Terraform Provider Actions 实施指南 - HashiCorp 实验性功能详解

provider-actions by hashicorp/agent-skills

631 周安装量

481 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/hashicorp/agent-skills --skill provider-actions

自动化云服务开发运维

🇨🇳中文介绍

Terraform Provider Actions 实施指南

概述

Terraform Actions 允许在 Terraform 生命周期中执行命令式操作。Actions 是实验性功能，支持在特定的生命周期事件（创建、更新、销毁之前/之后）执行 Provider 操作。

参考文档：

文件结构

Actions 遵循标准的服务包结构：

internal/service/<service>/
├── <action_name>_action.go       # Action 实现
├── <action_name>_action_test.go  # Action 测试
└── service_package_gen.go        # 自动生成的服务注册

文档结构：

website/docs/actions/
└── <service>_<action_name>.html.markdown  # 面向用户的文档

变更日志条目：

.changelog/
└── <pr_number_or_description>.txt  # 发布说明条目

Action Schema 定义

Actions 使用 Terraform Plugin Framework，遵循标准的 Schema 模式：

func (a *actionType) Schema(ctx context.Context, req action.SchemaRequest, resp *action.SchemaResponse) {
    resp.Schema = schema.Schema{
        Attributes: map[string]schema.Attribute{
            // 必需的配置参数
            "resource_id": schema.StringAttribute{
                Required:    true,
                Description: "要操作的资源 ID",
            },
            // 带有默认值的可选参数
            "timeout": schema.Int64Attribute{
                Optional:    true,
                Description: "操作超时时间（秒）",
                Default:     int64default.StaticInt64(1800),
                Computed:    true,
            },
        },
    }
}

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

常见的 Schema 问题

请特别注意 Schema 的定义 - 初稿后常见的问题：

类型不匹配
- 在模型结构体中使用 types.String 而不是 fwtypes.String
- 在 Schema 中使用 types.StringType 而不是 fwtypes.StringType
- 混合使用 framework 类型和 plugin-framework 类型

List/Map 元素类型

// 错误 - 缺少 ElementType
"items": schema.ListAttribute{
    Optional: true,
}

// 正确
"items": schema.ListAttribute{
    Optional:    true,
    ElementType: fwtypes.StringType,
}

Computed 与 Optional
- 具有默认值的属性必须同时设置 Optional: true 和 Computed: true
- 除非有默认值，否则不要将 Action 输入标记为 Computed

验证器导入

// 确保正确导入
"github.com/hashicorp/terraform-plugin-framework-validators/int64validator"
"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"

Region/Provider 属性
- 当框架提供时，使用框架提供的 region 处理方式
- 如果框架已处理，不要在 Schema 中手动定义 Provider 特定的配置
嵌套属性
- 对于复杂结构，使用适当的嵌套对象类型
- 确保嵌套类型已正确定义

提交前，请验证：

所有属性都有描述
List/Map 属性已定义 ElementType
验证器已正确导入和应用
模型结构体使用了正确的框架类型
具有默认值的可选属性已标记为 Computed
代码编译无类型错误
运行 go build 以捕获类型不匹配

Action Invoke 方法

Invoke 方法包含 Action 的逻辑：

func (a *actionType) Invoke(ctx context.Context, req action.InvokeRequest, resp *action.InvokeResponse) {
    var data actionModel
    resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)

    // 创建 Provider 客户端
    conn := a.Meta().Client(ctx)

    // 为长时间运行的操作提供进度更新
    resp.Progress.Set(ctx, "开始操作...")

    // 实现带有错误处理的 Action 逻辑
    // 使用 context 进行超时管理
    // 如果是异步操作，则轮询完成状态

    resp.Progress.Set(ctx, "操作完成")
}

使用 resp.SendProgress(action.InvokeProgressEvent{...}) 进行实时更新
在长时间操作期间提供有意义的进度消息
在关键里程碑处更新进度
对于长时间操作，包含已用时间

始终包含可配置的超时参数（默认值：1800 秒）
对 API 调用使用 context.WithTimeout()
优雅地处理超时错误
验证超时范围（通常为 60-7200 秒）

使用 resp.Diagnostics.AddError() 添加诊断信息
提供带有上下文的清晰错误消息
在相关时包含 API 错误详情
将 Provider 错误类型映射为用户友好的消息
记录所有可能的错误情况

错误处理示例：

// 处理特定错误
var notFound *types.ResourceNotFoundException
if errors.As(err, &notFound) {
    resp.Diagnostics.AddError(
        "资源未找到",
        fmt.Sprintf("未找到资源 %s", resourceID),
    )
    return
}

