Terraform
The Terraform adapter stages a module, copies it to the runner, runs Terraform, captures outputs, and preserves local Terraform state artifacts when the module does not define its own backend.
Capabilities
Section titled “Capabilities”Required runner capabilities:
| Capability | Why it is required |
|---|---|
Exec | Runs Terraform commands on the runner. |
FileCopy | Copies modules, with-files, and Terraform state artifacts. |
The runner must have Terraform available.
Sources
Section titled “Sources”Supported source modes:
| Source mode | Supported | Behavior |
|---|---|---|
embedded | Yes | Written into a local staged module and copied to the runner. |
path | Yes | Directory path to the Terraform module. |
files | No | Not currently supported by the Terraform adapter. |
Example:
components: infra: type: terraform runner: local source: path: ./infraThe adapter excludes .terraform, terraform.tfstate, and terraform.tfstate.backup when staging a module for copy.
Config
Section titled “Config”| Field | Type | Default | Description |
|---|---|---|---|
vars | map of strings | {} | Terraform variable values passed with repeated -var key=value arguments. |
Example:
config: vars: region: eu-central-1 instance_type: t3.microIf a Terraform variable has no default and is not present in vars, Orch checks for an environment variable with the same name and uses that value. If no value is found, Orch emits a warning.
Environment
Section titled “Environment”Component env values are passed to:
terraform initterraform applyterraform output -jsonterraform destroy
Use env for provider environment variables when needed, but prefer ambient runner authentication where possible.
Outputs
Section titled “Outputs”Terraform outputs are captured from:
terraform output -jsonTerraform outputs marked sensitive by Terraform are ignored by Orch and are not persisted in Orch state.
Non-sensitive Terraform outputs must still be declared in the component outputs list to be available for interpolation:
outputs: - name: urlOutput values are converted to strings. Scalar values, lists, and maps are stringified by Orch’s output conversion helpers.
State Artifacts
Section titled “State Artifacts”If the module does not define a Terraform backend block, Orch captures local Terraform state artifacts after apply:
| Artifact | Required | Sensitive | Description |
|---|---|---|---|
terraform.tfstate | Yes | Yes | Required local Terraform state used for destroy. |
terraform.tfstate.backup | No | Yes | Backup state file when present. |
.terraform.lock.hcl | No | No | Provider lock file. |
Before destroy, Orch restores captured artifacts to the component workdir.
If the module defines a backend block, Orch treats Terraform as owning its own remote state and skips local state artifact capture.
Apply Behavior
Section titled “Apply Behavior”Apply does the following:
- Copies
withfiles to the runner workdir. - Stages and copies the Terraform module to the runner.
- Runs
terraform init -upgrade. - Runs
terraform apply -auto-approve, appending configuredvars. - Runs
terraform output -jsonand captures non-sensitive outputs. - Stores vars and workdir in component state.
- Captures local Terraform artifacts when no Terraform backend is configured.
Destroy Behavior
Section titled “Destroy Behavior”Destroy does the following:
- Restores captured artifacts when they exist.
- Re-stages and copies the Terraform module to the runner.
- Runs
terraform init -upgrade. - Runs
terraform destroy -auto-approve, appending vars captured in state.
Destroy uses the component environment from the current manifest and the Terraform vars captured at apply time.