HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Terraform
Terraform Home

Python: Structs

AppConfig

Initializer 

import cdktf

cdktf.AppConfig(
  context: typing.Mapping[typing.Any] = None,
  hcl_output: bool = None,
  outdir: str = None,
  skip_backend_validation: bool = None,
  skip_validation: bool = None,
  stack_traces: bool = None
)

Properties

NameTypeDescription
contexttyping.Mapping[typing.Any]Additional context values for the application.
hcl_outputboolNo description.
outdirstrThe directory to output Terraform resources.
skip_backend_validationboolWhether to skip backend validation during synthesis of the app.
skip_validationboolWhether to skip all validations during synthesis of the app.
stack_tracesboolNo description.
contextOptional 
context: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
  • Default: no additional context

Additional context values for the application.

Context set by the CLI or the context key in cdktf.json has precedence.

Context can be read from any construct using node.getContext(key).

hcl_outputOptional 
hcl_output: bool
  • Type: bool
outdirOptional 
outdir: str
  • Type: str
  • Default: CDKTF_OUTDIR if defined, otherwise "cdktf.out"

The directory to output Terraform resources.

If you are using the CDKTF CLI, this value is automatically set from one of the following three sources:

  • The -o / --output CLI option
  • The CDKTF_OUTDIR environment variable
  • The outdir key in cdktf.json

If you are using the CDKTF CLI and want to set a different value here, you will also need to set the same value via one of the three ways specified above.

The most common case to set this value is when you are using the CDKTF library directly (e.g. when writing unit tests).

skip_backend_validationOptional 
skip_backend_validation: bool
  • Type: bool
  • Default: false

Whether to skip backend validation during synthesis of the app.

skip_validationOptional 
skip_validation: bool
  • Type: bool
  • Default: false

Whether to skip all validations during synthesis of the app.

stack_tracesOptional 
stack_traces: bool
  • Type: bool

AzurermBackendConfig

Stores the state as a Blob with the given Key within the Blob Container within the Blob Storage Account.

This backend supports state locking and consistency checking with Azure Blob Storage native capabilities.

Note: By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting use_microsoft_graph to true. The default for this will change in Terraform 1.2, so that MSAL authentication is used by default.

Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/azurerm

Initializer 

import cdktf

cdktf.AzurermBackendConfig(
  container_name: str,
  key: str,
  storage_account_name: str,
  access_key: str = None,
  client_certificate_password: str = None,
  client_certificate_path: str = None,
  client_id: str = None,
  client_secret: str = None,
  endpoint: str = None,
  environment: str = None,
  metadata_host: str = None,
  msi_endpoint: str = None,
  oidc_request_token: str = None,
  oidc_request_url: str = None,
  oidc_token: str = None,
  oidc_token_file_path: str = None,
  resource_group_name: str = None,
  sas_token: str = None,
  snapshot: bool = None,
  subscription_id: str = None,
  tenant_id: str = None,
  use_azuread_auth: bool = None,
  use_microsoft_graph: bool = None,
  use_msi: bool = None,
  use_oidc: bool = None
)

Properties

NameTypeDescription
container_namestr(Required) The Name of the Storage Container within the Storage Account.
keystr(Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.
storage_account_namestr(Required) The Name of the Storage Account.
access_keystraccess_key - (Optional) The Access Key used to access the Blob Storage Account.
client_certificate_passwordstr(Optional) The password associated with the Client Certificate specified in client_certificate_path.
client_certificate_pathstr(Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal.
client_idstr(Optional) The Client ID of the Service Principal.
client_secretstr(Optional) The Client Secret of the Service Principal.
endpointstr(Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the ARM_ENDPOINT environment variable.
environmentstr(Optional) The Azure Environment which should be used.
metadata_hoststr(Optional) The Hostname of the Azure Metadata Service (for example management.azure.com), used to obtain the Cloud Environment when using a Custom Azure Environment. This can also be sourced from the ARM_METADATA_HOSTNAME Environment Variable.).
msi_endpointstr(Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified.
oidc_request_tokenstr(Optional) The bearer token for the request to the OIDC provider.
oidc_request_urlstr(Optional) The URL for the OIDC provider from which to request an ID token.
oidc_tokenstr(Optional) The ID token when authenticating using OpenID Connect (OIDC).
oidc_token_file_pathstr(Optional) The path to a file containing an ID token when authenticating using OpenID Connect (OIDC).
resource_group_namestr(Required) The Name of the Resource Group in which the Storage Account exists.
sas_tokenstr(Optional) The SAS Token used to access the Blob Storage Account.
snapshotbool(Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use?
subscription_idstr(Optional) The Subscription ID in which the Storage Account exists.
tenant_idstr(Optional) The Tenant ID in which the Subscription exists.
use_azuread_authbool(Optional) Should AzureAD Authentication be used to access the Blob Storage Account.
use_microsoft_graphbool(Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph?
use_msibool(Optional) Should Managed Service Identity authentication be used?
use_oidcbool(Optional) Should OIDC authentication be used? This can also be sourced from the ARM_USE_OIDC environment variable.
container_nameRequired 
container_name: str
  • Type: str

(Required) The Name of the Storage Container within the Storage Account.

keyRequired 
key: str
  • Type: str

(Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.

storage_account_nameRequired 
storage_account_name: str
  • Type: str

(Required) The Name of the Storage Account.

access_keyOptional 
access_key: str
  • Type: str

access_key - (Optional) The Access Key used to access the Blob Storage Account.

This can also be sourced from the ARM_ACCESS_KEY environment variable.

client_certificate_passwordOptional 
client_certificate_password: str
  • Type: str

(Optional) The password associated with the Client Certificate specified in client_certificate_path.

This can also be sourced from the ARM_CLIENT_CERTIFICATE_PASSWORD environment variable.

client_certificate_pathOptional 
client_certificate_path: str
  • Type: str

(Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal.

This can also be sourced from the ARM_CLIENT_CERTIFICATE_PATH environment variable.

client_idOptional 
client_id: str
  • Type: str

(Optional) The Client ID of the Service Principal.

This can also be sourced from the ARM_CLIENT_ID environment variable.

client_secretOptional 
client_secret: str
  • Type: str

(Optional) The Client Secret of the Service Principal.

This can also be sourced from the ARM_CLIENT_SECRET environment variable.

endpointOptional 
endpoint: str
  • Type: str

(Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the ARM_ENDPOINT environment variable.

NOTE: An endpoint should only be configured when using Azure Stack.

environmentOptional 
environment: str
  • Type: str

(Optional) The Azure Environment which should be used.

This can also be sourced from the ARM_ENVIRONMENT environment variable. Possible values are public, china, german, stack and usgovernment. Defaults to public.

metadata_hostOptional 
metadata_host: str
  • Type: str

(Optional) The Hostname of the Azure Metadata Service (for example management.azure.com), used to obtain the Cloud Environment when using a Custom Azure Environment. This can also be sourced from the ARM_METADATA_HOSTNAME Environment Variable.).

msi_endpointOptional 
msi_endpoint: str
  • Type: str

(Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified.

This can also be sourced from the ARM_MSI_ENDPOINT environment variable.

oidc_request_tokenOptional 
oidc_request_token: str
  • Type: str

(Optional) The bearer token for the request to the OIDC provider.

This can also be sourced from the ARM_OIDC_REQUEST_TOKEN or ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variables.

oidc_request_urlOptional 
oidc_request_url: str
  • Type: str

(Optional) The URL for the OIDC provider from which to request an ID token.

This can also be sourced from the ARM_OIDC_REQUEST_URL or ACTIONS_ID_TOKEN_REQUEST_URL environment variables.

oidc_tokenOptional 
oidc_token: str
  • Type: str

(Optional) The ID token when authenticating using OpenID Connect (OIDC).

This can also be sourced from the ARM_OIDC_TOKEN environment variable.

oidc_token_file_pathOptional 
oidc_token_file_path: str
  • Type: str

(Optional) The path to a file containing an ID token when authenticating using OpenID Connect (OIDC).

This can also be sourced from the ARM_OIDC_TOKEN_FILE_PATH environment variable.

resource_group_nameOptional 
resource_group_name: str
  • Type: str

(Required) The Name of the Resource Group in which the Storage Account exists.

sas_tokenOptional 
sas_token: str
  • Type: str

(Optional) The SAS Token used to access the Blob Storage Account.

This can also be sourced from the ARM_SAS_TOKEN environment variable.

snapshotOptional 
snapshot: bool
  • Type: bool

(Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use?

Defaults to false. This value can also be sourced from the ARM_SNAPSHOT environment variable.

subscription_idOptional 
subscription_id: str
  • Type: str

(Optional) The Subscription ID in which the Storage Account exists.

This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable.

tenant_idOptional 
tenant_id: str
  • Type: str

(Optional) The Tenant ID in which the Subscription exists.

This can also be sourced from the ARM_TENANT_ID environment variable.

use_azuread_authOptional 
use_azuread_auth: bool
  • Type: bool

(Optional) Should AzureAD Authentication be used to access the Blob Storage Account.

This can also be sourced from the ARM_USE_AZUREAD environment variable.

Note: When using AzureAD for Authentication to Storage you also need to ensure the Storage Blob Data Owner role is assigned.

use_microsoft_graphOptional 
use_microsoft_graph: bool
  • Type: bool

(Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph?

Defaults to true.

Note: In Terraform 1.2 the Azure Backend uses MSAL (and Microsoft Graph) rather than ADAL (and Azure Active Directory Graph) for authentication by default - you can disable this by setting use_microsoft_graph to false. This setting will be removed in Terraform 1.3, due to Microsoft's deprecation of ADAL.

use_msiOptional 
use_msi: bool
  • Type: bool

(Optional) Should Managed Service Identity authentication be used?

This can also be sourced from the ARM_USE_MSI environment variable.

use_oidcOptional 
use_oidc: bool
  • Type: bool

(Optional) Should OIDC authentication be used? This can also be sourced from the ARM_USE_OIDC environment variable.

Note: When using OIDC for authentication, use_microsoft_graph must be set to true (which is the default).

CloudBackendConfig

The Cloud Backend synthesizes a {@link https://developer.hashicorp.com/terraform/cli/cloud/settings#the-cloud-block cloud block}. The cloud block is a nested block within the top-level terraform settings block. It specifies which Terraform Cloud workspaces to use for the current working directory. The cloud block only affects Terraform CLI's behavior. When Terraform Cloud uses a configuration that contains a cloud block - for example, when a workspace is configured to use a VCS provider directly - it ignores the block and behaves according to its own workspace settings.

https://developer.hashicorp.com/terraform/cli/cloud/settings#arguments

Initializer 

import cdktf

cdktf.CloudBackendConfig(
  organization: str,
  workspaces: typing.Union[NamedCloudWorkspace, TaggedCloudWorkspaces],
  hostname: str = None,
  token: str = None
)

Properties

NameTypeDescription
organizationstrThe name of the organization containing the workspace(s) the current configuration should use.
workspacestyping.Union[NamedCloudWorkspace, TaggedCloudWorkspaces]A nested block that specifies which remote Terraform Cloud workspaces to use for the current configuration.
hostnamestrThe hostname of a Terraform Enterprise installation, if using Terraform Enterprise.
tokenstrThe token used to authenticate with Terraform Cloud.
organizationRequired 
organization: str
  • Type: str

The name of the organization containing the workspace(s) the current configuration should use.

workspacesRequired 
workspaces: typing.Union[NamedCloudWorkspace, TaggedCloudWorkspaces]

A nested block that specifies which remote Terraform Cloud workspaces to use for the current configuration.

The workspaces block must contain exactly one of the following arguments, each denoting a strategy for how workspaces should be mapped:

hostnameOptional 
hostname: str
  • Type: str
  • Default: app.terraform.io

The hostname of a Terraform Enterprise installation, if using Terraform Enterprise.

tokenOptional 
token: str
  • Type: str

The token used to authenticate with Terraform Cloud.

We recommend omitting the token from the configuration, and instead using terraform login or manually configuring credentials in the CLI config file.

ConsulBackendConfig

Stores the state in the Consul KV store at a given path. This backend supports state locking.

Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/consul

Initializer 

import cdktf

cdktf.ConsulBackendConfig(
  access_token: str,
  path: str,
  address: str = None,
  ca_file: str = None,
  cert_file: str = None,
  datacenter: str = None,
  gzip: bool = None,
  http_auth: str = None,
  key_file: str = None,
  lock: bool = None,
  scheme: str = None
)

Properties

NameTypeDescription
access_tokenstr(Required) Access token.
pathstr(Required) Path in the Consul KV store.
addressstr(Optional) DNS name and port of your Consul endpoint specified in the format dnsname:port.
ca_filestr(Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate.
cert_filestr(Optional) A path to a PEM-encoded certificate provided to the remote agent;
datacenterstr(Optional) The datacenter to use.
gzipbool(Optional) true to compress the state data using gzip, or false (the default) to leave it uncompressed.
http_authstr(Optional) HTTP Basic Authentication credentials to be used when communicating with Consul, in the format of either user or user:pass.
key_filestr(Optional) A path to a PEM-encoded private key, required if cert_file is specified.
lockbool(Optional) false to disable locking.
schemestr(Optional) Specifies what protocol to use when talking to the given address,either http or https.
access_tokenRequired 
access_token: str
  • Type: str

(Required) Access token.

pathRequired 
path: str
  • Type: str

(Required) Path in the Consul KV store.

addressOptional 
address: str
  • Type: str

(Optional) DNS name and port of your Consul endpoint specified in the format dnsname:port.

Defaults to the local agent HTTP listener.

ca_fileOptional 
ca_file: str
  • Type: str

(Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate.

cert_fileOptional 
cert_file: str
  • Type: str

(Optional) A path to a PEM-encoded certificate provided to the remote agent;

requires use of key_file.

datacenterOptional 
datacenter: str
  • Type: str

(Optional) The datacenter to use.

Defaults to that of the agent.

gzipOptional 
gzip: bool
  • Type: bool

(Optional) true to compress the state data using gzip, or false (the default) to leave it uncompressed.

http_authOptional 
http_auth: str
  • Type: str

(Optional) HTTP Basic Authentication credentials to be used when communicating with Consul, in the format of either user or user:pass.

key_fileOptional 
key_file: str
  • Type: str

(Optional) A path to a PEM-encoded private key, required if cert_file is specified.

lockOptional 
lock: bool
  • Type: bool

(Optional) false to disable locking.

This defaults to true, but will require session permissions with Consul and at least kv write permissions on $path/.lock to perform locking.

schemeOptional 
scheme: str
  • Type: str

(Optional) Specifies what protocol to use when talking to the given address,either http or https.

SSL support can also be triggered by setting then environment variable CONSUL_HTTP_SSL to true.

CosBackendAssumeRole

Initializer 

import cdktf

cdktf.CosBackendAssumeRole(
  role_arn: str,
  session_duration: typing.Union[int, float],
  session_name: str,
  policy: typing.Any = None
)

Properties

NameTypeDescription
role_arnstr(Required) The ARN of the role to assume.
session_durationtyping.Union[int, float](Required) The duration of the session when making the AssumeRole call.
session_namestr(Required) The session name to use when making the AssumeRole call.
policytyping.Any(Optional) A more restrictive policy when making the AssumeRole call.
role_arnRequired 
role_arn: str
  • Type: str

(Required) The ARN of the role to assume.

It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_ARN.

session_durationRequired 
session_duration: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Required) The duration of the session when making the AssumeRole call.

Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION.

session_nameRequired 
session_name: str
  • Type: str

(Required) The session name to use when making the AssumeRole call.

It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME.

policyOptional 
policy: typing.Any
  • Type: typing.Any

(Optional) A more restrictive policy when making the AssumeRole call.

Its content must not contains principal elements. Please refer to {@link https://www.tencentcloud.com/document/product/598/10603 policies syntax logic}.

CosBackendConfig

Stores the state as an object in a configurable prefix in a given bucket on Tencent Cloud Object Storage (COS).

This backend supports state locking.

Warning! It is highly recommended that you enable Object Versioning on the COS bucket to allow for state recovery in the case of accidental deletions and human error.

Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/cos

Initializer 

import cdktf

cdktf.CosBackendConfig(
  bucket: str,
  accelerate: bool = None,
  acl: str = None,
  assume_role: CosBackendAssumeRole = None,
  domain: str = None,
  encrypt: bool = None,
  endpoint: str = None,
  key: str = None,
  prefix: str = None,
  region: str = None,
  secret_id: str = None,
  secret_key: str = None,
  security_token: str = None
)

Properties

NameTypeDescription
bucketstr(Required) The name of the COS bucket.
acceleratebool(Optional) Whether to enable global Acceleration.
aclstr(Optional) Object ACL to be applied to the state file, allows private and public-read.
assume_roleCosBackendAssumeRole(Optional) The assume_role block.
domainstr(Optional) The root domain of the API request.
encryptbool(Optional) Whether to enable server side encryption of the state file.
endpointstr(Optional) The Custom Endpoint for the COS backend.
keystr(Optional) The path for saving the state file in bucket.
prefixstr(Optional) The directory for saving the state file in bucket.
regionstr(Optional) The region of the COS bucket.
secret_idstr(Optional) Secret id of Tencent Cloud.
secret_keystr(Optional) Secret key of Tencent Cloud.
security_tokenstr(Optional) TencentCloud Security Token of temporary access credentials.
bucketRequired 
bucket: str
  • Type: str

(Required) The name of the COS bucket.

You shall manually create it first.

accelerateOptional 
accelerate: bool
  • Type: bool

(Optional) Whether to enable global Acceleration.

Defaults to false.

aclOptional 
acl: str
  • Type: str

(Optional) Object ACL to be applied to the state file, allows private and public-read.

Defaults to private.

assume_roleOptional 
assume_role: CosBackendAssumeRole

(Optional) The assume_role block.

If provided, terraform will attempt to assume this role using the supplied credentials.

domainOptional 
domain: str
  • Type: str

(Optional) The root domain of the API request.

Defaults to tencentcloudapi.com. It supports the environment variable TENCENTCLOUD_DOMAIN.

encryptOptional 
encrypt: bool
  • Type: bool

(Optional) Whether to enable server side encryption of the state file.

If it is true, COS will use 'AES256' encryption algorithm to encrypt state file.

endpointOptional 
endpoint: str
  • Type: str

(Optional) The Custom Endpoint for the COS backend.

It supports the environment variable TENCENTCLOUD_ENDPOINT.

keyOptional 
key: str
  • Type: str

(Optional) The path for saving the state file in bucket.

Defaults to terraform.tfstate.

prefixOptional 
prefix: str
  • Type: str

(Optional) The directory for saving the state file in bucket.

Default to "env:".

regionOptional 
region: str
  • Type: str

(Optional) The region of the COS bucket.

It supports environment variables TENCENTCLOUD_REGION.

secret_idOptional 
secret_id: str
  • Type: str

(Optional) Secret id of Tencent Cloud.

It supports environment variables TENCENTCLOUD_SECRET_ID.

secret_keyOptional 
secret_key: str
  • Type: str

(Optional) Secret key of Tencent Cloud.

It supports environment variables TENCENTCLOUD_SECRET_KEY.

security_tokenOptional 
security_token: str
  • Type: str

(Optional) TencentCloud Security Token of temporary access credentials.