// 通用错误处理
resp.Diagnostics.AddError(
    "操作失败",
    fmt.Sprintf("无法为 %s 完成操作：%s", resourceID, err),
)

4. Provider SDK 集成

使用来自 a.Meta().<Service>Client(ctx) 的 Provider SDK 客户端
处理列表操作的分页
为暂时性故障实现重试逻辑
使用适当的错误类型

使用框架验证器进行输入验证
在操作前验证资源是否存在
检查冲突的参数
根据 Provider 命名要求进行验证

对于需要等待完成的操作：

result, err := wait.WaitForStatus(ctx,
    func(ctx context.Context) (wait.FetchResult[*ResourceType], error) {
        // 获取当前状态
        resource, err := findResource(ctx, conn, id)
        if err != nil {
            return wait.FetchResult[*ResourceType]{}, err
        }
        return wait.FetchResult[*ResourceType]{
            Status: wait.Status(resource.Status),
            Value:  resource,
        }, nil
    },
    wait.Options[*ResourceType]{
        Timeout:            timeout,
        Interval:           wait.FixedInterval(5 * time.Second),
        SuccessStates:      []wait.Status{"AVAILABLE", "COMPLETED"},
        TransitionalStates: []wait.Status{"CREATING", "PENDING"},
        ProgressInterval:   30 * time.Second,
        ProgressSink: func(fr wait.FetchResult[any], meta wait.ProgressMeta) {
            resp.SendProgress(action.InvokeProgressEvent{
                Message: fmt.Sprintf("状态：%s，已用时间：%v", fr.Status, meta.Elapsed.Round(time.Second)),
            })
        },
    },
)

常见的 Action 模式

以可配置的批次处理项目
报告每个批次的进度
优雅地处理部分失败
支持前缀/过滤器参数

提交命令并获取操作 ID
轮询完成状态
检索并报告输出
处理轮询期间的超时
在执行前验证资源是否存在

使用参数调用服务
等待完成（如果是同步的）
返回输出/结果
处理服务特定的错误

验证当前状态
应用状态变更
轮询目标状态
处理过渡状态

使用配置提交作业
获取作业 ID
可选择等待完成
报告作业状态

Actions 通过 Terraform 配置中的 action_trigger 生命周期块调用：

action "provider_service_action" "name" {
  config {
    parameter = value
  }
}

resource "terraform_data" "trigger" {
  lifecycle {
    action_trigger {
      events  = [after_create]
      actions = [action.provider_service_action.name]
    }
  }
}

可用的触发器事件

Terraform 1.14.0 支持的事件：

before_create - 资源创建之前
after_create - 资源创建之后
before_update - 资源更新之前
after_update - 资源更新之后

Terraform 1.14.0 不支持：

before_destroy - 不可用（将导致验证错误）
after_destroy - 不可用（将导致验证错误）

使用有效参数测试 Action 调用
测试超时场景
测试错误条件
验证 Provider 状态变更
测试进度报告
使用自定义参数测试
测试基于触发器的调用

func TestAccServiceAction_basic(t *testing.T) {
    ctx := acctest.Context(t)

    resource.ParallelTest(t, resource.TestCase{
        PreCheck:                 func() { acctest.PreCheck(ctx, t) },
        ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
        TerraformVersionChecks: []tfversion.TerraformVersionCheck{
            tfversion.SkipBelow(tfversion.Version1_14_0),
        },
        Steps: []resource.TestStep{
            {
                Config: testAccActionConfig_basic(),
                Check: resource.ComposeTestCheckFunc(
                    testAccCheckResourceExists(ctx, "provider_resource.test"),
                ),
            },
        },
    })
}

使用清理函数进行测试清理

添加清理函数以清理测试资源：

func sweepResources(region string) error {
    ctx := context.Background()
    client := /* get client for region */

    input := &service.ListInput{
        // 过滤测试资源
    }

    var sweeperErrs *multierror.Error

    pages := service.NewListPaginator(client, input)
    for pages.HasMorePages() {
        page, err := pages.NextPage(ctx)
        if err != nil {
            sweeperErrs = multierror.Append(sweeperErrs, err)
            continue
        }

        for _, item := range page.Items {
            id := item.Id

            // 跳过非测试资源
            if !strings.HasPrefix(id, "tf-acc-test") {
                continue
            }

