Plane.
The following attributes are exported:
```hcl
data "cpln_gvc" "gvc" {}

output "gvc_id" {
  value = data.cpln_gvc.gvc.id
}

output "gvc_locations" {
  value = data.cpln_gvc.gvc.locations
}
```
Use this data source to access information about a Location within Control Plane.
aws-us-west-2).
The following attributes are exported:
```hcl
data "cpln_location" "location" {
  name = "aws-us-west-2"
}

output "location" {
  value = data.cpln_location.location
}

output "location_enabled" {
  value = data.cpln_location.location.enabled
}
```
Use this data source to access information about all Locations within Control Plane.
The following attributes are exported:
```hcl
data "cpln_locations" "locations" {}

output "locations" {
  # Reference the cpln_locations data source declared above
  value = data.cpln_locations.locations.locations
}
```