It supports environment variables TENCENTCLOUD_SECURITY_TOKEN.

DataConfig

Initializer 

import cdktf

cdktf.DataConfig(
  connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection] = None,
  count: typing.Union[typing.Union[int, float], TerraformCount] = None,
  depends_on: typing.List[ITerraformDependable] = None,
  for_each: ITerraformIterator = None,
  lifecycle: TerraformResourceLifecycle = None,
  provider: TerraformProvider = None,
  provisioners: typing.List[typing.Union[FileProvisioner, LocalExecProvisioner, RemoteExecProvisioner]] = None,
  input: typing.Mapping[typing.Any] = None,
  triggers_replace: typing.Mapping[typing.Any] = None
)

Properties

NameTypeDescription
connectiontyping.Union[SSHProvisionerConnection, WinrmProvisionerConnection]No description.
counttyping.Union[typing.Union[int, float], TerraformCount]No description.
depends_ontyping.List[ITerraformDependable]No description.
for_eachITerraformIteratorNo description.
lifecycleTerraformResourceLifecycleNo description.
providerTerraformProviderNo description.
provisionerstyping.List[typing.Union[FileProvisioner, LocalExecProvisioner, RemoteExecProvisioner]]No description.
inputtyping.Mapping[typing.Any](Optional) A value which will be stored in the instance state, and reflected in the output attribute after apply.
triggers_replacetyping.Mapping[typing.Any](Optional) A value which is stored in the instance state, and will force replacement when the value changes.
connectionOptional 
connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection]
countOptional 
count: typing.Union[typing.Union[int, float], TerraformCount]
depends_onOptional 
depends_on: typing.List[ITerraformDependable]
for_eachOptional 
for_each: ITerraformIterator
lifecycleOptional 
lifecycle: TerraformResourceLifecycle
providerOptional 
provider: TerraformProvider
provisionersOptional 
provisioners: typing.List[typing.Union[FileProvisioner, LocalExecProvisioner, RemoteExecProvisioner]]
inputOptional 
input: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]

(Optional) A value which will be stored in the instance state, and reflected in the output attribute after apply.

https://developer.hashicorp.com/terraform/language/resources/terraform-data#input

triggers_replaceOptional 
triggers_replace: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]

(Optional) A value which is stored in the instance state, and will force replacement when the value changes.

https://developer.hashicorp.com/terraform/language/resources/terraform-data#triggers_replace

DataTerraformRemoteStateAzurermConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateAzurermConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  container_name: str,
  key: str,
  storage_account_name: str,
  access_key: str = None,
  client_certificate_password: str = None,
  client_certificate_path: str = None,
  client_id: str = None,
  client_secret: str = None,
  endpoint: str = None,
  environment: str = None,
  metadata_host: str = None,
  msi_endpoint: str = None,
  oidc_request_token: str = None,
  oidc_request_url: str = None,
  oidc_token: str = None,
  oidc_token_file_path: str = None,
  resource_group_name: str = None,
  sas_token: str = None,
  snapshot: bool = None,
  subscription_id: str = None,
  tenant_id: str = None,
  use_azuread_auth: bool = None,
  use_microsoft_graph: bool = None,
  use_msi: bool = None,
  use_oidc: bool = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
container_namestr(Required) The Name of the Storage Container within the Storage Account.
keystr(Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.
storage_account_namestr(Required) The Name of the Storage Account.
access_keystraccess_key - (Optional) The Access Key used to access the Blob Storage Account.
client_certificate_passwordstr(Optional) The password associated with the Client Certificate specified in client_certificate_path.
client_certificate_pathstr(Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal.
client_idstr(Optional) The Client ID of the Service Principal.
client_secretstr(Optional) The Client Secret of the Service Principal.
endpointstr(Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the ARM_ENDPOINT environment variable.
environmentstr(Optional) The Azure Environment which should be used.
metadata_hoststr(Optional) The Hostname of the Azure Metadata Service (for example management.azure.com), used to obtain the Cloud Environment when using a Custom Azure Environment. This can also be sourced from the ARM_METADATA_HOSTNAME Environment Variable.).
msi_endpointstr(Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified.
oidc_request_tokenstr(Optional) The bearer token for the request to the OIDC provider.
oidc_request_urlstr(Optional) The URL for the OIDC provider from which to request an ID token.
oidc_tokenstr(Optional) The ID token when authenticating using OpenID Connect (OIDC).
oidc_token_file_pathstr(Optional) The path to a file containing an ID token when authenticating using OpenID Connect (OIDC).
resource_group_namestr(Required) The Name of the Resource Group in which the Storage Account exists.
sas_tokenstr(Optional) The SAS Token used to access the Blob Storage Account.
snapshotbool(Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use?
subscription_idstr(Optional) The Subscription ID in which the Storage Account exists.
tenant_idstr(Optional) The Tenant ID in which the Subscription exists.
use_azuread_authbool(Optional) Should AzureAD Authentication be used to access the Blob Storage Account.
use_microsoft_graphbool(Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph?
use_msibool(Optional) Should Managed Service Identity authentication be used?
use_oidcbool(Optional) Should OIDC authentication be used? This can also be sourced from the ARM_USE_OIDC environment variable.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
container_nameRequired 
container_name: str
  • Type: str

(Required) The Name of the Storage Container within the Storage Account.

keyRequired 
key: str
  • Type: str

(Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.

storage_account_nameRequired 
storage_account_name: str
  • Type: str

(Required) The Name of the Storage Account.

access_keyOptional 
access_key: str
  • Type: str

access_key - (Optional) The Access Key used to access the Blob Storage Account.

This can also be sourced from the ARM_ACCESS_KEY environment variable.

client_certificate_passwordOptional 
client_certificate_password: str
  • Type: str

(Optional) The password associated with the Client Certificate specified in client_certificate_path.

This can also be sourced from the ARM_CLIENT_CERTIFICATE_PASSWORD environment variable.

client_certificate_pathOptional 
client_certificate_path: str
  • Type: str

(Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal.

This can also be sourced from the ARM_CLIENT_CERTIFICATE_PATH environment variable.

client_idOptional 
client_id: str
  • Type: str

(Optional) The Client ID of the Service Principal.

This can also be sourced from the ARM_CLIENT_ID environment variable.

client_secretOptional 
client_secret: str
  • Type: str

(Optional) The Client Secret of the Service Principal.

This can also be sourced from the ARM_CLIENT_SECRET environment variable.

endpointOptional 
endpoint: str
  • Type: str

(Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the ARM_ENDPOINT environment variable.

NOTE: An endpoint should only be configured when using Azure Stack.

environmentOptional 
environment: str
  • Type: str

(Optional) The Azure Environment which should be used.

This can also be sourced from the ARM_ENVIRONMENT environment variable. Possible values are public, china, german, stack and usgovernment. Defaults to public.

metadata_hostOptional 
metadata_host: str
  • Type: str

(Optional) The Hostname of the Azure Metadata Service (for example management.azure.com), used to obtain the Cloud Environment when using a Custom Azure Environment. This can also be sourced from the ARM_METADATA_HOSTNAME Environment Variable.).

msi_endpointOptional 
msi_endpoint: str
  • Type: str

(Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified.

This can also be sourced from the ARM_MSI_ENDPOINT environment variable.

oidc_request_tokenOptional 
oidc_request_token: str
  • Type: str

(Optional) The bearer token for the request to the OIDC provider.

This can also be sourced from the ARM_OIDC_REQUEST_TOKEN or ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variables.

oidc_request_urlOptional 
oidc_request_url: str
  • Type: str

(Optional) The URL for the OIDC provider from which to request an ID token.

This can also be sourced from the ARM_OIDC_REQUEST_URL or ACTIONS_ID_TOKEN_REQUEST_URL environment variables.

oidc_tokenOptional 
oidc_token: str
  • Type: str

(Optional) The ID token when authenticating using OpenID Connect (OIDC).

This can also be sourced from the ARM_OIDC_TOKEN environment variable.

oidc_token_file_pathOptional 
oidc_token_file_path: str
  • Type: str

(Optional) The path to a file containing an ID token when authenticating using OpenID Connect (OIDC).

This can also be sourced from the ARM_OIDC_TOKEN_FILE_PATH environment variable.

resource_group_nameOptional 
resource_group_name: str
  • Type: str

(Required) The Name of the Resource Group in which the Storage Account exists.

sas_tokenOptional 
sas_token: str
  • Type: str

(Optional) The SAS Token used to access the Blob Storage Account.

This can also be sourced from the ARM_SAS_TOKEN environment variable.

snapshotOptional 
snapshot: bool
  • Type: bool

(Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use?

Defaults to false. This value can also be sourced from the ARM_SNAPSHOT environment variable.

subscription_idOptional 
subscription_id: str
  • Type: str

(Optional) The Subscription ID in which the Storage Account exists.

This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable.

tenant_idOptional 
tenant_id: str
  • Type: str

(Optional) The Tenant ID in which the Subscription exists.

This can also be sourced from the ARM_TENANT_ID environment variable.

use_azuread_authOptional 
use_azuread_auth: bool
  • Type: bool

(Optional) Should AzureAD Authentication be used to access the Blob Storage Account.

This can also be sourced from the ARM_USE_AZUREAD environment variable.

Note: When using AzureAD for Authentication to Storage you also need to ensure the Storage Blob Data Owner role is assigned.

use_microsoft_graphOptional 
use_microsoft_graph: bool
  • Type: bool

(Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph?

Defaults to true.

Note: In Terraform 1.2 the Azure Backend uses MSAL (and Microsoft Graph) rather than ADAL (and Azure Active Directory Graph) for authentication by default - you can disable this by setting use_microsoft_graph to false. This setting will be removed in Terraform 1.3, due to Microsoft's deprecation of ADAL.

use_msiOptional 
use_msi: bool
  • Type: bool

(Optional) Should Managed Service Identity authentication be used?

This can also be sourced from the ARM_USE_MSI environment variable.

use_oidcOptional 
use_oidc: bool
  • Type: bool

(Optional) Should OIDC authentication be used? This can also be sourced from the ARM_USE_OIDC environment variable.

Note: When using OIDC for authentication, use_microsoft_graph must be set to true (which is the default).

DataTerraformRemoteStateConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str

DataTerraformRemoteStateConsulConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateConsulConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  access_token: str,
  path: str,
  address: str = None,
  ca_file: str = None,
  cert_file: str = None,
  datacenter: str = None,
  gzip: bool = None,
  http_auth: str = None,
  key_file: str = None,
  lock: bool = None,
  scheme: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
access_tokenstr(Required) Access token.
pathstr(Required) Path in the Consul KV store.
addressstr(Optional) DNS name and port of your Consul endpoint specified in the format dnsname:port.
ca_filestr(Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate.
cert_filestr(Optional) A path to a PEM-encoded certificate provided to the remote agent;
datacenterstr(Optional) The datacenter to use.
gzipbool(Optional) true to compress the state data using gzip, or false (the default) to leave it uncompressed.
http_authstr(Optional) HTTP Basic Authentication credentials to be used when communicating with Consul, in the format of either user or user:pass.
key_filestr(Optional) A path to a PEM-encoded private key, required if cert_file is specified.
lockbool(Optional) false to disable locking.
schemestr(Optional) Specifies what protocol to use when talking to the given address,either http or https.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
access_tokenRequired 
access_token: str
  • Type: str

(Required) Access token.

pathRequired 
path: str
  • Type: str

(Required) Path in the Consul KV store.

addressOptional 
address: str
  • Type: str

(Optional) DNS name and port of your Consul endpoint specified in the format dnsname:port.

Defaults to the local agent HTTP listener.

ca_fileOptional 
ca_file: str
  • Type: str

(Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate.

cert_fileOptional 
cert_file: str
  • Type: str

(Optional) A path to a PEM-encoded certificate provided to the remote agent;

requires use of key_file.

datacenterOptional 
datacenter: str
  • Type: str

(Optional) The datacenter to use.

Defaults to that of the agent.

gzipOptional 
gzip: bool
  • Type: bool

(Optional) true to compress the state data using gzip, or false (the default) to leave it uncompressed.

http_authOptional 
http_auth: str
  • Type: str

(Optional) HTTP Basic Authentication credentials to be used when communicating with Consul, in the format of either user or user:pass.

key_fileOptional 
key_file: str
  • Type: str

(Optional) A path to a PEM-encoded private key, required if cert_file is specified.

lockOptional 
lock: bool
  • Type: bool

(Optional) false to disable locking.

This defaults to true, but will require session permissions with Consul and at least kv write permissions on $path/.lock to perform locking.

schemeOptional 
scheme: str
  • Type: str

(Optional) Specifies what protocol to use when talking to the given address,either http or https.

SSL support can also be triggered by setting then environment variable CONSUL_HTTP_SSL to true.

DataTerraformRemoteStateCosConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateCosConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  bucket: str,
  accelerate: bool = None,
  acl: str = None,
  assume_role: CosBackendAssumeRole = None,
  domain: str = None,
  encrypt: bool = None,
  endpoint: str = None,
  key: str = None,
  prefix: str = None,
  region: str = None,
  secret_id: str = None,
  secret_key: str = None,
  security_token: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
bucketstr(Required) The name of the COS bucket.
acceleratebool(Optional) Whether to enable global Acceleration.
aclstr(Optional) Object ACL to be applied to the state file, allows private and public-read.
assume_roleCosBackendAssumeRole(Optional) The assume_role block.
domainstr(Optional) The root domain of the API request.
encryptbool(Optional) Whether to enable server side encryption of the state file.
endpointstr(Optional) The Custom Endpoint for the COS backend.
keystr(Optional) The path for saving the state file in bucket.
prefixstr(Optional) The directory for saving the state file in bucket.
regionstr(Optional) The region of the COS bucket.
secret_idstr(Optional) Secret id of Tencent Cloud.
secret_keystr(Optional) Secret key of Tencent Cloud.
security_tokenstr(Optional) TencentCloud Security Token of temporary access credentials.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
bucketRequired 
bucket: str
  • Type: str

(Required) The name of the COS bucket.

You shall manually create it first.

accelerateOptional 
accelerate: bool
  • Type: bool

(Optional) Whether to enable global Acceleration.

Defaults to false.

aclOptional 
acl: str
  • Type: str

(Optional) Object ACL to be applied to the state file, allows private and public-read.

Defaults to private.

assume_roleOptional 
assume_role: CosBackendAssumeRole

(Optional) The assume_role block.

If provided, terraform will attempt to assume this role using the supplied credentials.

domainOptional 
domain: str
  • Type: str

(Optional) The root domain of the API request.

Defaults to tencentcloudapi.com. It supports the environment variable TENCENTCLOUD_DOMAIN.

encryptOptional 
encrypt: bool
  • Type: bool

(Optional) Whether to enable server side encryption of the state file.

If it is true, COS will use 'AES256' encryption algorithm to encrypt state file.

endpointOptional 
endpoint: str
  • Type: str

(Optional) The Custom Endpoint for the COS backend.

It supports the environment variable TENCENTCLOUD_ENDPOINT.

keyOptional 
key: str
  • Type: str

(Optional) The path for saving the state file in bucket.

Defaults to terraform.tfstate.

prefixOptional 
prefix: str
  • Type: str

(Optional) The directory for saving the state file in bucket.

Default to "env:".

regionOptional 
region: str
  • Type: str

(Optional) The region of the COS bucket.

It supports environment variables TENCENTCLOUD_REGION.

secret_idOptional 
secret_id: str
  • Type: str

(Optional) Secret id of Tencent Cloud.

It supports environment variables TENCENTCLOUD_SECRET_ID.

secret_keyOptional 
secret_key: str
  • Type: str

(Optional) Secret key of Tencent Cloud.

It supports environment variables TENCENTCLOUD_SECRET_KEY.

security_tokenOptional 
security_token: str
  • Type: str

(Optional) TencentCloud Security Token of temporary access credentials.

It supports environment variables TENCENTCLOUD_SECURITY_TOKEN.

DataTerraformRemoteStateGcsConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateGcsConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  bucket: str,
  access_token: str = None,
  credentials: str = None,
  encryption_key: str = None,
  impersonate_service_account: str = None,
  impersonate_service_account_delegates: typing.List[str] = None,
  kms_encryption_key: str = None,
  prefix: str = None,
  storeage_custom_endpoint: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
bucketstr(Required) The name of the GCS bucket.
access_tokenstr(Optional) A temporary [OAuth 2.0 access token] obtained from the Google Authorization server, i.e. the Authorization: Bearer token used to authenticate HTTP requests to GCP APIs. This is an alternative to credentials. If both are specified, access_token will be used over the credentials field.
credentialsstr(Optional) Local path to Google Cloud Platform account credentials in JSON format.
encryption_keystr(Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state.
impersonate_service_accountstr(Optional) The service account to impersonate for accessing the State Bucket.
impersonate_service_account_delegatestyping.List[str](Optional) The delegation chain for an impersonating a service account.
kms_encryption_keystr(Optional) A Cloud KMS key ('customer-managed encryption key') used when reading and writing state files in the bucket.
prefixstr(Optional) GCS prefix inside the bucket.
storeage_custom_endpointstr(Optional) A URL containing three parts: the protocol, the DNS name pointing to a Private Service Connect endpoint, and the path for the Cloud Storage API (/storage/v1/b).
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
bucketRequired 
bucket: str
  • Type: str

(Required) The name of the GCS bucket.

This name must be globally unique.

access_tokenOptional 
access_token: str
  • Type: str

(Optional) A temporary [OAuth 2.0 access token] obtained from the Google Authorization server, i.e. the Authorization: Bearer token used to authenticate HTTP requests to GCP APIs. This is an alternative to credentials. If both are specified, access_token will be used over the credentials field.

credentialsOptional 
credentials: str
  • Type: str

(Optional) Local path to Google Cloud Platform account credentials in JSON format.

If unset, Google Application Default Credentials are used. The provided credentials must have Storage Object Admin role on the bucket.

Warning: if using the Google Cloud Platform provider as well, it will also pick up the GOOGLE_CREDENTIALS environment variable.

encryption_keyOptional 
encryption_key: str
  • Type: str

(Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state.

impersonate_service_accountOptional 
impersonate_service_account: str
  • Type: str

(Optional) The service account to impersonate for accessing the State Bucket.

You must have roles/iam.serviceAccountTokenCreator role on that account for the impersonation to succeed. If you are using a delegation chain, you can specify that using the impersonate_service_account_delegates field. Alternatively, this can be specified using the GOOGLE_IMPERSONATE_SERVICE_ACCOUNT environment variable.

impersonate_service_account_delegatesOptional 
impersonate_service_account_delegates: typing.List[str]
  • Type: typing.List[str]

(Optional) The delegation chain for an impersonating a service account.

kms_encryption_keyOptional 
kms_encryption_key: str
  • Type: str

(Optional) A Cloud KMS key ('customer-managed encryption key') used when reading and writing state files in the bucket.

Format should be projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{name}}. For more information, including IAM requirements, see {@link https://cloud.google.com/storage/docs/encryption/customer-managed-keys Customer-managed Encryption Keys}.

prefixOptional 
prefix: str
  • Type: str

(Optional) GCS prefix inside the bucket.