            _, err := client.Delete(ctx, &service.DeleteInput{
                Id: id,
            })
            if err != nil {
                sweeperErrs = multierror.Append(sweeperErrs, err)
            }
        }
    }

    return sweeperErrs.ErrorOrNil()
}

服务特定的先决条件

始终检查 Action 成功前必须满足的服务特定先决条件
在 Action 文档和测试配置中记录先决条件

错误模式匹配

Terraform 会包装 Action 错误并添加上下文
使用灵活的正则表达式模式：regexache.MustCompile(\(?s)Error Title.*key phrase)

不适用于 Actions 的测试模式

Actions 在生命周期事件上触发，而不是配置重新应用
Before/After Destroy 测试：Terraform 1.14.0 不支持

编译测试以检查错误：

go test -c -o /dev/null ./internal/service/<service>

运行特定的 Action 测试：

TF_ACC=1 go test ./internal/service/<service> -run TestAccServiceAction_ -v

运行清理以清理测试资源：

TF_ACC=1 go test ./internal/service/<service> -sweep=<region> -v

每个 Action 文档文件必须包含：

前置信息

---
subcategory: "Service Name"
layout: "provider"
page_title: "Provider: provider_service_action"
description: |-
  对该 Action 功能的简要描述。
---

带有警告的页眉
- 关于实验状态的 Beta/Alpha 通知
- 关于潜在意外后果的警告
- 指向 Provider 文档的链接
使用示例
- 基本使用示例
- 包含所有选项的高级用法
- 使用 terraform_data 的基于触发器的示例
- 真实世界的用例示例
参数参考
- 列出所有必需和可选参数
- 包含描述和默认值
- 注明任何验证规则
文档格式化检查
- 提交前运行 terrafmt fmt
- 使用 terrafmt diff 验证

变更日志条目格式

在 .changelog/ 目录中创建变更日志条目：

.changelog/<pr_number_or_description>.txt

action/provider_service_action: Action 的简要描述

提交前检查清单

提交 Action 实现前：

代码编译：go build -o /dev/null .
测试编译：go test -c -o /dev/null ./internal/service/<service>
代码格式化：make fmt
文档格式化：terrafmt fmt website/docs/actions/<action>.html.markdown
已创建变更日志条目
Schema 使用了正确的类型
所有 List/Map 属性都有 ElementType
为长时间操作实现了进度更新
错误消息包含上下文和资源标识符
文档包含多个示例
文档包含先决条件和警告

2026 年 1 月 26 日

🇺🇸English

Terraform Provider Actions Implementation Guide

Overview

Terraform Actions enable imperative operations during the Terraform lifecycle. Actions are experimental features that allow performing provider operations at specific lifecycle events (before/after create, update, destroy).

References:

File Structure

Actions follow the standard service package structure:

internal/service/<service>/
├── <action_name>_action.go       # Action implementation
├── <action_name>_action_test.go  # Action tests
└── service_package_gen.go        # Auto-generated service registration

Documentation structure:

website/docs/actions/
└── <service>_<action_name>.html.markdown  # User-facing documentation

Changelog entry:

.changelog/
└── <pr_number_or_description>.txt  # Release note entry

Action Schema Definition

Actions use the Terraform Plugin Framework with a standard schema pattern:

func (a *actionType) Schema(ctx context.Context, req action.SchemaRequest, resp *action.SchemaResponse) {
    resp.Schema = schema.Schema{
        Attributes: map[string]schema.Attribute{
            // Required configuration parameters
            "resource_id": schema.StringAttribute{
                Required:    true,
                Description: "ID of the resource to operate on",
            },
            // Optional parameters with defaults
            "timeout": schema.Int64Attribute{
                Optional:    true,
                Description: "Operation timeout in seconds",
                Default:     int64default.StaticInt64(1800),
                Computed:    true,
            },
        },
    }
}

Common Schema Issues

Pay special attention to the schema definition - common issues after a first draft:

Type Mismatches
- Using types.String instead of fwtypes.String in model structs
- Using types.StringType instead of fwtypes.StringType in schema
- Mixing framework types with plugin-framework types

List/Map Element Types

// WRONG - missing ElementType
"items": schema.ListAttribute{
    Optional: true,
}

// CORRECT
"items": schema.ListAttribute{
    Optional:    true,
    ElementType: fwtypes.StringType,
}

Computed vs Optional
- Attributes with defaults must be both Optional: true and Computed: true

Schema Validation Checklist

Before submitting, verify:

All attributes have descriptions
List/Map attributes have ElementType defined
Validators are imported and applied correctly
Model struct uses correct framework types
Optional attributes with defaults are marked Computed
Code compiles without type errors
Run go build to catch type mismatches

Action Invoke Method

The Invoke method contains the action logic:

func (a *actionType) Invoke(ctx context.Context, req action.InvokeRequest, resp *action.InvokeResponse) {
    var data actionModel
    resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)

    // Create provider client
    conn := a.Meta().Client(ctx)

    // Progress updates for long-running operations
    resp.Progress.Set(ctx, "Starting operation...")

