The Terraform AWS provider is a plugin that enables seamless integration between Terraform and the Amazon Web Services (AWS) cloud platform. It allows users to define, provision, and manage AWS resources using Terraform’s declarative configuration language. This year, we reached the 10th anniversary of the Terraform AWS provider, crossed three billion downloads, and launched the AWS Cloud Control API provider. Developers always want to use new AWS services faster with Terraform and in this blog we will cover new launch-day support for AWS services just announced at re:Invent, and how developers can access more services faster with the AWS Cloud Control provider.
In partnership with Amazon Web Services (AWS), we are excited to announce launch-day support for a variety of new features across a number of AWS services in the HashiCorp Terraform AWS provider. These new features span S3, S3 Express, EKS, ECS, etc. These new features include:
- S3 Tables: Iceberg on top of S3
- Amazon S3 Express One Zone: S3 Lifecycle expirations
- ECS: VPC Lattice
- ECS: Service AZ rebalancing
- EKS: Hybrid Nodes
- EKS: Auto Mode
» S3 Tables: Iceberg on top of S3
Amazon S3 Tables deliver S3 storage that’s specifically optimized for analytics workloads, improving query performance while also reducing costs. S3 Tables have built-in support for the Apache Iceberg standard, which allows you to easily query tabular data in S3 using popular query engines like Apache Spark. Customers can use S3 Tables to store tabular data such as daily purchase transactions, streaming sensor data, or ad impressions as an Iceberg table in Amazon S3, and then interact with that data using analytics capabilities such as row-level transactions, queryable table snapshots, and more, all managed by Amazon S3. Additionally, Table Buckets perform continuous table maintenance to automatically optimize query efficiency over time as your data lake scales and evolves.
» Configuring S3 Tables in the Terraform AWS provider
To set up S3 Tables in the Terraform AWS provider, use the new aws_s3tables_table_bucket resource. The bucket is then managed together with the related aws_s3tables_* resources for bucket and table policies, namespaces, and tables, as shown below:
```hcl
resource "aws_s3tables_table_bucket" "example" {
  name = "example-bucket"
}

resource "aws_s3tables_table_bucket_policy" "example" {
  resource_policy  = data.aws_iam_policy_document.table_bucket.json
  table_bucket_arn = aws_s3tables_table_bucket.example.arn
}

data "aws_iam_policy_document" "table_bucket" {
  statement {
    # "s3tables:*" grants every S3 Tables action on the bucket to the whole
    # account; scope the actions down for anything beyond a demo.
    actions = ["s3tables:*"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.current.account_id]
    }
    resources = ["${aws_s3tables_table_bucket.example.arn}/*"]
  }
}

resource "aws_s3tables_namespace" "example" {
  # Namespace and table names may contain only lowercase letters, digits and underscores.
  namespace        = "example_namespace"
  table_bucket_arn = aws_s3tables_table_bucket.example.arn
}

resource "aws_s3tables_table" "example" {
  name             = "example_table"
  namespace        = aws_s3tables_namespace.example.namespace
  table_bucket_arn = aws_s3tables_namespace.example.table_bucket_arn
  format           = "ICEBERG"
}

resource "aws_s3tables_table_policy" "example" {
  resource_policy  = data.aws_iam_policy_document.table.json
  name             = aws_s3tables_table.example.name
  namespace        = aws_s3tables_table.example.namespace
  table_bucket_arn = aws_s3tables_table.example.table_bucket_arn
}

data "aws_iam_policy_document" "table" {
  statement {
    actions = ["s3tables:*"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.current.account_id]
    }
    resources = [aws_s3tables_table.example.arn]
  }
}

data "aws_caller_identity" "current" {}
```
» EKS Hybrid Nodes
Amazon EKS Hybrid Nodes (EKS-H) brings a fully managed, cloud-consistent Kubernetes experience to customers, simplifying hybrid application delivery and standardizing operational practices across on-premises, edge, and cloud environments. With Amazon EKS, customers can use the same console, APIs, and tools they use when running workloads on AWS infrastructure. The Amazon EKS Hybrid Nodes release builds on the success of EKS by significantly simplifying the on-premises use case.
» Configuring EKS Hybrid Nodes in the Terraform AWS provider
To set up EKS Hybrid Nodes in the Terraform AWS provider, use the existing aws_eks_cluster resource.
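As an added example (mine, not from the original post), here is a minimal aws_eks_cluster configuration for Hybrid Nodes. The cluster name, IAM role ARN, subnet IDs, and the on-premises node and pod CIDRs are placeholders; the remote_network_config block and the API authentication mode are taken from my reading of the provider's aws_eks_cluster documentation and should be checked against the provider version you run.

```hcl
# Added example, not from the original post. Placeholder values are marked.
variable "subnet_ids" {
  type        = list(string)
  description = "VPC subnets for the EKS control plane (placeholder)"
}

resource "aws_eks_cluster" "hybrid" {
  name     = "hybrid-example"                                   # placeholder
  role_arn = "arn:aws:iam::123456789012:role/eks-cluster-role"  # placeholder
  version  = "1.31"                                             # placeholder

  vpc_config {
    subnet_ids = var.subnet_ids
  }

  # Hybrid Nodes use EKS access entries, so the cluster must not rely solely
  # on the aws-auth ConfigMap for authentication.
  access_config {
    authentication_mode = "API"
  }

  # On-premises CIDRs that hybrid nodes and their pods will use. Keep these
  # ranges narrow and non-overlapping with the VPC: they become trusted
  # networks for the cluster and drive routing and security group decisions.
  remote_network_config {
    remote_node_networks {
      cidrs = ["10.200.0.0/16"]   # placeholder on-prem node range
    }
    remote_pod_networks {
      cidrs = ["10.201.0.0/16"]   # placeholder on-prem pod range
    }
  }
}
```

The hybrid node machines themselves are joined to the cluster out of band with the EKS hybrid nodes CLI and an IAM Roles Anywhere or SSM identity; this configuration only prepares the control plane to trust the remote networks.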
» New AWS ephemeral resources
Terraform’s management of infrastructure involves handling secrets, such as private keys, certificates, API tokens, etc. As an example, a data source may be used to fetch a secret and write it to a managed resource’s attribute. Or a secret may be generated by a resource type (e.g. a random password) and written to another resource type like a dedicated secrets manager.
Today, these secrets persist in the plan or state file. Since the secrets are stored in plain text within these artifacts, any mismanaged access to the files would compromise the secrets. We’ve been working on a feature to improve the security of this workflow, and it’s now ready for Terraform 1.10.
To enable secure handling of secrets, we’re introducing ephemeral values. These values are not stored in any artifact: neither the plan file nor the state file. They are not expected to remain consistent from plan to apply, or from one plan/apply round to the next.
Alongside the Terraform 1.10 launch, we included three new ephemeral resources in v5.77.0 of the AWS provider.
» Configuring ephemeral resources in the Terraform AWS provider
AWS Secrets Manager can contain sensitive data such as usernames and passwords for critical infrastructure. The aws_secretsmanager_secret_version ephemeral resource allows practitioners to retrieve these values without writing them to state.
```hcl
resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

# Note: a managed aws_secretsmanager_secret_version still records secret_string
# in state, because Terraform owns that value. The ephemeral block below shows
# how to read a version back without writing it to state.
resource "aws_secretsmanager_secret_version" "example" {
  secret_id     = aws_secretsmanager_secret.example.id
  secret_string = "example-secret"
}

ephemeral "aws_secretsmanager_secret_version" "example" {
  secret_id  = aws_secretsmanager_secret.example.id
  version_id = aws_secretsmanager_secret_version.example.version_id
}

output "secret_string" {
  value     = ephemeral.aws_secretsmanager_secret_version.example.secret_string
  ephemeral = true
}
```
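To show where the ephemeral resource actually pays off, here is an added example (mine, not from the post) that contrasts the data-source approach with the ephemeral one for a database password kept in Secrets Manager. The secret name, the JSON layout of the secret, and the postgresql provider block with its host, username, password and sslmode arguments are assumptions for illustration.

```hcl
# Added example, not from the original post. The secret name "prod/app/db" and
# the JSON layout {"host":..,"username":..,"password":..} are constructed.

# BEFORE (shown only for contrast; remove it in real code): a data source.
# Its secret_string attribute is written to the state file, marked sensitive
# but still plaintext, so anyone who can read state can read the password.
data "aws_secretsmanager_secret_version" "db_in_state" {
  secret_id = "prod/app/db"   # placeholder secret name
}

# AFTER: an ephemeral resource. The value is fetched during plan and apply and
# is never persisted in the plan or state file.
ephemeral "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/app/db"   # placeholder secret name
}

# A local derived from an ephemeral value is itself ephemeral, so the parsed
# credentials stay out of state as well.
locals {
  db = jsondecode(ephemeral.aws_secretsmanager_secret_version.db.secret_string)
}

# Ephemeral values may be used in provider configuration, which is where a
# database password usually has to go.
provider "postgresql" {
  host     = local.db.host
  username = local.db.username
  password = local.db.password
  sslmode  = "require"
}
```

Ephemeral values cannot be assigned to ordinary resource arguments, because those are stored in state; if a plan references one in such a place, Terraform reports an error rather than silently persisting the secret, which is the behaviour you want from a guardrail.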
» Faster service support with the AWS Cloud Control provider
The AWS Cloud Control (AWSCC) provider, built around the AWS Cloud Control API and designed to bring new services to HashiCorp Terraform faster, is generally available. The 1.0 release of the AWSCC provider represents another step forward in our effort to offer launch day support of AWS services. This provider is automatically generated based on the Cloud Control API published by AWS, which means the latest features and services on AWS can be supported right away.
Terraform users managing infrastructure on Amazon Web Services can typically use this provider alongside the existing AWS provider. Given its ability to automatically support new features and services, this AWSCC provider will increase the resource coverage and significantly reduce the time it takes to support new capabilities. AWS and HashiCorp will continue to deliver high-quality, consistent releases to both the AWS and AWSCC providers.
» Learn more about AWS and HashiCorp
To learn the basics of Terraform using the AWS provider, follow the hands-on tutorials for getting started with Terraform on AWS on our developer education platform.
If you are completely new to Terraform, sign up for Terraform Cloud and get started using the Free offering today.