Named states for workspaces are stored in an object called < prefix >/< name >.tfstate.

storeage_custom_endpointOptional 
storeage_custom_endpoint: str
  • Type: str

(Optional) A URL containing three parts: the protocol, the DNS name pointing to a Private Service Connect endpoint, and the path for the Cloud Storage API (/storage/v1/b).

{@link https://developer.hashicorp.com/terraform/language/settings/backends/gcs#storage_custom_endpoint See here for more details}

DataTerraformRemoteStateHttpConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateHttpConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  address: str,
  client_ca_certificate_pem: str = None,
  client_certificate_pem: str = None,
  client_private_key_pem: str = None,
  lock_address: str = None,
  lock_method: str = None,
  password: str = None,
  retry_max: typing.Union[int, float] = None,
  retry_wait_max: typing.Union[int, float] = None,
  retry_wait_min: typing.Union[int, float] = None,
  skip_cert_verification: bool = None,
  unlock_address: str = None,
  unlock_method: str = None,
  update_method: str = None,
  username: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
addressstr(Required) The address of the REST endpoint.
client_ca_certificate_pemstr(Optional) A PEM-encoded CA certificate chain used by the client to verify server certificates during TLS authentication.
client_certificate_pemstr(Optional) A PEM-encoded certificate used by the server to verify the client during mutual TLS (mTLS) authentication.
client_private_key_pemstr(Optional) A PEM-encoded private key, required if client_certificate_pem is specified.
lock_addressstr(Optional) The address of the lock REST endpoint.
lock_methodstr(Optional) The HTTP method to use when locking.
passwordstr(Optional) The password for HTTP basic authentication.
retry_maxtyping.Union[int, float](Optional) The number of HTTP request retries.
retry_wait_maxtyping.Union[int, float](Optional) The maximum time in seconds to wait between HTTP request attempts.
retry_wait_mintyping.Union[int, float](Optional) The minimum time in seconds to wait between HTTP request attempts.
skip_cert_verificationbool(Optional) Whether to skip TLS verification.
unlock_addressstr(Optional) The address of the unlock REST endpoint.
unlock_methodstr(Optional) The HTTP method to use when unlocking.
update_methodstr(Optional) HTTP method to use when updating state.
usernamestr(Optional) The username for HTTP basic authentication.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
addressRequired 
address: str
  • Type: str

(Required) The address of the REST endpoint.

client_ca_certificate_pemOptional 
client_ca_certificate_pem: str
  • Type: str

(Optional) A PEM-encoded CA certificate chain used by the client to verify server certificates during TLS authentication.

client_certificate_pemOptional 
client_certificate_pem: str
  • Type: str

(Optional) A PEM-encoded certificate used by the server to verify the client during mutual TLS (mTLS) authentication.

client_private_key_pemOptional 
client_private_key_pem: str
  • Type: str

(Optional) A PEM-encoded private key, required if client_certificate_pem is specified.

lock_addressOptional 
lock_address: str
  • Type: str

(Optional) The address of the lock REST endpoint.

Defaults to disabled.

lock_methodOptional 
lock_method: str
  • Type: str

(Optional) The HTTP method to use when locking.

Defaults to LOCK.

passwordOptional 
password: str
  • Type: str

(Optional) The password for HTTP basic authentication.

retry_maxOptional 
retry_max: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional) The number of HTTP request retries.

Defaults to 2.

retry_wait_maxOptional 
retry_wait_max: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional) The maximum time in seconds to wait between HTTP request attempts.

Defaults to 30.

retry_wait_minOptional 
retry_wait_min: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional) The minimum time in seconds to wait between HTTP request attempts.

Defaults to 1.

skip_cert_verificationOptional 
skip_cert_verification: bool
  • Type: bool

(Optional) Whether to skip TLS verification.

Defaults to false.

unlock_addressOptional 
unlock_address: str
  • Type: str

(Optional) The address of the unlock REST endpoint.

Defaults to disabled.

unlock_methodOptional 
unlock_method: str
  • Type: str

(Optional) The HTTP method to use when unlocking.

Defaults to UNLOCK.

update_methodOptional 
update_method: str
  • Type: str

(Optional) HTTP method to use when updating state.

Defaults to POST.

usernameOptional 
username: str
  • Type: str

(Optional) The username for HTTP basic authentication.

DataTerraformRemoteStateLocalConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateLocalConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  path: str = None,
  workspace_dir: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
pathstrPath where the state file is stored.
workspace_dirstr(Optional) The path to non-default workspaces.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
pathOptional 
path: str
  • Type: str
  • Default: defaults to terraform.${stackId}.tfstate

Path where the state file is stored.

workspace_dirOptional 
workspace_dir: str
  • Type: str

(Optional) The path to non-default workspaces.

DataTerraformRemoteStateOssConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateOssConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  bucket: str,
  access_key: str = None,
  acl: str = None,
  assume_role: OssAssumeRole = None,
  assume_role_policy: str = None,
  assume_role_role_arn: str = None,
  assume_role_session_expiration: typing.Union[int, float] = None,
  assume_role_session_name: str = None,
  ecs_role_name: str = None,
  encrypt: bool = None,
  endpoint: str = None,
  key: str = None,
  prefix: str = None,
  profile: str = None,
  region: str = None,
  secret_key: str = None,
  security_token: str = None,
  shared_credentials_file: str = None,
  sts_endpoint: str = None,
  tablestore_endpoint: str = None,
  tablestore_table: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
bucketstr(Required) The name of the OSS bucket.
access_keystr(Optional) Alibaba Cloud access key.
aclstr(Optional) Object ACL to be applied to the state file.
assume_roleOssAssumeRoleNo description.
assume_role_policystr(Optional, Available in 1.1.0+) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use this policy to grant permissions that exceed those of the role that is being assumed.
assume_role_role_arnstr(Optional, Available in 1.1.0+) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports the environment variable ALICLOUD_ASSUME_ROLE_ARN. Terraform executes configuration on account with provided credentials.
assume_role_session_expirationtyping.Union[int, float](Optional, Available in 1.1.0+) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud uses its own default value). It supports environment variable ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION.
assume_role_session_namestr(Optional, Available in 1.1.0+) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable ALICLOUD_ASSUME_ROLE_SESSION_NAME.
ecs_role_namestr(Optional, Available in 0.12.14+) The RAM Role Name attached on a ECS instance for API operations. You can retrieve this from the 'Access Control' section of the Alibaba Cloud console.
encryptbool(Optional) Whether to enable server side encryption of the state file.
endpointstr(Optional) A custom endpoint for the OSS API.
keystr(Optional) The name of the state file.
prefixstr(Optional) The path directory of the state file will be stored.
profilestr(Optional, Available in 0.12.8+) This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the ALICLOUD_PROFILE environment variable.
regionstr(Optional) The region of the OSS bucket.
secret_keystr(Optional) Alibaba Cloud secret access key.
security_tokenstr(Optional) STS access token.
shared_credentials_filestr(Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from the ALICLOUD_SHARED_CREDENTIALS_FILE environment variable. If this is not set and a profile is specified, ~/.aliyun/config.json will be used.
sts_endpointstr(Optional, Available in 1.0.11+) Custom endpoint for the AliCloud Security Token Service (STS) API. It supports environment variable ALICLOUD_STS_ENDPOINT.
tablestore_endpointstr(Optional) A custom endpoint for the TableStore API.
tablestore_tablestr(Optional) A TableStore table for state locking and consistency.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
bucketRequired 
bucket: str
  • Type: str

(Required) The name of the OSS bucket.

access_keyOptional 
access_key: str
  • Type: str

(Optional) Alibaba Cloud access key.

It supports environment variables ALICLOUD_ACCESS_KEY and ALICLOUD_ACCESS_KEY_ID.

aclOptional 
acl: str
  • Type: str

(Optional) Object ACL to be applied to the state file.

assume_roleOptional
  • Deprecated: Use flattened assume role options
assume_role: OssAssumeRole
assume_role_policyOptional 
assume_role_policy: str
  • Type: str

(Optional, Available in 1.1.0+) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use this policy to grant permissions that exceed those of the role that is being assumed.

assume_role_role_arnOptional 
assume_role_role_arn: str
  • Type: str

(Optional, Available in 1.1.0+) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports the environment variable ALICLOUD_ASSUME_ROLE_ARN. Terraform executes configuration on account with provided credentials.

assume_role_session_expirationOptional 
assume_role_session_expiration: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional, Available in 1.1.0+) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud uses its own default value). It supports environment variable ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION.

assume_role_session_nameOptional 
assume_role_session_name: str
  • Type: str

(Optional, Available in 1.1.0+) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable ALICLOUD_ASSUME_ROLE_SESSION_NAME.

ecs_role_nameOptional 
ecs_role_name: str
  • Type: str

(Optional, Available in 0.12.14+) The RAM Role Name attached on a ECS instance for API operations. You can retrieve this from the 'Access Control' section of the Alibaba Cloud console.

encryptOptional 
encrypt: bool
  • Type: bool

(Optional) Whether to enable server side encryption of the state file.

If it is true, OSS will use 'AES256' encryption algorithm to encrypt state file.

endpointOptional 
endpoint: str
  • Type: str

(Optional) A custom endpoint for the OSS API.

It supports environment variables ALICLOUD_OSS_ENDPOINT and OSS_ENDPOINT.

keyOptional 
key: str
  • Type: str

(Optional) The name of the state file.

Defaults to terraform.tfstate.

prefixOptional 
prefix: str
  • Type: str

(Optional) The path directory of the state file will be stored.

Default to "env:".

profileOptional 
profile: str
  • Type: str

(Optional, Available in 0.12.8+) This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the ALICLOUD_PROFILE environment variable.

regionOptional 
region: str
  • Type: str

(Optional) The region of the OSS bucket.

It supports environment variables ALICLOUD_REGION and ALICLOUD_DEFAULT_REGION.

secret_keyOptional 
secret_key: str
  • Type: str

(Optional) Alibaba Cloud secret access key.

It supports environment variables ALICLOUD_SECRET_KEY and ALICLOUD_ACCESS_KEY_SECRET.

security_tokenOptional 
security_token: str
  • Type: str

(Optional) STS access token.

It supports environment variable ALICLOUD_SECURITY_TOKEN.

shared_credentials_fileOptional 
shared_credentials_file: str
  • Type: str

(Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from the ALICLOUD_SHARED_CREDENTIALS_FILE environment variable. If this is not set and a profile is specified, ~/.aliyun/config.json will be used.

sts_endpointOptional 
sts_endpoint: str
  • Type: str

(Optional, Available in 1.0.11+) Custom endpoint for the AliCloud Security Token Service (STS) API. It supports environment variable ALICLOUD_STS_ENDPOINT.

tablestore_endpointOptional 
tablestore_endpoint: str
  • Type: str

(Optional) A custom endpoint for the TableStore API.

tablestore_tableOptional 
tablestore_table: str
  • Type: str

(Optional) A TableStore table for state locking and consistency.

The table must have a primary key named LockID of type String.

DataTerraformRemoteStatePgConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStatePgConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  conn_str: str,
  schema_name: str = None,
  skip_index_creation: bool = None,
  skip_schema_creation: bool = None,
  skip_table_creation: bool = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
conn_strstrPostgres connection string;
schema_namestrName of the automatically-managed Postgres schema, default to terraform_remote_state.
skip_index_creationboolIf set to true, the Postgres index must already exist.
skip_schema_creationboolIf set to true, the Postgres schema must already exist.
skip_table_creationboolIf set to true, the Postgres table must already exist.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
conn_strRequired 
conn_str: str
  • Type: str

Postgres connection string;

a postgres:// URL. The PG_CONN_STR and standard libpq environment variables can also be used to indicate how to connect to the PostgreSQL database.

schema_nameOptional 
schema_name: str
  • Type: str

Name of the automatically-managed Postgres schema, default to terraform_remote_state.

Can also be set using the PG_SCHEMA_NAME environment variable.

skip_index_creationOptional 
skip_index_creation: bool
  • Type: bool

If set to true, the Postgres index must already exist.

Can also be set using the PG_SKIP_INDEX_CREATION environment variable. Terraform won't try to create the index, this is useful when it has already been created by a database administrator.

skip_schema_creationOptional 
skip_schema_creation: bool
  • Type: bool

If set to true, the Postgres schema must already exist.

Can also be set using the PG_SKIP_SCHEMA_CREATION environment variable. Terraform won't try to create the schema, this is useful when it has already been created by a database administrator.

skip_table_creationOptional 
skip_table_creation: bool
  • Type: bool

If set to true, the Postgres table must already exist.

Can also be set using the PG_SKIP_TABLE_CREATION environment variable. Terraform won't try to create the table, this is useful when it has already been created by a database administrator.

DataTerraformRemoteStateRemoteConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateRemoteConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  organization: str,
  workspaces: IRemoteWorkspace,
  hostname: str = None,
  token: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
organizationstrNo description.
workspacesIRemoteWorkspaceNo description.
hostnamestrNo description.
tokenstrNo description.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
organizationRequired 
organization: str
  • Type: str
workspacesRequired 
workspaces: IRemoteWorkspace
hostnameOptional 
hostname: str
  • Type: str
tokenOptional 
token: str
  • Type: str

DataTerraformRemoteStateS3Config

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateS3Config(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  bucket: str,
  key: str,
  access_key: str = None,
  acl: str = None,
  allowed_account_ids: typing.List[str] = None,
  assume_role: S3BackendAssumeRoleConfig = None,
  assume_role_policy: str = None,
  assume_role_policy_arns: typing.List[str] = None,
  assume_role_tags: typing.Mapping[str] = None,
  assume_role_transitive_tag_keys: typing.List[str] = None,
  assume_role_with_web_identity: S3BackendAssumeRoleWithWebIdentityConfig = None,
  custom_ca_bundle: str = None,
  dynamodb_endpoint: str = None,
  dynamodb_table: str = None,
  ec2_metadata_service_endpoint: str = None,
  ec2_metadata_service_endpoint_mode: str = None,
  encrypt: bool = None,
  endpoint: str = None,
  endpoints: S3BackendEndpointConfig = None,
  external_id: str = None,
  forbidden_account_ids: typing.List[str] = None,
  force_path_style: bool = None,
  http_proxy: str = None,
  https_proxy: str = None,
  iam_endpoint: str = None,
  insecure: bool = None,
  kms_key_id: str = None,
  max_retries: typing.Union[int, float] = None,
  no_proxy: str = None,
  profile: str = None,
  region: str = None,
  retry_mode: str = None,
  role_arn: str = None,
  secret_key: str = None,
  session_name: str = None,
  shared_config_files: typing.List[str] = None,
  shared_credentials_file: str = None,
  shared_credentials_files: typing.List[str] = None,
  skip_credentials_validation: bool = None,
  skip_metadata_api_check: bool = None,
  skip_region_validation: bool = None,
  skip_requesting_account_id: bool = None,
  skip_s3_checksum: bool = None,
  sse_customer_key: str = None,
  sts_endpoint: str = None,
  sts_region: str = None,
  token: str = None,
  use_legacy_workflow: bool = None,
  use_path_style: bool = None,
  workspace_key_prefix: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
bucketstrName of the S3 Bucket.
keystrPath to the state file inside the S3 Bucket.
access_keystr(Optional) AWS access key.
aclstr(Optional) Canned ACL to be applied to the state file.
allowed_account_idstyping.List[str](Optional) List of allowed AWS account IDs to prevent potential destruction of a live environment.
assume_roleS3BackendAssumeRoleConfigAssuming an IAM Role can be configured in two ways.
assume_role_policystr(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
assume_role_policy_arnstyping.List[str](Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
assume_role_tagstyping.Mapping[str](Optional) Map of assume role session tags.
assume_role_transitive_tag_keystyping.List[str](Optional) Set of assume role session tag keys to pass to any subsequent sessions.
assume_role_with_web_identityS3BackendAssumeRoleWithWebIdentityConfigAssume Role With Web Identity Configuration.
custom_ca_bundlestr(Optional) File containing custom root and intermediate certificates.
dynamodb_endpointstr(Optional) Custom endpoint for the AWS DynamoDB API.
dynamodb_tablestr(Optional) Name of DynamoDB Table to use for state locking and consistency.
ec2_metadata_service_endpointstrOptional) Custom endpoint URL for the EC2 Instance Metadata Service (IMDS) API.
ec2_metadata_service_endpoint_modestr(Optional) Mode to use in communicating with the metadata service.
encryptbool(Optional) Enable server side encryption of the state file.
endpointstr(Optional) Custom endpoint for the AWS S3 API.
endpointsS3BackendEndpointConfig(Optional) The endpoint configuration block.
external_idstr(Optional) External identifier to use when assuming the role.
forbidden_account_idstyping.List[str](Optional) List of forbidden AWS account IDs to prevent potential destruction of a live environment.
force_path_stylebool(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).
http_proxystr(Optional) URL of a proxy to use for HTTP requests when accessing the AWS API.
https_proxystr(Optional) URL of a proxy to use for HTTPS requests when accessing the AWS API.
iam_endpointstr(Optional) Custom endpoint for the AWS Identity and Access Management (IAM) API.
insecureboolOptional) Whether to explicitly allow the backend to perform "insecure" SSL requests.
kms_key_idstr(Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state.
max_retriestyping.Union[int, float](Optional) The maximum number of times an AWS API request is retried on retryable failure.
no_proxystr(Optional) Comma-separated list of hosts that should not use HTTP or HTTPS proxies.
profilestr(Optional) Name of AWS profile in AWS shared credentials file (e.g. ~/.aws/credentials) or AWS shared configuration file (e.g. ~/.aws/config) to use for credentials and/or configuration. This can also be sourced from the AWS_PROFILE environment variable.
regionstrAWS Region of the S3 Bucket and DynamoDB Table (if used).
retry_modestr(Optional) Specifies how retries are attempted.
role_arnstr(Optional) Amazon Resource Name (ARN) of the IAM Role to assume.
secret_keystr(Optional) AWS secret access key.
session_namestr(Optional) Session name to use when assuming the role.
shared_config_filestyping.List[str](Optional) List of paths to AWS shared configuration files.
shared_credentials_filestr(Optional) Path to the AWS shared credentials file.
shared_credentials_filestyping.List[str](Optional) List of paths to AWS shared credentials files.
skip_credentials_validationbool(Optional) Skip credentials validation via the STS API.
skip_metadata_api_checkbool(Optional) Skip usage of EC2 Metadata API.
skip_region_validationbool(Optional) Skip validation of provided region name.
skip_requesting_account_idbool(Optional) Whether to skip requesting the account ID.
skip_s3_checksumbool(Optional) Do not include checksum when uploading S3 Objects.
sse_customer_keystr(Optional) The key to use for encrypting state with Server-Side Encryption with Customer-Provided Keys (SSE-C).
sts_endpointstr(Optional) Custom endpoint for the AWS Security Token Service (STS) API.
sts_regionstr(Optional) AWS region for STS.
tokenstr(Optional) Multi-Factor Authentication (MFA) token.
use_legacy_workflowbool(Optional) Use the legacy authentication workflow, preferring environment variables over backend configuration.
use_path_stylebool(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).
workspace_key_prefixstr(Optional) Prefix applied to the state path inside the bucket.
defaultsOptional 
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional 
workspace: str
  • Type: str
bucketRequired 
bucket: str
  • Type: str

Name of the S3 Bucket.

keyRequired 
key: str
  • Type: str

Path to the state file inside the S3 Bucket.