    // Implement action logic with error handling
    // Use context for timeout management
    // Poll for completion if async operation

    resp.Progress.Set(ctx, "Operation completed")
}

Key Implementation Requirements

1. Progress Reporting

Use resp.SendProgress(action.InvokeProgressEvent{...}) for real-time updates
Provide meaningful progress messages during long operations
Update progress at key milestones
Include elapsed time for long operations

2. Timeout Management

Always include configurable timeout parameter (default: 1800s)
Use context.WithTimeout() for API calls
Handle timeout errors gracefully
Validate timeout ranges (typically 60-7200 seconds)

3. Error Handling

Add diagnostics with resp.Diagnostics.AddError()
Provide clear error messages with context
Include API error details when relevant
Map provider error types to user-friendly messages
Document all possible error cases

Example error handling:

// Handle specific errors
var notFound *types.ResourceNotFoundException
if errors.As(err, &notFound) {
    resp.Diagnostics.AddError(
        "Resource Not Found",
        fmt.Sprintf("Resource %s was not found", resourceID),
    )
    return
}

// Generic error handling
resp.Diagnostics.AddError(
    "Operation Failed",
    fmt.Sprintf("Could not complete operation for %s: %s", resourceID, err),
)

4. Provider SDK Integration

Use provider SDK clients from a.Meta().<Service>Client(ctx)
Handle pagination for list operations
Implement retry logic for transient failures
Use appropriate error types

5. Parameter Validation

Use framework validators for input validation
Validate resource existence before operations
Check for conflicting parameters
Validate against provider naming requirements

6. Polling and Waiting

For operations that require waiting for completion:

result, err := wait.WaitForStatus(ctx,
    func(ctx context.Context) (wait.FetchResult[*ResourceType], error) {
        // Fetch current status
        resource, err := findResource(ctx, conn, id)
        if err != nil {
            return wait.FetchResult[*ResourceType]{}, err
        }
        return wait.FetchResult[*ResourceType]{
            Status: wait.Status(resource.Status),
            Value:  resource,
        }, nil
    },
    wait.Options[*ResourceType]{
        Timeout:            timeout,
        Interval:           wait.FixedInterval(5 * time.Second),
        SuccessStates:      []wait.Status{"AVAILABLE", "COMPLETED"},
        TransitionalStates: []wait.Status{"CREATING", "PENDING"},
        ProgressInterval:   30 * time.Second,
        ProgressSink: func(fr wait.FetchResult[any], meta wait.ProgressMeta) {
            resp.SendProgress(action.InvokeProgressEvent{
                Message: fmt.Sprintf("Status: %s, Elapsed: %v", fr.Status, meta.Elapsed.Round(time.Second)),
            })
        },
    },
)

Common Action Patterns

Batch Operations

Process items in configurable batches
Report progress per batch
Handle partial failures gracefully
Support prefix/filter parameters

Command Execution

Submit command and get operation ID
Poll for completion status
Retrieve and report output
Handle timeout during polling
Validate resources exist before execution

Service Invocation

Invoke service with parameters
Wait for completion (if synchronous)
Return output/results
Handle service-specific errors

Resource State Changes

Validate current state
Apply state change
Poll for target state
Handle transitional states

Async Job Submission

Submit job with configuration
Get job ID
Optionally wait for completion
Report job status

Action Triggers

Actions are invoked via action_trigger lifecycle blocks in Terraform configurations:

action "provider_service_action" "name" {
  config {
    parameter = value
  }
}

resource "terraform_data" "trigger" {
  lifecycle {
    action_trigger {
      events  = [after_create]
      actions = [action.provider_service_action.name]
    }
  }
}

Available Trigger Events

Terraform 1.14.0 Supported Events:

before_create - Before resource creation
after_create - After resource creation
before_update - Before resource update
after_update - After resource update

Not Supported in Terraform 1.14.0:

before_destroy - Not available (will cause validation error)
after_destroy - Not available (will cause validation error)

Testing Actions

Acceptance Tests

Test action invocation with valid parameters
Test timeout scenarios
Test error conditions
Verify provider state changes
Test progress reporting
Test with custom parameters
Test trigger-based invocation