When using a non-default workspace, the state path will be /workspace_key_prefix/workspace_name/key

access_keyOptional 
access_key: str
  • Type: str

(Optional) AWS access key.

If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).

aclOptional 
acl: str
  • Type: str

(Optional) Canned ACL to be applied to the state file.

allowed_account_idsOptional 
allowed_account_ids: typing.List[str]
  • Type: typing.List[str]

(Optional) List of allowed AWS account IDs to prevent potential destruction of a live environment.

Conflicts with forbidden_account_ids.

assume_roleOptional 
assume_role: S3BackendAssumeRoleConfig

Assuming an IAM Role can be configured in two ways.

The preferred way is to use the argument assume_role, the other, which is deprecated, is with arguments at the top level.

assume_role_policyOptional
  • Deprecated: Use assumeRole.policy instead.
assume_role_policy: str
  • Type: str

(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.

assume_role_policy_arnsOptional
  • Deprecated: Use assumeRole.policyArns instead.
assume_role_policy_arns: typing.List[str]
  • Type: typing.List[str]

(Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.

assume_role_tagsOptional
  • Deprecated: Use assumeRole.tags instead.
assume_role_tags: typing.Mapping[str]
  • Type: typing.Mapping[str]

(Optional) Map of assume role session tags.

assume_role_transitive_tag_keysOptional
  • Deprecated: Use assumeRole.transitiveTagKeys instead.
assume_role_transitive_tag_keys: typing.List[str]
  • Type: typing.List[str]

(Optional) Set of assume role session tag keys to pass to any subsequent sessions.

assume_role_with_web_identityOptional 
assume_role_with_web_identity: S3BackendAssumeRoleWithWebIdentityConfig

Assume Role With Web Identity Configuration.

custom_ca_bundleOptional 
custom_ca_bundle: str
  • Type: str

(Optional) File containing custom root and intermediate certificates.

Can also be set using the AWS_CA_BUNDLE environment variable. Setting ca_bundle in the shared config file is not supported.

dynamodb_endpointOptional
  • Deprecated: Use endpoints.dynamodb instead
dynamodb_endpoint: str
  • Type: str

(Optional) Custom endpoint for the AWS DynamoDB API.

This can also be sourced from the AWS_DYNAMODB_ENDPOINT environment variable.

dynamodb_tableOptional 
dynamodb_table: str
  • Type: str

(Optional) Name of DynamoDB Table to use for state locking and consistency.

The table must have a partition key named LockID with type of String. If not configured, state locking will be disabled.

ec2_metadata_service_endpointOptional 
ec2_metadata_service_endpoint: str
  • Type: str

Optional) Custom endpoint URL for the EC2 Instance Metadata Service (IMDS) API.

Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable.

ec2_metadata_service_endpoint_modeOptional 
ec2_metadata_service_endpoint_mode: str
  • Type: str

(Optional) Mode to use in communicating with the metadata service.

Valid values are IPv4 and IPv6. Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE environment variable.

encryptOptional 
encrypt: bool
  • Type: bool

(Optional) Enable server side encryption of the state file.

endpointOptional
  • Deprecated: Use endpoints.s3 instead
endpoint: str
  • Type: str

(Optional) Custom endpoint for the AWS S3 API.

This can also be sourced from the AWS_S3_ENDPOINT environment variable.

endpointsOptional 
endpoints: S3BackendEndpointConfig

(Optional) The endpoint configuration block.

external_idOptional
  • Deprecated: Use assume_role.external_id instead.
external_id: str
  • Type: str

(Optional) External identifier to use when assuming the role.

forbidden_account_idsOptional 
forbidden_account_ids: typing.List[str]
  • Type: typing.List[str]

(Optional) List of forbidden AWS account IDs to prevent potential destruction of a live environment.

Conflicts with allowed_account_ids.

force_path_styleOptional
  • Deprecated: Use usePathStyle instead
force_path_style: bool
  • Type: bool

(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).

http_proxyOptional 
http_proxy: str
  • Type: str

(Optional) URL of a proxy to use for HTTP requests when accessing the AWS API.

Can also be set using the HTTP_PROXY or http_proxy environment variables.

https_proxyOptional 
https_proxy: str
  • Type: str

(Optional) URL of a proxy to use for HTTPS requests when accessing the AWS API.

Can also be set using the HTTPS_PROXY or https_proxy environment variables.

iam_endpointOptional
  • Deprecated: Use endpoints.iam instead
iam_endpoint: str
  • Type: str

(Optional) Custom endpoint for the AWS Identity and Access Management (IAM) API.

This can also be sourced from the AWS_IAM_ENDPOINT environment variable.

insecureOptional 
insecure: bool
  • Type: bool

Optional) Whether to explicitly allow the backend to perform "insecure" SSL requests.

If omitted, the default value is false.

kms_key_idOptional 
kms_key_id: str
  • Type: str

(Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state.

Note that if this value is specified, Terraform will need kms:Encrypt, kms:Decrypt and kms:GenerateDataKey permissions on this KMS key.

max_retriesOptional 
max_retries: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional) The maximum number of times an AWS API request is retried on retryable failure.

Defaults to 5.

no_proxyOptional 
no_proxy: str
  • Type: str

(Optional) Comma-separated list of hosts that should not use HTTP or HTTPS proxies.

Each value can be one of:

  • A domain name
  • An IP address
  • A CIDR address
  • An asterisk (*), to indicate that no proxying should be performed Domain name and IP address values can also include a port number. Can also be set using the NO_PROXY or no_proxy environment variables.
profileOptional 
profile: str
  • Type: str

(Optional) Name of AWS profile in AWS shared credentials file (e.g. ~/.aws/credentials) or AWS shared configuration file (e.g. ~/.aws/config) to use for credentials and/or configuration. This can also be sourced from the AWS_PROFILE environment variable.

regionOptional 
region: str
  • Type: str

AWS Region of the S3 Bucket and DynamoDB Table (if used).

This can also be sourced from the AWS_DEFAULT_REGION and AWS_REGION environment variables.

retry_modeOptional 
retry_mode: str
  • Type: str

(Optional) Specifies how retries are attempted.

Valid values are standard and adaptive. Can also be configured using the AWS_RETRY_MODE environment variable or the shared config file parameter retry_mode.

role_arnOptional
  • Deprecated: Use assumeRole.roleArn instead.
role_arn: str
  • Type: str

(Optional) Amazon Resource Name (ARN) of the IAM Role to assume.

secret_keyOptional 
secret_key: str
  • Type: str

(Optional) AWS secret access key.

If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config)

session_nameOptional
  • Deprecated: Use assumeRole.sessionName instead.
session_name: str
  • Type: str

(Optional) Session name to use when assuming the role.

shared_config_filesOptional 
shared_config_files: typing.List[str]
  • Type: typing.List[str]

(Optional) List of paths to AWS shared configuration files.

Defaults to ~/.aws/config.

shared_credentials_fileOptional 
shared_credentials_file: str
  • Type: str

(Optional) Path to the AWS shared credentials file.

Defaults to ~/.aws/credentials.

shared_credentials_filesOptional 
shared_credentials_files: typing.List[str]
  • Type: typing.List[str]

(Optional) List of paths to AWS shared credentials files.

Defaults to ~/.aws/credentials.

skip_credentials_validationOptional 
skip_credentials_validation: bool
  • Type: bool

(Optional) Skip credentials validation via the STS API.

skip_metadata_api_checkOptional 
skip_metadata_api_check: bool
  • Type: bool

(Optional) Skip usage of EC2 Metadata API.

skip_region_validationOptional 
skip_region_validation: bool
  • Type: bool

(Optional) Skip validation of provided region name.

skip_requesting_account_idOptional 
skip_requesting_account_id: bool
  • Type: bool

(Optional) Whether to skip requesting the account ID.

Useful for AWS API implementations that do not have the IAM, STS API, or metadata API.

skip_s3_checksumOptional 
skip_s3_checksum: bool
  • Type: bool

(Optional) Do not include checksum when uploading S3 Objects.

Useful for some S3-Compatible APIs.

sse_customer_keyOptional 
sse_customer_key: str
  • Type: str

(Optional) The key to use for encrypting state with Server-Side Encryption with Customer-Provided Keys (SSE-C).

This is the base64-encoded value of the key, which must decode to 256 bits. This can also be sourced from the AWS_SSE_CUSTOMER_KEY environment variable, which is recommended due to the sensitivity of the value. Setting it inside a terraform file will cause it to be persisted to disk in terraform.tfstate.

sts_endpointOptional
  • Deprecated: Use endpoints.sts instead
sts_endpoint: str
  • Type: str

(Optional) Custom endpoint for the AWS Security Token Service (STS) API.

This can also be sourced from the AWS_STS_ENDPOINT environment variable.

sts_regionOptional 
sts_region: str
  • Type: str

(Optional) AWS region for STS.

If unset, AWS will use the same region for STS as other non-STS operations.

tokenOptional 
token: str
  • Type: str

(Optional) Multi-Factor Authentication (MFA) token.

This can also be sourced from the AWS_SESSION_TOKEN environment variable.

use_legacy_workflowOptional 
use_legacy_workflow: bool
  • Type: bool

(Optional) Use the legacy authentication workflow, preferring environment variables over backend configuration.

Defaults to true. This behavior does not align with the authentication flow of the AWS CLI or SDK's, and will be removed in the future.

use_path_styleOptional 
use_path_style: bool
  • Type: bool

(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).

workspace_key_prefixOptional 
workspace_key_prefix: str
  • Type: str

(Optional) Prefix applied to the state path inside the bucket.

This is only relevant when using a non-default workspace. Defaults to env:

DataTerraformRemoteStateSwiftConfig

Initializer 

import cdktf

cdktf.DataTerraformRemoteStateSwiftConfig(
  defaults: typing.Mapping[typing.Any] = None,
  workspace: str = None,
  container: str,
  application_credential_id: str = None,
  application_credential_name: str = None,
  application_credential_secret: str = None,
  archive_container: str = None,
  auth_url: str = None,
  cacert_file: str = None,
  cert: str = None,
  cloud: str = None,
  default_domain: str = None,
  domain_id: str = None,
  domain_name: str = None,
  expire_after: str = None,
  insecure: bool = None,
  key: str = None,
  password: str = None,
  project_domain_id: str = None,
  project_domain_name: str = None,
  region_name: str = None,
  state_name: str = None,
  tenant_id: str = None,
  tenant_name: str = None,
  token: str = None,
  user_domain_id: str = None,
  user_domain_name: str = None,
  user_id: str = None,
  user_name: str = None
)

Properties

NameTypeDescription
defaultstyping.Mapping[typing.Any]No description.
workspacestrNo description.
containerstrNo description.
application_credential_idstrNo description.
application_credential_namestrNo description.
application_credential_secretstrNo description.
archive_containerstrNo description.
auth_urlstrNo description.
cacert_filestrNo description.
certstrNo description.
cloudstrNo description.
default_domainstrNo description.
domain_idstrNo description.
domain_namestrNo description.
expire_afterstrNo description.
insecureboolNo description.
keystrNo description.
passwordstrNo description.
project_domain_idstrNo description.
project_domain_namestrNo description.
region_namestrNo description.
state_namestrNo description.
tenant_idstrNo description.
tenant_namestrNo description.
tokenstrNo description.
user_domain_idstrNo description.
user_domain_namestrNo description.
user_idstrNo description.
user_namestrNo description.
defaultsOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
defaults: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
workspaceOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
workspace: str
  • Type: str
containerRequired
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
container: str
  • Type: str
application_credential_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
application_credential_id: str
  • Type: str
application_credential_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
application_credential_name: str
  • Type: str
application_credential_secretOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
application_credential_secret: str
  • Type: str
archive_containerOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
archive_container: str
  • Type: str
auth_urlOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
auth_url: str
  • Type: str
cacert_fileOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
cacert_file: str
  • Type: str
certOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
cert: str
  • Type: str
cloudOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
cloud: str
  • Type: str
default_domainOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
default_domain: str
  • Type: str
domain_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
domain_id: str
  • Type: str
domain_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
domain_name: str
  • Type: str
expire_afterOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
expire_after: str
  • Type: str
insecureOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
insecure: bool
  • Type: bool
keyOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
key: str
  • Type: str
passwordOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
password: str
  • Type: str
project_domain_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
project_domain_id: str
  • Type: str
project_domain_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
project_domain_name: str
  • Type: str
region_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
region_name: str
  • Type: str
state_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
state_name: str
  • Type: str
tenant_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
tenant_id: str
  • Type: str
tenant_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
tenant_name: str
  • Type: str
tokenOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
token: str
  • Type: str
user_domain_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
user_domain_id: str
  • Type: str
user_domain_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
user_domain_name: str
  • Type: str
user_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
user_id: str
  • Type: str
user_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
user_name: str
  • Type: str

EncodingOptions

Properties to string encodings.

Initializer 

import cdktf

cdktf.EncodingOptions(
  display_hint: str = None
)

Properties

NameTypeDescription
display_hintstrA hint for the Token's purpose when stringifying it.
display_hintOptional 
display_hint: str
  • Type: str
  • Default: no display hint

A hint for the Token's purpose when stringifying it.

FileProvisioner

The file provisioner copies files or directories from the machine running Terraform to the newly created resource.

The file provisioner supports both ssh and winrm type connections.

See {@link https://developer.hashicorp.com/terraform/language/resources/provisioners/file file}

Initializer 

import cdktf

cdktf.FileProvisioner(
  destination: str,
  type: str,
  connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection] = None,
  content: str = None,
  source: str = None
)

Properties

NameTypeDescription
destinationstrThe source file or directory.
typestrNo description.
connectiontyping.Union[SSHProvisionerConnection, WinrmProvisionerConnection]Most provisioners require access to the remote resource via SSH or WinRM and expect a nested connection block with details about how to connect.
contentstrThe destination path to write to on the remote system.
sourcestrThe direct content to copy on the destination.
destinationRequired 
destination: str
  • Type: str

The source file or directory.

Specify it either relative to the current working directory or as an absolute path. This argument cannot be combined with content.

typeRequired 
type: str
  • Type: str
connectionOptional 
connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection]

Most provisioners require access to the remote resource via SSH or WinRM and expect a nested connection block with details about how to connect.

contentOptional 
content: str
  • Type: str

The destination path to write to on the remote system.

See Destination Paths below for more information.

sourceOptional 
source: str
  • Type: str

The direct content to copy on the destination.

If destination is a file, the content will be written on that file. In case of a directory, a file named tf-file-content is created inside that directory. We recommend using a file as the destination when using content. This argument cannot be combined with source.

GcsBackendConfig

Stores the state as an object in a configurable prefix in a pre-existing bucket on Google Cloud Storage (GCS).

The bucket must exist prior to configuring the backend.

This backend supports state locking.

Warning! It is highly recommended that you enable Object Versioning on the GCS bucket to allow for state recovery in the case of accidental deletions and human error.

Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/gcs

Initializer 

import cdktf

cdktf.GcsBackendConfig(
  bucket: str,
  access_token: str = None,
  credentials: str = None,
  encryption_key: str = None,
  impersonate_service_account: str = None,
  impersonate_service_account_delegates: typing.List[str] = None,
  kms_encryption_key: str = None,
  prefix: str = None,
  storeage_custom_endpoint: str = None
)

Properties

NameTypeDescription
bucketstr(Required) The name of the GCS bucket.
access_tokenstr(Optional) A temporary [OAuth 2.0 access token] obtained from the Google Authorization server, i.e. the Authorization: Bearer token used to authenticate HTTP requests to GCP APIs. This is an alternative to credentials. If both are specified, access_token will be used over the credentials field.
credentialsstr(Optional) Local path to Google Cloud Platform account credentials in JSON format.
encryption_keystr(Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state.
impersonate_service_accountstr(Optional) The service account to impersonate for accessing the State Bucket.
impersonate_service_account_delegatestyping.List[str](Optional) The delegation chain for an impersonating a service account.
kms_encryption_keystr(Optional) A Cloud KMS key ('customer-managed encryption key') used when reading and writing state files in the bucket.
prefixstr(Optional) GCS prefix inside the bucket.
storeage_custom_endpointstr(Optional) A URL containing three parts: the protocol, the DNS name pointing to a Private Service Connect endpoint, and the path for the Cloud Storage API (/storage/v1/b).
bucketRequired 
bucket: str
  • Type: str

(Required) The name of the GCS bucket.

This name must be globally unique.

access_tokenOptional 
access_token: str
  • Type: str

(Optional) A temporary [OAuth 2.0 access token] obtained from the Google Authorization server, i.e. the Authorization: Bearer token used to authenticate HTTP requests to GCP APIs. This is an alternative to credentials. If both are specified, access_token will be used over the credentials field.

credentialsOptional 
credentials: str
  • Type: str

(Optional) Local path to Google Cloud Platform account credentials in JSON format.

If unset, Google Application Default Credentials are used. The provided credentials must have Storage Object Admin role on the bucket.

Warning: if using the Google Cloud Platform provider as well, it will also pick up the GOOGLE_CREDENTIALS environment variable.

encryption_keyOptional 
encryption_key: str
  • Type: str

(Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state.

impersonate_service_accountOptional 
impersonate_service_account: str
  • Type: str

(Optional) The service account to impersonate for accessing the State Bucket.

You must have roles/iam.serviceAccountTokenCreator role on that account for the impersonation to succeed. If you are using a delegation chain, you can specify that using the impersonate_service_account_delegates field. Alternatively, this can be specified using the GOOGLE_IMPERSONATE_SERVICE_ACCOUNT environment variable.

impersonate_service_account_delegatesOptional 
impersonate_service_account_delegates: typing.List[str]
  • Type: typing.List[str]

(Optional) The delegation chain for an impersonating a service account.

kms_encryption_keyOptional 
kms_encryption_key: str
  • Type: str

(Optional) A Cloud KMS key ('customer-managed encryption key') used when reading and writing state files in the bucket.

Format should be projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{name}}. For more information, including IAM requirements, see {@link https://cloud.google.com/storage/docs/encryption/customer-managed-keys Customer-managed Encryption Keys}.

prefixOptional 
prefix: str
  • Type: str

(Optional) GCS prefix inside the bucket.

Named states for workspaces are stored in an object called < prefix >/< name >.tfstate.

storeage_custom_endpointOptional 
storeage_custom_endpoint: str
  • Type: str

(Optional) A URL containing three parts: the protocol, the DNS name pointing to a Private Service Connect endpoint, and the path for the Cloud Storage API (/storage/v1/b).

{@link https://developer.hashicorp.com/terraform/language/settings/backends/gcs#storage_custom_endpoint See here for more details}

HttpBackendConfig

Stores the state using a simple REST client.

State will be fetched via GET, updated via POST, and purged with DELETE. The method used for updating is configurable.

This backend optionally supports state locking. When locking support is enabled it will use LOCK and UNLOCK requests providing the lock info in the body. The endpoint should return a 423: Locked or 409: Conflict with the holding lock info when it's already taken, 200: OK for success. Any other status will be considered an error. The ID of the holding lock info will be added as a query parameter to state updates requests.

Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/http

Initializer 

import cdktf

cdktf.HttpBackendConfig(
  address: str,
  client_ca_certificate_pem: str = None,
  client_certificate_pem: str = None,
  client_private_key_pem: str = None,
  lock_address: str = None,
  lock_method: str = None,
  password: str = None,
  retry_max: typing.Union[int, float] = None,
  retry_wait_max: typing.Union[int, float] = None,
  retry_wait_min: typing.Union[int, float] = None,
  skip_cert_verification: bool = None,
  unlock_address: str = None,
  unlock_method: str = None,
  update_method: str = None,
  username: str = None
)

Properties

NameTypeDescription
addressstr(Required) The address of the REST endpoint.
client_ca_certificate_pemstr(Optional) A PEM-encoded CA certificate chain used by the client to verify server certificates during TLS authentication.
client_certificate_pemstr(Optional) A PEM-encoded certificate used by the server to verify the client during mutual TLS (mTLS) authentication.
client_private_key_pemstr(Optional) A PEM-encoded private key, required if client_certificate_pem is specified.
lock_addressstr(Optional) The address of the lock REST endpoint.
lock_methodstr(Optional) The HTTP method to use when locking.
passwordstr(Optional) The password for HTTP basic authentication.
retry_maxtyping.Union[int, float](Optional) The number of HTTP request retries.
retry_wait_maxtyping.Union[int, float](Optional) The maximum time in seconds to wait between HTTP request attempts.
retry_wait_mintyping.Union[int, float](Optional) The minimum time in seconds to wait between HTTP request attempts.
skip_cert_verificationbool(Optional) Whether to skip TLS verification.
unlock_addressstr(Optional) The address of the unlock REST endpoint.
unlock_methodstr(Optional) The HTTP method to use when unlocking.
update_methodstr(Optional) HTTP method to use when updating state.
usernamestr(Optional) The username for HTTP basic authentication.
addressRequired 
address: str
  • Type: str

(Required) The address of the REST endpoint.

client_ca_certificate_pemOptional 
client_ca_certificate_pem: str
  • Type: str

(Optional) A PEM-encoded CA certificate chain used by the client to verify server certificates during TLS authentication.

client_certificate_pemOptional 
client_certificate_pem: str
  • Type: str

(Optional) A PEM-encoded certificate used by the server to verify the client during mutual TLS (mTLS) authentication.

client_private_key_pemOptional 
client_private_key_pem: str
  • Type: str

(Optional) A PEM-encoded private key, required if client_certificate_pem is specified.

lock_addressOptional 
lock_address: str
  • Type: str

(Optional) The address of the lock REST endpoint.

Defaults to disabled.

lock_methodOptional 
lock_method: str
  • Type: str

(Optional) The HTTP method to use when locking.

Defaults to LOCK.

passwordOptional 
password: str
  • Type: str

(Optional) The password for HTTP basic authentication.

retry_maxOptional 
retry_max: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional) The number of HTTP request retries.

Defaults to 2.

retry_wait_maxOptional 
retry_wait_max: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional) The maximum time in seconds to wait between HTTP request attempts.

Defaults to 30.

retry_wait_minOptional 
retry_wait_min: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional) The minimum time in seconds to wait between HTTP request attempts.

Defaults to 1.

skip_cert_verificationOptional 
skip_cert_verification: bool
  • Type: bool

(Optional) Whether to skip TLS verification.

Defaults to false.

unlock_addressOptional 
unlock_address: str
  • Type: str

(Optional) The address of the unlock REST endpoint.

Defaults to disabled.

unlock_methodOptional 
unlock_method: str
  • Type: str

(Optional) The HTTP method to use when unlocking.

Defaults to UNLOCK.

update_methodOptional 
update_method: str
  • Type: str

(Optional) HTTP method to use when updating state.

Defaults to POST.

usernameOptional 
username: str
  • Type: str

(Optional) The username for HTTP basic authentication.

LazyAnyValueOptions

Options for creating lazy untyped tokens.

Initializer 

import cdktf

cdktf.LazyAnyValueOptions(
  display_hint: str = None,
  omit_empty_array: bool = None
)

Properties

NameTypeDescription
display_hintstrUse the given name as a display hint.
omit_empty_arrayboolIf the produced value is an array and it is empty, return 'undefined' instead.
display_hintOptional 
display_hint: str
  • Type: str
  • Default: No hint

Use the given name as a display hint.

omit_empty_arrayOptional 
omit_empty_array: bool
  • Type: bool
  • Default: false

If the produced value is an array and it is empty, return 'undefined' instead.

LazyListValueOptions

Options for creating a lazy list token.

Initializer 

import cdktf

cdktf.LazyListValueOptions(
  display_hint: str = None,
  omit_empty: bool = None
)

Properties

NameTypeDescription
display_hintstrUse the given name as a display hint.
omit_emptyboolIf the produced list is empty, return 'undefined' instead.
display_hintOptional 
display_hint: str
  • Type: str
  • Default: No hint

Use the given name as a display hint.

omit_emptyOptional 
omit_empty: bool
  • Type: bool
  • Default: false

If the produced list is empty, return 'undefined' instead.

LazyStringValueOptions

Options for creating a lazy string token.

Initializer 

import cdktf

cdktf.LazyStringValueOptions(
  display_hint: str = None
)

Properties

NameTypeDescription
display_hintstrUse the given name as a display hint.
display_hintOptional 
display_hint: str
  • Type: str
  • Default: No hint

Use the given name as a display hint.

LocalBackendConfig

The local backend stores state on the local filesystem, locks that state using system APIs, and performs operations locally.

Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/local

Initializer 

import cdktf

cdktf.LocalBackendConfig(
  path: str = None,
  workspace_dir: str = None
)

Properties

NameTypeDescription
pathstrPath where the state file is stored.
workspace_dirstr(Optional) The path to non-default workspaces.
pathOptional 
path: str
  • Type: str
  • Default: defaults to terraform.${stackId}.tfstate

Path where the state file is stored.

workspace_dirOptional 
workspace_dir: str
  • Type: str

(Optional) The path to non-default workspaces.

LocalExecProvisioner

The local-exec provisioner invokes a local executable after a resource is created.

This invokes a process on the machine running Terraform, not on the resource.

See {@link https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec local-exec}

Initializer 

import cdktf

cdktf.LocalExecProvisioner(
  command: str,
  type: str,
  environment: typing.Mapping[str] = None,
  interpreter: typing.List[str] = None,
  when: str = None,
  working_dir: str = None
)

Properties

NameTypeDescription
commandstrThis is the command to execute.
typestrNo description.
environmenttyping.Mapping[str]A record of key value pairs representing the environment of the executed command.
interpretertyping.List[str]If provided, this is a list of interpreter arguments used to execute the command.
whenstrIf provided, specifies when Terraform will execute the command.
working_dirstrIf provided, specifies the working directory where command will be executed.
commandRequired 
command: str
  • Type: str

This is the command to execute.

It can be provided as a relative path to the current working directory or as an absolute path. It is evaluated in a shell, and can use environment variables or Terraform variables.

typeRequired 
type: str
  • Type: str
environmentOptional 
environment: typing.Mapping[str]
  • Type: typing.Mapping[str]

A record of key value pairs representing the environment of the executed command.

It inherits the current process environment.

interpreterOptional 
interpreter: typing.List[str]
  • Type: typing.List[str]

If provided, this is a list of interpreter arguments used to execute the command.

The first argument is the interpreter itself. It can be provided as a relative path to the current working directory or as an absolute path The remaining arguments are appended prior to the command. This allows building command lines of the form "/bin/bash", "-c", "echo foo". If interpreter is unspecified, sensible defaults will be chosen based on the system OS.

whenOptional 
when: str
  • Type: str

If provided, specifies when Terraform will execute the command.

For example, when = destroy specifies that the provisioner will run when the associated resource is destroyed

working_dirOptional 
working_dir: str
  • Type: str

If provided, specifies the working directory where command will be executed.

It can be provided as a relative path to the current working directory or as an absolute path. The directory must exist.

OssAssumeRole

Initializer 

import cdktf

cdktf.OssAssumeRole(
  role_arn: str,
  policy: str = None,
  session_expiration: typing.Union[int, float] = None,
  session_name: str = None
)

Properties

NameTypeDescription
role_arnstrNo description.
policystrNo description.
session_expirationtyping.Union[int, float]No description.
session_namestrNo description.
role_arnRequired 
role_arn: str
  • Type: str
policyOptional 
policy: str
  • Type: str
session_expirationOptional 
session_expiration: typing.Union[int, float]
  • Type: typing.Union[int, float]
session_nameOptional 
session_name: str
  • Type: str

OssBackendConfig

Initializer 

import cdktf

cdktf.OssBackendConfig(
  bucket: str,
  access_key: str = None,
  acl: str = None,
  assume_role: OssAssumeRole = None,
  assume_role_policy: str = None,
  assume_role_role_arn: str = None,
  assume_role_session_expiration: typing.Union[int, float] = None,
  assume_role_session_name: str = None,
  ecs_role_name: str = None,
  encrypt: bool = None,
  endpoint: str = None,
  key: str = None,
  prefix: str = None,
  profile: str = None,
  region: str = None,
  secret_key: str = None,
  security_token: str = None,
  shared_credentials_file: str = None,
  sts_endpoint: str = None,
  tablestore_endpoint: str = None,
  tablestore_table: str = None
)

Properties

NameTypeDescription
bucketstr(Required) The name of the OSS bucket.
access_keystr(Optional) Alibaba Cloud access key.
aclstr(Optional) Object ACL to be applied to the state file.
assume_roleOssAssumeRoleNo description.
assume_role_policystr(Optional, Available in 1.1.0+) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use this policy to grant permissions that exceed those of the role that is being assumed.
assume_role_role_arnstr(Optional, Available in 1.1.0+) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports the environment variable ALICLOUD_ASSUME_ROLE_ARN. Terraform executes configuration on account with provided credentials.
assume_role_session_expirationtyping.Union[int, float](Optional, Available in 1.1.0+) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud uses its own default value). It supports environment variable ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION.
assume_role_session_namestr(Optional, Available in 1.1.0+) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable ALICLOUD_ASSUME_ROLE_SESSION_NAME.
ecs_role_namestr(Optional, Available in 0.12.14+) The RAM Role Name attached on a ECS instance for API operations. You can retrieve this from the 'Access Control' section of the Alibaba Cloud console.
encryptbool(Optional) Whether to enable server side encryption of the state file.
endpointstr(Optional) A custom endpoint for the OSS API.
keystr(Optional) The name of the state file.
prefixstr(Optional) The path directory of the state file will be stored.
profilestr(Optional, Available in 0.12.8+) This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the ALICLOUD_PROFILE environment variable.
regionstr(Optional) The region of the OSS bucket.
secret_keystr(Optional) Alibaba Cloud secret access key.
security_tokenstr(Optional) STS access token.
shared_credentials_filestr(Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from the ALICLOUD_SHARED_CREDENTIALS_FILE environment variable. If this is not set and a profile is specified, ~/.aliyun/config.json will be used.
sts_endpointstr(Optional, Available in 1.0.11+) Custom endpoint for the AliCloud Security Token Service (STS) API. It supports environment variable ALICLOUD_STS_ENDPOINT.
tablestore_endpointstr(Optional) A custom endpoint for the TableStore API.
tablestore_tablestr(Optional) A TableStore table for state locking and consistency.
bucketRequired 
bucket: str
  • Type: str

(Required) The name of the OSS bucket.

access_keyOptional 
access_key: str
  • Type: str

(Optional) Alibaba Cloud access key.

It supports environment variables ALICLOUD_ACCESS_KEY and ALICLOUD_ACCESS_KEY_ID.

aclOptional 
acl: str
  • Type: str

(Optional) Object ACL to be applied to the state file.

assume_roleOptional
  • Deprecated: Use flattened assume role options
assume_role: OssAssumeRole
assume_role_policyOptional 
assume_role_policy: str
  • Type: str

(Optional, Available in 1.1.0+) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use this policy to grant permissions that exceed those of the role that is being assumed.

assume_role_role_arnOptional 
assume_role_role_arn: str
  • Type: str

(Optional, Available in 1.1.0+) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports the environment variable ALICLOUD_ASSUME_ROLE_ARN. Terraform executes configuration on account with provided credentials.

assume_role_session_expirationOptional 
assume_role_session_expiration: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional, Available in 1.1.0+) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud uses its own default value). It supports environment variable ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION.

assume_role_session_nameOptional 
assume_role_session_name: str
  • Type: str

(Optional, Available in 1.1.0+) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable ALICLOUD_ASSUME_ROLE_SESSION_NAME.

ecs_role_nameOptional 
ecs_role_name: str
  • Type: str

(Optional, Available in 0.12.14+) The RAM Role Name attached on a ECS instance for API operations. You can retrieve this from the 'Access Control' section of the Alibaba Cloud console.

encryptOptional 
encrypt: bool
  • Type: bool

(Optional) Whether to enable server side encryption of the state file.

If it is true, OSS will use 'AES256' encryption algorithm to encrypt state file.

endpointOptional 
endpoint: str
  • Type: str

(Optional) A custom endpoint for the OSS API.

It supports environment variables ALICLOUD_OSS_ENDPOINT and OSS_ENDPOINT.

keyOptional 
key: str
  • Type: str

(Optional) The name of the state file.

Defaults to terraform.tfstate.

prefixOptional 
prefix: str
  • Type: str

(Optional) The path directory of the state file will be stored.

Default to "env:".

profileOptional 
profile: str
  • Type: str

(Optional, Available in 0.12.8+) This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the ALICLOUD_PROFILE environment variable.

regionOptional 
region: str
  • Type: str

(Optional) The region of the OSS bucket.

It supports environment variables ALICLOUD_REGION and ALICLOUD_DEFAULT_REGION.

secret_keyOptional 
secret_key: str
  • Type: str

(Optional) Alibaba Cloud secret access key.

It supports environment variables ALICLOUD_SECRET_KEY and ALICLOUD_ACCESS_KEY_SECRET.

security_tokenOptional 
security_token: str
  • Type: str

(Optional) STS access token.

It supports environment variable ALICLOUD_SECURITY_TOKEN.

shared_credentials_fileOptional 
shared_credentials_file: str
  • Type: str

(Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from the ALICLOUD_SHARED_CREDENTIALS_FILE environment variable. If this is not set and a profile is specified, ~/.aliyun/config.json will be used.

sts_endpointOptional 
sts_endpoint: str
  • Type: str

(Optional, Available in 1.0.11+) Custom endpoint for the AliCloud Security Token Service (STS) API. It supports environment variable ALICLOUD_STS_ENDPOINT.

tablestore_endpointOptional 
tablestore_endpoint: str
  • Type: str

(Optional) A custom endpoint for the TableStore API.

tablestore_tableOptional 
tablestore_table: str
  • Type: str

(Optional) A TableStore table for state locking and consistency.

The table must have a primary key named LockID of type String.

PgBackendConfig

Initializer 

import cdktf

cdktf.PgBackendConfig(
  conn_str: str,
  schema_name: str = None,
  skip_index_creation: bool = None,
  skip_schema_creation: bool = None,
  skip_table_creation: bool = None
)

Properties

NameTypeDescription
conn_strstrPostgres connection string;
schema_namestrName of the automatically-managed Postgres schema, default to terraform_remote_state.
skip_index_creationboolIf set to true, the Postgres index must already exist.
skip_schema_creationboolIf set to true, the Postgres schema must already exist.
skip_table_creationboolIf set to true, the Postgres table must already exist.
conn_strRequired 
conn_str: str
  • Type: str

Postgres connection string;

a postgres:// URL. The PG_CONN_STR and standard libpq environment variables can also be used to indicate how to connect to the PostgreSQL database.

schema_nameOptional 
schema_name: str
  • Type: str

Name of the automatically-managed Postgres schema, default to terraform_remote_state.

Can also be set using the PG_SCHEMA_NAME environment variable.

skip_index_creationOptional 
skip_index_creation: bool
  • Type: bool

If set to true, the Postgres index must already exist.

Can also be set using the PG_SKIP_INDEX_CREATION environment variable. Terraform won't try to create the index, this is useful when it has already been created by a database administrator.

skip_schema_creationOptional 
skip_schema_creation: bool
  • Type: bool

If set to true, the Postgres schema must already exist.

Can also be set using the PG_SKIP_SCHEMA_CREATION environment variable. Terraform won't try to create the schema, this is useful when it has already been created by a database administrator.

skip_table_creationOptional 
skip_table_creation: bool
  • Type: bool

If set to true, the Postgres table must already exist.

Can also be set using the PG_SKIP_TABLE_CREATION environment variable. Terraform won't try to create the table, this is useful when it has already been created by a database administrator.

Postcondition

Terraform checks a postcondition after evaluating the object it is associated with.

Initializer 

import cdktf

cdktf.Postcondition(
  condition: typing.Any,
  error_message: str
)

Properties

NameTypeDescription
conditiontyping.AnyThis is a boolean expression that should return true if the intended assumption or guarantee is fulfilled or false if it does not.
error_messagestrThis contains the text that Terraform will include as part of error messages when it detects an unmet condition.
conditionRequired 
condition: typing.Any
  • Type: typing.Any

This is a boolean expression that should return true if the intended assumption or guarantee is fulfilled or false if it does not.

error_messageRequired 
error_message: str
  • Type: str

This contains the text that Terraform will include as part of error messages when it detects an unmet condition.

Precondition

Terraform checks a precondition before evaluating the object it is associated with.

Initializer 

import cdktf

cdktf.Precondition(
  condition: typing.Any,
  error_message: str
)

Properties

NameTypeDescription
conditiontyping.AnyThis is a boolean expression that should return true if the intended assumption or guarantee is fulfilled or false if it does not.
error_messagestrThis contains the text that Terraform will include as part of error messages when it detects an unmet condition.
conditionRequired 
condition: typing.Any
  • Type: typing.Any

This is a boolean expression that should return true if the intended assumption or guarantee is fulfilled or false if it does not.

error_messageRequired 
error_message: str
  • Type: str

This contains the text that Terraform will include as part of error messages when it detects an unmet condition.

RemoteBackendConfig

Initializer 

import cdktf

cdktf.RemoteBackendConfig(
  organization: str,
  workspaces: IRemoteWorkspace,
  hostname: str = None,
  token: str = None
)

Properties

NameTypeDescription
organizationstrNo description.
workspacesIRemoteWorkspaceNo description.
hostnamestrNo description.
tokenstrNo description.
organizationRequired 
organization: str
  • Type: str
workspacesRequired 
workspaces: IRemoteWorkspace
hostnameOptional 
hostname: str
  • Type: str
tokenOptional 
token: str
  • Type: str

RemoteExecProvisioner

The remote-exec provisioner invokes a script on a remote resource after it is created.

This can be used to run a configuration management tool, bootstrap into a cluster, etc The remote-exec provisioner requires a connection and supports both ssh and winrm.

See {@link https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec remote-exec}

Initializer 

import cdktf

cdktf.RemoteExecProvisioner(
  type: str,
  connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection] = None,
  inline: typing.List[str] = None,
  script: str = None,
  scripts: typing.List[str] = None
)

Properties

NameTypeDescription
typestrNo description.
connectiontyping.Union[SSHProvisionerConnection, WinrmProvisionerConnection]Most provisioners require access to the remote resource via SSH or WinRM and expect a nested connection block with details about how to connect.
inlinetyping.List[str]This is a list of command strings.
scriptstrThis is a path (relative or absolute) to a local script that will be copied to the remote resource and then executed.
scriptstyping.List[str]This is a list of paths (relative or absolute) to local scripts that will be copied to the remote resource and then executed.
typeRequired 
type: str
  • Type: str
connectionOptional 
connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection]

Most provisioners require access to the remote resource via SSH or WinRM and expect a nested connection block with details about how to connect.

A connection must be provided here or in the parent resource.

inlineOptional 
inline: typing.List[str]
  • Type: typing.List[str]

This is a list of command strings.

They are executed in the order they are provided. This cannot be provided with script or scripts.

scriptOptional 
script: str
  • Type: str

This is a path (relative or absolute) to a local script that will be copied to the remote resource and then executed.

This cannot be provided with inline or scripts.

scriptsOptional 
scripts: typing.List[str]
  • Type: typing.List[str]

This is a list of paths (relative or absolute) to local scripts that will be copied to the remote resource and then executed.

They are executed in the order they are provided. This cannot be provided with inline or script.

ResolveOptions

Options to the resolve() operation.

NOT the same as the ResolveContext; ResolveContext is exposed to Token implementors and resolution hooks, whereas this struct is just to bundle a number of things that would otherwise be arguments to resolve() in a readable way.

Initializer 

import cdktf

cdktf.ResolveOptions(
  resolver: ITokenResolver,
  scope: IConstruct,
  preparing: bool = None
)

Properties

NameTypeDescription
resolverITokenResolverThe resolver to apply to any resolvable tokens found.
scopeconstructs.IConstructThe scope from which resolution is performed.
preparingboolWhether the resolution is being executed during the prepare phase or not.
resolverRequired 
resolver: ITokenResolver

The resolver to apply to any resolvable tokens found.

scopeRequired 
scope: IConstruct
  • Type: constructs.IConstruct

The scope from which resolution is performed.

preparingOptional 
preparing: bool
  • Type: bool
  • Default: false

Whether the resolution is being executed during the prepare phase or not.

S3BackendAssumeRoleConfig

Initializer 

import cdktf

cdktf.S3BackendAssumeRoleConfig(
  role_arn: str,
  duration: str = None,
  external_id: str = None,
  policy: str = None,
  policy_arns: typing.List[str] = None,
  session_name: str = None,
  source_identity: str = None,
  tags: typing.Mapping[str] = None,
  transitive_tag_keys: typing.List[str] = None
)

Properties

NameTypeDescription
role_arnstr(Required) Amazon Resource Name (ARN) of the IAM Role to assume.
durationstr(Optional) The duration individual credentials will be valid.
external_idstr(Optional) External identifier to use when assuming the role.
policystr(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
policy_arnstyping.List[str](Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
session_namestr(Optional) Session name to use when assuming the role.
source_identitystr(Optional) Source identity specified by the principal assuming the.
tagstyping.Mapping[str](Optional) Map of assume role session tags.
transitive_tag_keystyping.List[str](Optional) Set of assume role session tag keys to pass to any subsequent sessions.
role_arnRequired 
role_arn: str
  • Type: str

(Required) Amazon Resource Name (ARN) of the IAM Role to assume.

durationOptional 
duration: str
  • Type: str

(Optional) The duration individual credentials will be valid.

Credentials are automatically renewed up to the maximum defined by the AWS account. Specified using the format < hours >h< minutes >m< seconds >s with any unit being optional. For example, an hour and a half can be specified as 1h30m or 90m. Must be between 15 minutes (15m) and 12 hours (12h).

external_idOptional 
external_id: str
  • Type: str

(Optional) External identifier to use when assuming the role.

policyOptional 
policy: str
  • Type: str

(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.

policy_arnsOptional 
policy_arns: typing.List[str]
  • Type: typing.List[str]

(Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.

session_nameOptional 
session_name: str
  • Type: str

(Optional) Session name to use when assuming the role.

source_identityOptional 
source_identity: str
  • Type: str

(Optional) Source identity specified by the principal assuming the.

tagsOptional 
tags: typing.Mapping[str]
  • Type: typing.Mapping[str]

(Optional) Map of assume role session tags.

transitive_tag_keysOptional 
transitive_tag_keys: typing.List[str]
  • Type: typing.List[str]

(Optional) Set of assume role session tag keys to pass to any subsequent sessions.

S3BackendAssumeRoleWithWebIdentityConfig

Initializer 

import cdktf

cdktf.S3BackendAssumeRoleWithWebIdentityConfig(
  duration: str = None,
  policy: str = None,
  policy_arns: typing.List[str] = None,
  role_arn: str = None,
  session_name: str = None,
  web_identity_token: str = None,
  web_identity_token_file: str = None
)

Properties

NameTypeDescription
durationstr(Optional) The duration individual credentials will be valid.
policystr(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
policy_arnstyping.List[str](Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
role_arnstr(Required) Amazon Resource Name (ARN) of the IAM Role to assume.
session_namestr(Optional) Session name to use when assuming the role.
web_identity_tokenstr(Optional) The value of a web identity token from an OpenID Connect (OIDC) or OAuth provider.
web_identity_token_filestr(Optional) File containing a web identity token from an OpenID Connect (OIDC) or OAuth provider.
durationOptional 
duration: str
  • Type: str

(Optional) The duration individual credentials will be valid.

Credentials are automatically renewed up to the maximum defined by the AWS account. Specified using the format < hours >h< minutes >m< seconds >s with any unit being optional. For example, an hour and a half can be specified as 1h30m or 90m. Must be between 15 minutes (15m) and 12 hours (12h).

policyOptional 
policy: str
  • Type: str

(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.

policy_arnsOptional 
policy_arns: typing.List[str]
  • Type: typing.List[str]

(Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.

role_arnOptional 
role_arn: str
  • Type: str

(Required) Amazon Resource Name (ARN) of the IAM Role to assume.

Can also be set with the AWS_ROLE_ARN environment variable.

session_nameOptional 
session_name: str
  • Type: str

(Optional) Session name to use when assuming the role.

Can also be set with the AWS_ROLE_SESSION_NAME environment variable.

web_identity_tokenOptional 
web_identity_token: str
  • Type: str

(Optional) The value of a web identity token from an OpenID Connect (OIDC) or OAuth provider.

One of web_identity_token or web_identity_token_file is required.

web_identity_token_fileOptional 
web_identity_token_file: str
  • Type: str

(Optional) File containing a web identity token from an OpenID Connect (OIDC) or OAuth provider.

One of web_identity_token_file or web_identity_token is required. Can also be set with the AWS_WEB_IDENTITY_TOKEN_FILE environment variable.

S3BackendConfig

Stores the state as a given key in a given bucket on Amazon S3.

This backend also supports state locking and consistency checking via Dynamo DB, which can be enabled by setting the dynamodb_table field to an existing DynamoDB table name. A single DynamoDB table can be used to lock multiple remote state files. Terraform generates key names that include the values of the bucket and key variables.

Warning! It is highly recommended that you enable Bucket Versioning on the S3 bucket to allow for state recovery in the case of accidental deletions and human error.

Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/s3

Initializer 

import cdktf

cdktf.S3BackendConfig(
  bucket: str,
  key: str,
  access_key: str = None,
  acl: str = None,
  allowed_account_ids: typing.List[str] = None,
  assume_role: S3BackendAssumeRoleConfig = None,
  assume_role_policy: str = None,
  assume_role_policy_arns: typing.List[str] = None,
  assume_role_tags: typing.Mapping[str] = None,
  assume_role_transitive_tag_keys: typing.List[str] = None,
  assume_role_with_web_identity: S3BackendAssumeRoleWithWebIdentityConfig = None,
  custom_ca_bundle: str = None,
  dynamodb_endpoint: str = None,
  dynamodb_table: str = None,
  ec2_metadata_service_endpoint: str = None,
  ec2_metadata_service_endpoint_mode: str = None,
  encrypt: bool = None,
  endpoint: str = None,
  endpoints: S3BackendEndpointConfig = None,
  external_id: str = None,
  forbidden_account_ids: typing.List[str] = None,
  force_path_style: bool = None,
  http_proxy: str = None,
  https_proxy: str = None,
  iam_endpoint: str = None,
  insecure: bool = None,
  kms_key_id: str = None,
  max_retries: typing.Union[int, float] = None,
  no_proxy: str = None,
  profile: str = None,
  region: str = None,
  retry_mode: str = None,
  role_arn: str = None,
  secret_key: str = None,
  session_name: str = None,
  shared_config_files: typing.List[str] = None,
  shared_credentials_file: str = None,
  shared_credentials_files: typing.List[str] = None,
  skip_credentials_validation: bool = None,
  skip_metadata_api_check: bool = None,
  skip_region_validation: bool = None,
  skip_requesting_account_id: bool = None,
  skip_s3_checksum: bool = None,
  sse_customer_key: str = None,
  sts_endpoint: str = None,
  sts_region: str = None,
  token: str = None,
  use_legacy_workflow: bool = None,
  use_path_style: bool = None,
  workspace_key_prefix: str = None
)

Properties

NameTypeDescription
bucketstrName of the S3 Bucket.
keystrPath to the state file inside the S3 Bucket.
access_keystr(Optional) AWS access key.
aclstr(Optional) Canned ACL to be applied to the state file.
allowed_account_idstyping.List[str](Optional) List of allowed AWS account IDs to prevent potential destruction of a live environment.
assume_roleS3BackendAssumeRoleConfigAssuming an IAM Role can be configured in two ways.
assume_role_policystr(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
assume_role_policy_arnstyping.List[str](Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
assume_role_tagstyping.Mapping[str](Optional) Map of assume role session tags.
assume_role_transitive_tag_keystyping.List[str](Optional) Set of assume role session tag keys to pass to any subsequent sessions.
assume_role_with_web_identityS3BackendAssumeRoleWithWebIdentityConfigAssume Role With Web Identity Configuration.
custom_ca_bundlestr(Optional) File containing custom root and intermediate certificates.
dynamodb_endpointstr(Optional) Custom endpoint for the AWS DynamoDB API.
dynamodb_tablestr(Optional) Name of DynamoDB Table to use for state locking and consistency.
ec2_metadata_service_endpointstrOptional) Custom endpoint URL for the EC2 Instance Metadata Service (IMDS) API.
ec2_metadata_service_endpoint_modestr(Optional) Mode to use in communicating with the metadata service.
encryptbool(Optional) Enable server side encryption of the state file.
endpointstr(Optional) Custom endpoint for the AWS S3 API.
endpointsS3BackendEndpointConfig(Optional) The endpoint configuration block.
external_idstr(Optional) External identifier to use when assuming the role.
forbidden_account_idstyping.List[str](Optional) List of forbidden AWS account IDs to prevent potential destruction of a live environment.
force_path_stylebool(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).
http_proxystr(Optional) URL of a proxy to use for HTTP requests when accessing the AWS API.
https_proxystr(Optional) URL of a proxy to use for HTTPS requests when accessing the AWS API.
iam_endpointstr(Optional) Custom endpoint for the AWS Identity and Access Management (IAM) API.
insecureboolOptional) Whether to explicitly allow the backend to perform "insecure" SSL requests.
kms_key_idstr(Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state.
max_retriestyping.Union[int, float](Optional) The maximum number of times an AWS API request is retried on retryable failure.
no_proxystr(Optional) Comma-separated list of hosts that should not use HTTP or HTTPS proxies.
profilestr(Optional) Name of AWS profile in AWS shared credentials file (e.g. ~/.aws/credentials) or AWS shared configuration file (e.g. ~/.aws/config) to use for credentials and/or configuration. This can also be sourced from the AWS_PROFILE environment variable.
regionstrAWS Region of the S3 Bucket and DynamoDB Table (if used).
retry_modestr(Optional) Specifies how retries are attempted.
role_arnstr(Optional) Amazon Resource Name (ARN) of the IAM Role to assume.
secret_keystr(Optional) AWS secret access key.
session_namestr(Optional) Session name to use when assuming the role.
shared_config_filestyping.List[str](Optional) List of paths to AWS shared configuration files.
shared_credentials_filestr(Optional) Path to the AWS shared credentials file.
shared_credentials_filestyping.List[str](Optional) List of paths to AWS shared credentials files.
skip_credentials_validationbool(Optional) Skip credentials validation via the STS API.
skip_metadata_api_checkbool(Optional) Skip usage of EC2 Metadata API.
skip_region_validationbool(Optional) Skip validation of provided region name.
skip_requesting_account_idbool(Optional) Whether to skip requesting the account ID.
skip_s3_checksumbool(Optional) Do not include checksum when uploading S3 Objects.
sse_customer_keystr(Optional) The key to use for encrypting state with Server-Side Encryption with Customer-Provided Keys (SSE-C).
sts_endpointstr(Optional) Custom endpoint for the AWS Security Token Service (STS) API.
sts_regionstr(Optional) AWS region for STS.
tokenstr(Optional) Multi-Factor Authentication (MFA) token.
use_legacy_workflowbool(Optional) Use the legacy authentication workflow, preferring environment variables over backend configuration.
use_path_stylebool(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).
workspace_key_prefixstr(Optional) Prefix applied to the state path inside the bucket.
bucketRequired 
bucket: str
  • Type: str

Name of the S3 Bucket.

keyRequired 
key: str
  • Type: str

Path to the state file inside the S3 Bucket.

When using a non-default workspace, the state path will be /workspace_key_prefix/workspace_name/key

access_keyOptional 
access_key: str
  • Type: str

(Optional) AWS access key.

If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).

aclOptional 
acl: str
  • Type: str

(Optional) Canned ACL to be applied to the state file.

allowed_account_idsOptional 
allowed_account_ids: typing.List[str]
  • Type: typing.List[str]

(Optional) List of allowed AWS account IDs to prevent potential destruction of a live environment.

Conflicts with forbidden_account_ids.

assume_roleOptional 
assume_role: S3BackendAssumeRoleConfig

Assuming an IAM Role can be configured in two ways.

The preferred way is to use the argument assume_role, the other, which is deprecated, is with arguments at the top level.

assume_role_policyOptional
  • Deprecated: Use assumeRole.policy instead.
assume_role_policy: str
  • Type: str

(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.

assume_role_policy_arnsOptional
  • Deprecated: Use assumeRole.policyArns instead.
assume_role_policy_arns: typing.List[str]
  • Type: typing.List[str]

(Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.

assume_role_tagsOptional
  • Deprecated: Use assumeRole.tags instead.
assume_role_tags: typing.Mapping[str]
  • Type: typing.Mapping[str]

(Optional) Map of assume role session tags.

assume_role_transitive_tag_keysOptional
  • Deprecated: Use assumeRole.transitiveTagKeys instead.
assume_role_transitive_tag_keys: typing.List[str]
  • Type: typing.List[str]

(Optional) Set of assume role session tag keys to pass to any subsequent sessions.

assume_role_with_web_identityOptional 
assume_role_with_web_identity: S3BackendAssumeRoleWithWebIdentityConfig

Assume Role With Web Identity Configuration.

custom_ca_bundleOptional 
custom_ca_bundle: str
  • Type: str

(Optional) File containing custom root and intermediate certificates.

Can also be set using the AWS_CA_BUNDLE environment variable. Setting ca_bundle in the shared config file is not supported.

dynamodb_endpointOptional
  • Deprecated: Use endpoints.dynamodb instead
dynamodb_endpoint: str
  • Type: str

(Optional) Custom endpoint for the AWS DynamoDB API.

This can also be sourced from the AWS_DYNAMODB_ENDPOINT environment variable.

dynamodb_tableOptional 
dynamodb_table: str
  • Type: str

(Optional) Name of DynamoDB Table to use for state locking and consistency.

The table must have a partition key named LockID with type of String. If not configured, state locking will be disabled.

ec2_metadata_service_endpointOptional 
ec2_metadata_service_endpoint: str
  • Type: str

Optional) Custom endpoint URL for the EC2 Instance Metadata Service (IMDS) API.

Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable.

ec2_metadata_service_endpoint_modeOptional 
ec2_metadata_service_endpoint_mode: str
  • Type: str

(Optional) Mode to use in communicating with the metadata service.

Valid values are IPv4 and IPv6. Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE environment variable.

encryptOptional 
encrypt: bool
  • Type: bool

(Optional) Enable server side encryption of the state file.

endpointOptional
  • Deprecated: Use endpoints.s3 instead
endpoint: str
  • Type: str

(Optional) Custom endpoint for the AWS S3 API.

This can also be sourced from the AWS_S3_ENDPOINT environment variable.

endpointsOptional 
endpoints: S3BackendEndpointConfig

(Optional) The endpoint configuration block.

external_idOptional
  • Deprecated: Use assume_role.external_id instead.
external_id: str
  • Type: str

(Optional) External identifier to use when assuming the role.

forbidden_account_idsOptional 
forbidden_account_ids: typing.List[str]
  • Type: typing.List[str]

(Optional) List of forbidden AWS account IDs to prevent potential destruction of a live environment.

Conflicts with allowed_account_ids.

force_path_styleOptional
  • Deprecated: Use usePathStyle instead
force_path_style: bool
  • Type: bool

(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).

http_proxyOptional 
http_proxy: str
  • Type: str

(Optional) URL of a proxy to use for HTTP requests when accessing the AWS API.

Can also be set using the HTTP_PROXY or http_proxy environment variables.

https_proxyOptional 
https_proxy: str
  • Type: str

(Optional) URL of a proxy to use for HTTPS requests when accessing the AWS API.

Can also be set using the HTTPS_PROXY or https_proxy environment variables.

iam_endpointOptional
  • Deprecated: Use endpoints.iam instead
iam_endpoint: str
  • Type: str

(Optional) Custom endpoint for the AWS Identity and Access Management (IAM) API.

This can also be sourced from the AWS_IAM_ENDPOINT environment variable.

insecureOptional 
insecure: bool
  • Type: bool

Optional) Whether to explicitly allow the backend to perform "insecure" SSL requests.

If omitted, the default value is false.

kms_key_idOptional 
kms_key_id: str
  • Type: str

(Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state.

Note that if this value is specified, Terraform will need kms:Encrypt, kms:Decrypt and kms:GenerateDataKey permissions on this KMS key.

max_retriesOptional 
max_retries: typing.Union[int, float]
  • Type: typing.Union[int, float]

(Optional) The maximum number of times an AWS API request is retried on retryable failure.

Defaults to 5.

no_proxyOptional 
no_proxy: str
  • Type: str

(Optional) Comma-separated list of hosts that should not use HTTP or HTTPS proxies.

Each value can be one of:

  • A domain name
  • An IP address
  • A CIDR address
  • An asterisk (*), to indicate that no proxying should be performed Domain name and IP address values can also include a port number. Can also be set using the NO_PROXY or no_proxy environment variables.
profileOptional 
profile: str
  • Type: str

(Optional) Name of AWS profile in AWS shared credentials file (e.g. ~/.aws/credentials) or AWS shared configuration file (e.g. ~/.aws/config) to use for credentials and/or configuration. This can also be sourced from the AWS_PROFILE environment variable.

regionOptional 
region: str
  • Type: str

AWS Region of the S3 Bucket and DynamoDB Table (if used).

This can also be sourced from the AWS_DEFAULT_REGION and AWS_REGION environment variables.

retry_modeOptional 
retry_mode: str
  • Type: str

(Optional) Specifies how retries are attempted.

Valid values are standard and adaptive. Can also be configured using the AWS_RETRY_MODE environment variable or the shared config file parameter retry_mode.

role_arnOptional
  • Deprecated: Use assumeRole.roleArn instead.
role_arn: str
  • Type: str

(Optional) Amazon Resource Name (ARN) of the IAM Role to assume.

secret_keyOptional 
secret_key: str
  • Type: str

(Optional) AWS secret access key.

If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config)

session_nameOptional
  • Deprecated: Use assumeRole.sessionName instead.
session_name: str
  • Type: str

(Optional) Session name to use when assuming the role.

shared_config_filesOptional 
shared_config_files: typing.List[str]
  • Type: typing.List[str]

(Optional) List of paths to AWS shared configuration files.

Defaults to ~/.aws/config.

shared_credentials_fileOptional 
shared_credentials_file: str
  • Type: str

(Optional) Path to the AWS shared credentials file.

Defaults to ~/.aws/credentials.

shared_credentials_filesOptional 
shared_credentials_files: typing.List[str]
  • Type: typing.List[str]

(Optional) List of paths to AWS shared credentials files.

Defaults to ~/.aws/credentials.

skip_credentials_validationOptional 
skip_credentials_validation: bool
  • Type: bool

(Optional) Skip credentials validation via the STS API.

skip_metadata_api_checkOptional 
skip_metadata_api_check: bool
  • Type: bool

(Optional) Skip usage of EC2 Metadata API.

skip_region_validationOptional 
skip_region_validation: bool
  • Type: bool

(Optional) Skip validation of provided region name.

skip_requesting_account_idOptional 
skip_requesting_account_id: bool
  • Type: bool

(Optional) Whether to skip requesting the account ID.

Useful for AWS API implementations that do not have the IAM, STS API, or metadata API.

skip_s3_checksumOptional 
skip_s3_checksum: bool
  • Type: bool

(Optional) Do not include checksum when uploading S3 Objects.

Useful for some S3-Compatible APIs.

sse_customer_keyOptional 
sse_customer_key: str
  • Type: str

(Optional) The key to use for encrypting state with Server-Side Encryption with Customer-Provided Keys (SSE-C).

This is the base64-encoded value of the key, which must decode to 256 bits. This can also be sourced from the AWS_SSE_CUSTOMER_KEY environment variable, which is recommended due to the sensitivity of the value. Setting it inside a terraform file will cause it to be persisted to disk in terraform.tfstate.

sts_endpointOptional
  • Deprecated: Use endpoints.sts instead
sts_endpoint: str
  • Type: str

(Optional) Custom endpoint for the AWS Security Token Service (STS) API.

This can also be sourced from the AWS_STS_ENDPOINT environment variable.

sts_regionOptional 
sts_region: str
  • Type: str

(Optional) AWS region for STS.

If unset, AWS will use the same region for STS as other non-STS operations.

tokenOptional 
token: str
  • Type: str

(Optional) Multi-Factor Authentication (MFA) token.

This can also be sourced from the AWS_SESSION_TOKEN environment variable.

use_legacy_workflowOptional 
use_legacy_workflow: bool
  • Type: bool

(Optional) Use the legacy authentication workflow, preferring environment variables over backend configuration.

Defaults to true. This behavior does not align with the authentication flow of the AWS CLI or SDK's, and will be removed in the future.

use_path_styleOptional 
use_path_style: bool
  • Type: bool

(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).

workspace_key_prefixOptional 
workspace_key_prefix: str
  • Type: str

(Optional) Prefix applied to the state path inside the bucket.

This is only relevant when using a non-default workspace. Defaults to env:

S3BackendEndpointConfig

Initializer 

import cdktf

cdktf.S3BackendEndpointConfig(
  dynamodb: str = None,
  iam: str = None,
  s3: str = None,
  sso: str = None,
  sts: str = None
)

Properties

NameTypeDescription
dynamodbstr(Optional) Custom endpoint URL for the AWS DynamoDB API.
iamstr(Optional) Custom endpoint URL for the AWS IAM API.
s3str(Optional) Custom endpoint URL for the AWS S3 API.
ssostr(Optional) Custom endpoint URL for the AWS IAM Identity Center (formerly known as AWS SSO) API.
stsstr(Optional) Custom endpoint URL for the AWS STS API.
dynamodbOptional 
dynamodb: str
  • Type: str

(Optional) Custom endpoint URL for the AWS DynamoDB API.

This can also be sourced from the environment variable AWS_ENDPOINT_URL_DYNAMODB or the deprecated environment variable AWS_DYNAMODB_ENDPOINT.

iamOptional 
iam: str
  • Type: str

(Optional) Custom endpoint URL for the AWS IAM API.

This can also be sourced from the environment variable AWS_ENDPOINT_URL_IAM or the deprecated environment variable AWS_IAM_ENDPOINT.

s3Optional 
s3: str
  • Type: str

(Optional) Custom endpoint URL for the AWS S3 API.

This can also be sourced from the environment variable AWS_ENDPOINT_URL_S3 or the deprecated environment variable AWS_S3_ENDPOINT.

ssoOptional 
sso: str
  • Type: str

(Optional) Custom endpoint URL for the AWS IAM Identity Center (formerly known as AWS SSO) API.

This can also be sourced from the environment variable AWS_ENDPOINT_URL_SSO.

stsOptional 
sts: str
  • Type: str

(Optional) Custom endpoint URL for the AWS STS API.

This can also be sourced from the environment variable AWS_ENDPOINT_URL_STS or the deprecated environment variable AWS_STS_ENDPOINT.

SSHProvisionerConnection

Most provisioners require access to the remote resource via SSH or WinRM and expect a nested connection block with details about how to connect.

Refer to {@link https://developer.hashicorp.com/terraform/language/resources/provisioners/connection connection}

Initializer 

import cdktf

cdktf.SSHProvisionerConnection(
  host: str,
  type: str,
  agent: str = None,
  agent_identity: str = None,
  bastion_certificate: str = None,
  bastion_host: str = None,
  bastion_host_key: str = None,
  bastion_password: str = None,
  bastion_port: typing.Union[int, float] = None,
  bastion_private_key: str = None,
  bastion_user: str = None,
  certificate: str = None,
  host_key: str = None,
  password: str = None,
  port: typing.Union[int, float] = None,
  private_key: str = None,
  proxy_host: str = None,
  proxy_port: typing.Union[int, float] = None,
  proxy_scheme: str = None,
  proxy_user_name: str = None,
  proxy_user_password: str = None,
  script_path: str = None,
  target_platform: str = None,
  timeout: str = None,
  user: str = None
)

Properties

NameTypeDescription
hoststrThe address of the resource to connect to.
typestrThe connection type.
agentstrSet to false to disable using ssh-agent to authenticate.
agent_identitystrThe preferred identity from the ssh agent for authentication.
bastion_certificatestrThe contents of a signed CA Certificate.
bastion_hoststrSetting this enables the bastion Host connection.
bastion_host_keystrThe public key from the remote host or the signing CA, used to verify the host connection.
bastion_passwordstrThe password to use for the bastion host.
bastion_porttyping.Union[int, float]The port to use connect to the bastion host.
bastion_private_keystrThe contents of an SSH key file to use for the bastion host.
bastion_userstrThe user for the connection to the bastion host.
certificatestrThe contents of a signed CA Certificate.
host_keystrThe public key from the remote host or the signing CA, used to verify the connection.
passwordstrThe password to use for the connection.
porttyping.Union[int, float]The port to connect to.
private_keystrThe contents of an SSH key to use for the connection.
proxy_hoststrSetting this enables the SSH over HTTP connection.
proxy_porttyping.Union[int, float]The port to use connect to the proxy host.
proxy_schemestrThe ssh connection also supports the following fields to facilitate connections by SSH over HTTP proxy.
proxy_user_namestrThe username to use connect to the private proxy host.
proxy_user_passwordstrThe password to use connect to the private proxy host.
script_pathstrThe path used to copy scripts meant for remote execution.
target_platformstrThe target platform to connect to.
timeoutstrThe timeout to wait for the connection to become available.
userstrThe user to use for the connection.
hostRequired 
host: str
  • Type: str

The address of the resource to connect to.

typeRequired 
type: str
  • Type: str

The connection type.

Valid values are "ssh" and "winrm". Provisioners typically assume that the remote system runs Microsoft Windows when using WinRM. Behaviors based on the SSH target_platform will force Windows-specific behavior for WinRM, unless otherwise specified.

agentOptional 
agent: str
  • Type: str

Set to false to disable using ssh-agent to authenticate.

On Windows the only supported SSH authentication agent is Pageant.

agent_identityOptional 
agent_identity: str
  • Type: str

The preferred identity from the ssh agent for authentication.

bastion_certificateOptional 
bastion_certificate: str
  • Type: str

The contents of a signed CA Certificate.

The certificate argument must be used in conjunction with a bastion_private_key. These can be loaded from a file on disk using the the file function.

bastion_hostOptional 
bastion_host: str
  • Type: str

Setting this enables the bastion Host connection.

The provisioner will connect to bastion_host first, and then connect from there to host.

bastion_host_keyOptional 
bastion_host_key: str
  • Type: str

The public key from the remote host or the signing CA, used to verify the host connection.

bastion_passwordOptional 
bastion_password: str
  • Type: str

The password to use for the bastion host.

bastion_portOptional 
bastion_port: typing.Union[int, float]
  • Type: typing.Union[int, float]

The port to use connect to the bastion host.

bastion_private_keyOptional 
bastion_private_key: str
  • Type: str

The contents of an SSH key file to use for the bastion host.

These can be loaded from a file on disk using the file function.

bastion_userOptional 
bastion_user: str
  • Type: str

The user for the connection to the bastion host.

certificateOptional 
certificate: str
  • Type: str

The contents of a signed CA Certificate.

The certificate argument must be used in conjunction with a private_key. These can be loaded from a file on disk using the the file function.

host_keyOptional 
host_key: str
  • Type: str

The public key from the remote host or the signing CA, used to verify the connection.

passwordOptional 
password: str
  • Type: str

The password to use for the connection.

portOptional 
port: typing.Union[int, float]
  • Type: typing.Union[int, float]
  • Default: 22

The port to connect to.

private_keyOptional 
private_key: str
  • Type: str

The contents of an SSH key to use for the connection.

These can be loaded from a file on disk using the file function. This takes preference over password if provided.

proxy_hostOptional 
proxy_host: str
  • Type: str

Setting this enables the SSH over HTTP connection.

This host will be connected to first, and then the host or bastion_host connection will be made from there.

proxy_portOptional 
proxy_port: typing.Union[int, float]
  • Type: typing.Union[int, float]

The port to use connect to the proxy host.

proxy_schemeOptional 
proxy_scheme: str
  • Type: str

The ssh connection also supports the following fields to facilitate connections by SSH over HTTP proxy.

proxy_user_nameOptional 
proxy_user_name: str
  • Type: str

The username to use connect to the private proxy host.

This argument should be specified only if authentication is required for the HTTP Proxy server.

proxy_user_passwordOptional 
proxy_user_password: str
  • Type: str

The password to use connect to the private proxy host.

This argument should be specified only if authentication is required for the HTTP Proxy server.

script_pathOptional 
script_path: str
  • Type: str

The path used to copy scripts meant for remote execution.

Refer to {@link https://developer.hashicorp.com/terraform/language/resources/provisioners/connection#how-provisioners-execute-remote-scripts How Provisioners Execute Remote Scripts below for more details}

target_platformOptional 
target_platform: str
  • Type: str
  • Default: unix

The target platform to connect to.

Valid values are "windows" and "unix". If the platform is set to windows, the default scriptpath is c:\windows\temp\terraform%RAND%.cmd, assuming the SSH default shell is cmd.exe. If the SSH default shell is PowerShell, set scriptpath to "c:/windows/temp/terraform%RAND%.ps1"

timeoutOptional 
timeout: str
  • Type: str
  • Default: 5m

The timeout to wait for the connection to become available.

Should be provided as a string (e.g., "30s" or "5m".)

userOptional 
user: str
  • Type: str
  • Default: root

The user to use for the connection.

StackAnnotation

Initializer 

import cdktf

cdktf.StackAnnotation(
  construct_path: str,
  level: AnnotationMetadataEntryType,
  message: str,
  stacktrace: typing.List[str] = None
)

Properties

NameTypeDescription
construct_pathstrNo description.
levelAnnotationMetadataEntryTypeNo description.
messagestrNo description.
stacktracetyping.List[str]No description.
construct_pathRequired 
construct_path: str
  • Type: str
levelRequired 
level: AnnotationMetadataEntryType
messageRequired 
message: str
  • Type: str
stacktraceOptional 
stacktrace: typing.List[str]
  • Type: typing.List[str]

StackManifest

Initializer 

import cdktf

cdktf.StackManifest(
  annotations: typing.List[StackAnnotation],
  construct_path: str,
  dependencies: typing.List[str],
  name: str,
  stack_metadata_path: str,
  synthesized_stack_path: str,
  working_directory: str
)

Properties

NameTypeDescription
annotationstyping.List[StackAnnotation]No description.
construct_pathstrNo description.
dependenciestyping.List[str]No description.
namestrNo description.
stack_metadata_pathstrNo description.
synthesized_stack_pathstrNo description.
working_directorystrNo description.
annotationsRequired 
annotations: typing.List[StackAnnotation]
construct_pathRequired 
construct_path: str
  • Type: str
dependenciesRequired 
dependencies: typing.List[str]
  • Type: typing.List[str]
nameRequired 
name: str
  • Type: str
stack_metadata_pathRequired 
stack_metadata_path: str
  • Type: str
synthesized_stack_pathRequired 
synthesized_stack_path: str
  • Type: str
working_directoryRequired 
working_directory: str
  • Type: str

SwiftBackendConfig

Initializer 

import cdktf

cdktf.SwiftBackendConfig(
  container: str,
  application_credential_id: str = None,
  application_credential_name: str = None,
  application_credential_secret: str = None,
  archive_container: str = None,
  auth_url: str = None,
  cacert_file: str = None,
  cert: str = None,
  cloud: str = None,
  default_domain: str = None,
  domain_id: str = None,
  domain_name: str = None,
  expire_after: str = None,
  insecure: bool = None,
  key: str = None,
  password: str = None,
  project_domain_id: str = None,
  project_domain_name: str = None,
  region_name: str = None,
  state_name: str = None,
  tenant_id: str = None,
  tenant_name: str = None,
  token: str = None,
  user_domain_id: str = None,
  user_domain_name: str = None,
  user_id: str = None,
  user_name: str = None
)

Properties

NameTypeDescription
containerstrNo description.
application_credential_idstrNo description.
application_credential_namestrNo description.
application_credential_secretstrNo description.
archive_containerstrNo description.
auth_urlstrNo description.
cacert_filestrNo description.
certstrNo description.
cloudstrNo description.
default_domainstrNo description.
domain_idstrNo description.
domain_namestrNo description.
expire_afterstrNo description.
insecureboolNo description.
keystrNo description.
passwordstrNo description.
project_domain_idstrNo description.
project_domain_namestrNo description.
region_namestrNo description.
state_namestrNo description.
tenant_idstrNo description.
tenant_namestrNo description.
tokenstrNo description.
user_domain_idstrNo description.
user_domain_namestrNo description.
user_idstrNo description.
user_namestrNo description.
containerRequired
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
container: str
  • Type: str
application_credential_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
application_credential_id: str
  • Type: str
application_credential_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
application_credential_name: str
  • Type: str
application_credential_secretOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
application_credential_secret: str
  • Type: str
archive_containerOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
archive_container: str
  • Type: str
auth_urlOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
auth_url: str
  • Type: str
cacert_fileOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
cacert_file: str
  • Type: str
certOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
cert: str
  • Type: str
cloudOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
cloud: str
  • Type: str
default_domainOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
default_domain: str
  • Type: str
domain_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
domain_id: str
  • Type: str
domain_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
domain_name: str
  • Type: str
expire_afterOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
expire_after: str
  • Type: str
insecureOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
insecure: bool
  • Type: bool
keyOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
key: str
  • Type: str
passwordOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
password: str
  • Type: str
project_domain_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
project_domain_id: str
  • Type: str
project_domain_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
project_domain_name: str
  • Type: str
region_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
region_name: str
  • Type: str
state_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
state_name: str
  • Type: str
tenant_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
tenant_id: str
  • Type: str
tenant_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
tenant_name: str
  • Type: str
tokenOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
token: str
  • Type: str
user_domain_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
user_domain_id: str
  • Type: str
user_domain_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
user_domain_name: str
  • Type: str
user_idOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
user_id: str
  • Type: str
user_nameOptional
  • Deprecated: CDK for Terraform no longer supports the swift backend. Terraform deprecated swift in v1.2.3 and removed it in v1.3.
user_name: str
  • Type: str

TerraformAssetConfig

Initializer 

import cdktf

cdktf.TerraformAssetConfig(
  path: str,
  asset_hash: str = None,
  type: AssetType = None
)

Properties

NameTypeDescription
pathstrNo description.
asset_hashstrNo description.
typeAssetTypeNo description.
pathRequired 
path: str
  • Type: str
asset_hashOptional 
asset_hash: str
  • Type: str
typeOptional 
type: AssetType

TerraformCondition

Initializer 

import cdktf

cdktf.TerraformCondition(
  condition: typing.Any,
  error_message: str
)

Properties

NameTypeDescription
conditiontyping.AnyThis is a boolean expression that should return true if the intended assumption or guarantee is fulfilled or false if it does not.
error_messagestrThis contains the text that Terraform will include as part of error messages when it detects an unmet condition.
conditionRequired 
condition: typing.Any
  • Type: typing.Any

This is a boolean expression that should return true if the intended assumption or guarantee is fulfilled or false if it does not.

error_messageRequired 
error_message: str
  • Type: str

This contains the text that Terraform will include as part of error messages when it detects an unmet condition.

TerraformConstructor

Initializer 

from cdktf import testing_matchers

testingMatchers.TerraformConstructor(
  tf_resource_type: str
)

Properties

NameTypeDescription
tf_resource_typestrNo description.
tf_resource_typeRequired 
tf_resource_type: str
  • Type: str

TerraformElementMetadata

Initializer 

import cdktf

cdktf.TerraformElementMetadata(
  path: str,
  stack_trace: typing.List[str],
  unique_id: str
)

Properties

NameTypeDescription
pathstrNo description.
stack_tracetyping.List[str]No description.
unique_idstrNo description.
pathRequired 
path: str
  • Type: str
stack_traceRequired 
stack_trace: typing.List[str]
  • Type: typing.List[str]
unique_idRequired 
unique_id: str
  • Type: str

TerraformHclModuleConfig

Initializer 

import cdktf

cdktf.TerraformHclModuleConfig(
  depends_on: typing.List[ITerraformDependable] = None,
  for_each: ITerraformIterator = None,
  providers: typing.List[typing.Union[TerraformProvider, TerraformModuleProvider]] = None,
  skip_asset_creation_from_local_modules: bool = None,
  source: str,
  version: str = None,
  variables: typing.Mapping[typing.Any] = None
)

Properties

NameTypeDescription
depends_ontyping.List[ITerraformDependable]No description.
for_eachITerraformIteratorNo description.
providerstyping.List[typing.Union[TerraformProvider, TerraformModuleProvider]]No description.
skip_asset_creation_from_local_modulesboolNo description.
sourcestrNo description.
versionstrNo description.
variablestyping.Mapping[typing.Any]No description.
depends_onOptional 
depends_on: typing.List[ITerraformDependable]
for_eachOptional 
for_each: ITerraformIterator
providersOptional 
providers: typing.List[typing.Union[TerraformProvider, TerraformModuleProvider]]
skip_asset_creation_from_local_modulesOptional 
skip_asset_creation_from_local_modules: bool
  • Type: bool
sourceRequired 
source: str
  • Type: str
versionOptional 
version: str
  • Type: str
variablesOptional 
variables: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]

TerraformMetaArguments

Initializer 

import cdktf

cdktf.TerraformMetaArguments(
  connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection] = None,
  count: typing.Union[typing.Union[int, float], TerraformCount] = None,
  depends_on: typing.List[ITerraformDependable] = None,
  for_each: ITerraformIterator = None,
  lifecycle: TerraformResourceLifecycle = None,
  provider: TerraformProvider = None,
  provisioners: typing.List[typing.Union[FileProvisioner, LocalExecProvisioner, RemoteExecProvisioner]] = None
)

Properties

NameTypeDescription
connectiontyping.Union[SSHProvisionerConnection, WinrmProvisionerConnection]No description.
counttyping.Union[typing.Union[int, float], TerraformCount]No description.
depends_ontyping.List[ITerraformDependable]No description.
for_eachITerraformIteratorNo description.
lifecycleTerraformResourceLifecycleNo description.
providerTerraformProviderNo description.
provisionerstyping.List[typing.Union[FileProvisioner, LocalExecProvisioner, RemoteExecProvisioner]]No description.
connectionOptional 
connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection]
countOptional 
count: typing.Union[typing.Union[int, float], TerraformCount]
depends_onOptional 
depends_on: typing.List[ITerraformDependable]
for_eachOptional 
for_each: ITerraformIterator
lifecycleOptional 
lifecycle: TerraformResourceLifecycle
providerOptional 
provider: TerraformProvider
provisionersOptional 
provisioners: typing.List[typing.Union[FileProvisioner, LocalExecProvisioner, RemoteExecProvisioner]]

TerraformModuleConfig

Initializer 

import cdktf

cdktf.TerraformModuleConfig(
  depends_on: typing.List[ITerraformDependable] = None,
  for_each: ITerraformIterator = None,
  providers: typing.List[typing.Union[TerraformProvider, TerraformModuleProvider]] = None,
  skip_asset_creation_from_local_modules: bool = None,
  source: str,
  version: str = None
)

Properties

NameTypeDescription
depends_ontyping.List[ITerraformDependable]No description.
for_eachITerraformIteratorNo description.
providerstyping.List[typing.Union[TerraformProvider, TerraformModuleProvider]]No description.
skip_asset_creation_from_local_modulesboolNo description.
sourcestrNo description.
versionstrNo description.
depends_onOptional 
depends_on: typing.List[ITerraformDependable]
for_eachOptional 
for_each: ITerraformIterator
providersOptional 
providers: typing.List[typing.Union[TerraformProvider, TerraformModuleProvider]]
skip_asset_creation_from_local_modulesOptional 
skip_asset_creation_from_local_modules: bool
  • Type: bool
sourceRequired 
source: str
  • Type: str
versionOptional 
version: str
  • Type: str

TerraformModuleProvider

Initializer 

import cdktf

cdktf.TerraformModuleProvider(
  module_alias: str,
  provider: TerraformProvider
)

Properties

NameTypeDescription
module_aliasstrNo description.
providerTerraformProviderNo description.
module_aliasRequired 
module_alias: str
  • Type: str
providerRequired 
provider: TerraformProvider

TerraformModuleUserConfig

Initializer 

import cdktf

cdktf.TerraformModuleUserConfig(
  depends_on: typing.List[ITerraformDependable] = None,
  for_each: ITerraformIterator = None,
  providers: typing.List[typing.Union[TerraformProvider, TerraformModuleProvider]] = None,
  skip_asset_creation_from_local_modules: bool = None
)

Properties

NameTypeDescription
depends_ontyping.List[ITerraformDependable]No description.
for_eachITerraformIteratorNo description.
providerstyping.List[typing.Union[TerraformProvider, TerraformModuleProvider]]No description.
skip_asset_creation_from_local_modulesboolNo description.
depends_onOptional 
depends_on: typing.List[ITerraformDependable]
for_eachOptional 
for_each: ITerraformIterator
providersOptional 
providers: typing.List[typing.Union[TerraformProvider, TerraformModuleProvider]]
skip_asset_creation_from_local_modulesOptional 
skip_asset_creation_from_local_modules: bool
  • Type: bool

TerraformOutputConfig

Initializer 

import cdktf

cdktf.TerraformOutputConfig(
  value: typing.Any,
  depends_on: typing.List[ITerraformDependable] = None,
  description: str = None,
  precondition: Precondition = None,
  sensitive: bool = None,
  static_id: bool = None
)

Properties

NameTypeDescription
valuetyping.AnyNo description.
depends_ontyping.List[ITerraformDependable]No description.
descriptionstrNo description.
preconditionPreconditionNo description.
sensitiveboolNo description.
static_idboolIf set to true the synthesized Terraform Output will be named after the id passed to the constructor instead of the default (TerraformOutput.friendlyUniqueId).
valueRequired 
value: typing.Any
  • Type: typing.Any
depends_onOptional 
depends_on: typing.List[ITerraformDependable]
descriptionOptional 
description: str
  • Type: str
preconditionOptional 
precondition: Precondition
sensitiveOptional 
sensitive: bool
  • Type: bool
static_idOptional 
static_id: bool
  • Type: bool
  • Default: false

If set to true the synthesized Terraform Output will be named after the id passed to the constructor instead of the default (TerraformOutput.friendlyUniqueId).

TerraformProviderConfig

Initializer 

import cdktf

cdktf.TerraformProviderConfig(
  terraform_resource_type: str,
  terraform_generator_metadata: TerraformProviderGeneratorMetadata = None,
  terraform_provider_source: str = None
)

Properties

NameTypeDescription
terraform_resource_typestrNo description.
terraform_generator_metadataTerraformProviderGeneratorMetadataNo description.
terraform_provider_sourcestrNo description.
terraform_resource_typeRequired 
terraform_resource_type: str
  • Type: str
terraform_generator_metadataOptional 
terraform_generator_metadata: TerraformProviderGeneratorMetadata
terraform_provider_sourceOptional 
terraform_provider_source: str
  • Type: str

TerraformProviderGeneratorMetadata

Initializer 

import cdktf

cdktf.TerraformProviderGeneratorMetadata(
  provider_name: str,
  provider_version: str = None,
  provider_version_constraint: str = None
)

Properties

NameTypeDescription
provider_namestrNo description.
provider_versionstrNo description.
provider_version_constraintstrNo description.
provider_nameRequired 
provider_name: str
  • Type: str
provider_versionOptional 
provider_version: str
  • Type: str
provider_version_constraintOptional 
provider_version_constraint: str
  • Type: str

TerraformResourceConfig

Initializer 

import cdktf

cdktf.TerraformResourceConfig(
  connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection] = None,
  count: typing.Union[typing.Union[int, float], TerraformCount] = None,
  depends_on: typing.List[ITerraformDependable] = None,
  for_each: ITerraformIterator = None,
  lifecycle: TerraformResourceLifecycle = None,
  provider: TerraformProvider = None,
  provisioners: typing.List[typing.Union[FileProvisioner, LocalExecProvisioner, RemoteExecProvisioner]] = None,
  terraform_resource_type: str,
  terraform_generator_metadata: TerraformProviderGeneratorMetadata = None
)

Properties

NameTypeDescription
connectiontyping.Union[SSHProvisionerConnection, WinrmProvisionerConnection]No description.
counttyping.Union[typing.Union[int, float], TerraformCount]No description.
depends_ontyping.List[ITerraformDependable]No description.
for_eachITerraformIteratorNo description.
lifecycleTerraformResourceLifecycleNo description.
providerTerraformProviderNo description.
provisionerstyping.List[typing.Union[FileProvisioner, LocalExecProvisioner, RemoteExecProvisioner]]No description.
terraform_resource_typestrNo description.
terraform_generator_metadataTerraformProviderGeneratorMetadataNo description.
connectionOptional 
connection: typing.Union[SSHProvisionerConnection, WinrmProvisionerConnection]
countOptional 
count: typing.Union[typing.Union[int, float], TerraformCount]
depends_onOptional 
depends_on: typing.List[ITerraformDependable]
for_eachOptional 
for_each: ITerraformIterator
lifecycleOptional 
lifecycle: TerraformResourceLifecycle
providerOptional 
provider: TerraformProvider
provisionersOptional 
provisioners: typing.List[typing.Union[FileProvisioner, LocalExecProvisioner, RemoteExecProvisioner]]
terraform_resource_typeRequired 
terraform_resource_type: str
  • Type: str
terraform_generator_metadataOptional 
terraform_generator_metadata: TerraformProviderGeneratorMetadata

TerraformResourceImport

Initializer 

import cdktf

cdktf.TerraformResourceImport(
  id: str,
  provider: TerraformProvider = None
)

Properties

NameTypeDescription
idstrNo description.
providerTerraformProviderNo description.
idRequired 
id: str
  • Type: str
providerOptional 
provider: TerraformProvider

TerraformResourceLifecycle

Initializer 

import cdktf

cdktf.TerraformResourceLifecycle(
  create_before_destroy: bool = None,
  ignore_changes: typing.Union[typing.List[str], str] = None,
  postcondition: typing.List[Postcondition] = None,
  precondition: typing.List[Precondition] = None,
  prevent_destroy: bool = None,
  replace_triggered_by: typing.List[typing.Union[str, ITerraformDependable]] = None
)

Properties

NameTypeDescription
create_before_destroyboolNo description.
ignore_changestyping.Union[typing.List[str], str]No description.
postconditiontyping.List[Postcondition]No description.
preconditiontyping.List[Precondition]No description.
prevent_destroyboolNo description.
replace_triggered_bytyping.List[typing.Union[str, ITerraformDependable]]No description.
create_before_destroyOptional 
create_before_destroy: bool
  • Type: bool
ignore_changesOptional 
ignore_changes: typing.Union[typing.List[str], str]
  • Type: typing.Union[typing.List[str], str]
postconditionOptional 
postcondition: typing.List[Postcondition]
preconditionOptional 
precondition: typing.List[Precondition]
prevent_destroyOptional 
prevent_destroy: bool
  • Type: bool
replace_triggered_byOptional 
replace_triggered_by: typing.List[typing.Union[str, ITerraformDependable]]

TerraformResourceMoveById

Initializer 

import cdktf

cdktf.TerraformResourceMoveById(
  from: str,
  to: str
)

Properties

NameTypeDescription
fromstrNo description.
tostrNo description.
fromRequired 
from: str
  • Type: str
toRequired 
to: str
  • Type: str

TerraformResourceMoveByTarget

Initializer 

import cdktf

cdktf.TerraformResourceMoveByTarget(
  move_target: str,
  index: typing.Union[str, typing.Union[int, float]] = None
)

Properties

NameTypeDescription
move_targetstrNo description.
indextyping.Union[str, typing.Union[int, float]]No description.
move_targetRequired 
move_target: str
  • Type: str
indexOptional 
index: typing.Union[str, typing.Union[int, float]]
  • Type: typing.Union[str, typing.Union[int, float]]

TerraformStackMetadata

Initializer 

import cdktf

cdktf.TerraformStackMetadata(
  backend: str,
  stack_name: str,
  version: str,
  cloud: str = None
)

Properties

NameTypeDescription
backendstrNo description.
stack_namestrNo description.
versionstrNo description.
cloudstrNo description.
backendRequired 
backend: str
  • Type: str
stack_nameRequired 
stack_name: str
  • Type: str
versionRequired 
version: str
  • Type: str
cloudOptional 
cloud: str
  • Type: str

TerraformVariableConfig

Initializer 

import cdktf

cdktf.TerraformVariableConfig(
  default: typing.Any = None,
  description: str = None,
  nullable: bool = None,
  sensitive: bool = None,
  type: str = None,
  validation: typing.List[TerraformVariableValidationConfig] = None
)

Properties

NameTypeDescription
defaulttyping.AnyNo description.
descriptionstrNo description.
nullableboolNo description.
sensitiveboolNo description.
typestrThe type argument in a variable block allows you to restrict the type of value that will be accepted as the value for a variable.
validationtyping.List[TerraformVariableValidationConfig]Specify arbitrary custom validation rules for a particular variable using a validation block nested within the corresponding variable block.
defaultOptional 
default: typing.Any
  • Type: typing.Any
descriptionOptional 
description: str
  • Type: str
nullableOptional 
nullable: bool
  • Type: bool
sensitiveOptional 
sensitive: bool
  • Type: bool
typeOptional 
type: str
  • Type: str

The type argument in a variable block allows you to restrict the type of value that will be accepted as the value for a variable.

If no type constraint is set then a value of any type is accepted.

While type constraints are optional, we recommend specifying them; they serve as easy reminders for users of the module, and allow Terraform to return a helpful error message if the wrong type is used.

Type constraints are created from a mixture of type keywords and type constructors. The supported type keywords are:

  • string
  • number
  • bool

The type constructors allow you to specify complex types such as collections:

  • list(< TYPE >)
  • set(< TYPE >)
  • map(< TYPE >)
  • object({< ATTR NAME > = < TYPE >, ... })
  • tuple([< TYPE >, ...])

The keyword any may be used to indicate that any type is acceptable. For more information on the meaning and behavior of these different types, as well as detailed information about automatic conversion of complex types, refer to {@link https://developer.hashicorp.com/terraform/language/expressions/type-constraints Type Constraints}.

If both the type and default arguments are specified, the given default value must be convertible to the specified type.

validationOptional 
validation: typing.List[TerraformVariableValidationConfig]

Specify arbitrary custom validation rules for a particular variable using a validation block nested within the corresponding variable block.

TerraformVariableValidationConfig

Add one or more validation blocks within the variable block to specify custom conditions.

Initializer 

import cdktf

cdktf.TerraformVariableValidationConfig(
  condition: typing.Any,
  error_message: str
)

Properties

NameTypeDescription
conditiontyping.AnyThis is a boolean expression that should return true if the intended assumption or guarantee is fulfilled or false if it does not.
error_messagestrThis contains the text that Terraform will include as part of error messages when it detects an unmet condition.
conditionRequired 
condition: typing.Any
  • Type: typing.Any

This is a boolean expression that should return true if the intended assumption or guarantee is fulfilled or false if it does not.

error_messageRequired 
error_message: str
  • Type: str

This contains the text that Terraform will include as part of error messages when it detects an unmet condition.

TestingAppConfig

Initializer 

import cdktf

cdktf.TestingAppConfig(
  context: typing.Mapping[typing.Any] = None,
  enable_future_flags: bool = None,
  fake_cdktf_json_path: bool = None,
  outdir: str = None,
  stack_traces: bool = None,
  stub_version: bool = None
)

Properties

NameTypeDescription
contexttyping.Mapping[typing.Any]No description.
enable_future_flagsboolNo description.
fake_cdktf_json_pathboolNo description.
outdirstrNo description.
stack_tracesboolNo description.
stub_versionboolNo description.
contextOptional 
context: typing.Mapping[typing.Any]
  • Type: typing.Mapping[typing.Any]
enable_future_flagsOptional 
enable_future_flags: bool
  • Type: bool
fake_cdktf_json_pathOptional 
fake_cdktf_json_path: bool
  • Type: bool
outdirOptional 
outdir: str
  • Type: str
stack_tracesOptional 
stack_traces: bool
  • Type: bool
stub_versionOptional 
stub_version: bool
  • Type: bool

WinrmProvisionerConnection

Most provisioners require access to the remote resource via SSH or WinRM and expect a nested connection block with details about how to connect.

See {@link https://developer.hashicorp.com/terraform/language/resources/provisioners/connection connection}

Initializer 

import cdktf

cdktf.WinrmProvisionerConnection(
  host: str,
  type: str,
  cacert: str = None,
  https: bool = None,
  insecure: bool = None,
  password: str = None,
  port: typing.Union[int, float] = None,
  script_path: str = None,
  timeout: str = None,
  use_ntlm: bool = None,
  user: str = None
)

Properties

NameTypeDescription
hoststrThe address of the resource to connect to.
typestrThe connection type.
cacertstrThe CA certificate to validate against.
httpsboolSet to true to connect using HTTPS instead of HTTP.
insecureboolSet to true to skip validating the HTTPS certificate chain.
passwordstrThe password to use for the connection.
porttyping.Union[int, float]The port to connect to.
script_pathstrThe path used to copy scripts meant for remote execution.
timeoutstrThe timeout to wait for the connection to become available.
use_ntlmboolSet to true to use NTLM authentication rather than default (basic authentication), removing the requirement for basic authentication to be enabled within the target guest.
userstrThe user to use for the connection.
hostRequired 
host: str
  • Type: str

The address of the resource to connect to.

typeRequired 
type: str
  • Type: str

The connection type.

Valid values are "ssh" and "winrm". Provisioners typically assume that the remote system runs Microsoft Windows when using WinRM. Behaviors based on the SSH target_platform will force Windows-specific behavior for WinRM, unless otherwise specified.

cacertOptional 
cacert: str
  • Type: str

The CA certificate to validate against.

httpsOptional 
https: bool
  • Type: bool

Set to true to connect using HTTPS instead of HTTP.

insecureOptional 
insecure: bool
  • Type: bool

Set to true to skip validating the HTTPS certificate chain.

passwordOptional 
password: str
  • Type: str

The password to use for the connection.

portOptional 
port: typing.Union[int, float]
  • Type: typing.Union[int, float]
  • Default: 22

The port to connect to.

script_pathOptional 
script_path: str
  • Type: str

The path used to copy scripts meant for remote execution.

Refer to {@link https://developer.hashicorp.com/terraform/language/resources/provisioners/connection#how-provisioners-execute-remote-scripts How Provisioners Execute Remote Scripts below for more details}

timeoutOptional 
timeout: str
  • Type: str
  • Default: 5m

The timeout to wait for the connection to become available.

Should be provided as a string (e.g., "30s" or "5m".)

use_ntlmOptional 
use_ntlm: bool
  • Type: bool

Set to true to use NTLM authentication rather than default (basic authentication), removing the requirement for basic authentication to be enabled within the target guest.

Refer to Authentication for Remote Connections in the Windows App Development documentation for more details.

userOptional 
user: str
  • Type: str
  • Default: root

The user to use for the connection.

Edit this page on GitHub