Test Pattern

func TestAccServiceAction_basic(t *testing.T) {
    ctx := acctest.Context(t)

    resource.ParallelTest(t, resource.TestCase{
        PreCheck:                 func() { acctest.PreCheck(ctx, t) },
        ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
        TerraformVersionChecks: []tfversion.TerraformVersionCheck{
            tfversion.SkipBelow(tfversion.Version1_14_0),
        },
        Steps: []resource.TestStep{
            {
                Config: testAccActionConfig_basic(),
                Check: resource.ComposeTestCheckFunc(
                    testAccCheckResourceExists(ctx, "provider_resource.test"),
                ),
            },
        },
    })
}

Test Cleanup with Sweep Functions

Add sweep functions to clean up test resources:

func sweepResources(region string) error {
    ctx := context.Background()
    client := /* get client for region */

    input := &service.ListInput{
        // Filter for test resources
    }

    var sweeperErrs *multierror.Error

    pages := service.NewListPaginator(client, input)
    for pages.HasMorePages() {
        page, err := pages.NextPage(ctx)
        if err != nil {
            sweeperErrs = multierror.Append(sweeperErrs, err)
            continue
        }

        for _, item := range page.Items {
            id := item.Id

            // Skip non-test resources
            if !strings.HasPrefix(id, "tf-acc-test") {
                continue
            }

            _, err := client.Delete(ctx, &service.DeleteInput{
                Id: id,
            })
            if err != nil {
                sweeperErrs = multierror.Append(sweeperErrs, err)
            }
        }
    }

    return sweeperErrs.ErrorOrNil()
}

Testing Best Practices

Service-Specific Prerequisites

Always check for service-specific prerequisites that must be met before actions can succeed
Document prerequisites in action documentation and test configurations

Error Pattern Matching

Terraform wraps action errors with additional context
Use flexible regex patterns: regexache.MustCompile(\(?s)Error Title.*key phrase)

Test Patterns Not Applicable to Actions

Actions trigger on lifecycle events, not config reapplication
Before/After Destroy Tests: Not supported in Terraform 1.14.0

Running Tests

Compile test to check for errors:

go test -c -o /dev/null ./internal/service/<service>

Run specific action tests:

TF_ACC=1 go test ./internal/service/<service> -run TestAccServiceAction_ -v

Run sweep to clean up test resources:

TF_ACC=1 go test ./internal/service/<service> -sweep=<region> -v

Documentation Standards

Each action documentation file must include:

Front Matter

---
subcategory: "Service Name"
layout: "provider"
page_title: "Provider: provider_service_action"
description: |-
  Brief description of what the action does.
---

Header with Warnings
- Beta/Alpha notice about experimental status
- Warning about potential unintended consequences
- Link to provider documentation
Example Usage
- Basic usage example
- Advanced usage with all options
- Trigger-based example with terraform_data
- Real-world use case examples
Argument Reference
- List all required and optional arguments
- Include descriptions and defaults
- Note any validation rules
Documentation Linting
- Run terrafmt fmt before submission
- Verify with

Changelog Entry Format

Create a changelog entry in .changelog/ directory:

.changelog/<pr_number_or_description>.txt

Content format:

action/provider_service_action: Brief description of the action

Pre-Submission Checklist

Before submitting your action implementation:

Code compiles: go build -o /dev/null .
Tests compile: go test -c -o /dev/null ./internal/service/<service>
Code formatted: make fmt
Documentation formatted: terrafmt fmt website/docs/actions/<action>.html.markdown
Changelog entry created
Schema uses correct types
All List/Map attributes have ElementType
Progress updates implemented for long operations
Error messages include context and resource identifiers
Documentation includes multiple examples
Documentation includes prerequisites and warnings

References

Weekly Installs

631

Repository

hashicorp/agent-skills

GitHub Stars

481

First Seen

Jan 26, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

github-copilot515

opencode503

codex496

gemini-cli490

cursor434

amp433

Don't mark action inputs as Computed unless they have defaults

Validator Imports

// Ensure proper imports
"github.com/hashicorp/terraform-plugin-framework-validators/int64validator"
"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"

Region/Provider Attribute

Use framework-provided region handling when available
Don't manually define provider-specific config in schema if framework handles it

Nested Attributes

Use appropriate nested object types for complex structures
Ensure nested types are properly defined

Terraform Provider Actions 实施指南 - HashiCorp 实验性功能详解

🇨🇳中文介绍

Terraform Provider Actions 实施指南

概述

文件结构

Action Schema 定义

相关 Skills

常见的 Schema 问题

Schema 验证清单

Action Invoke 方法

关键实施要求

1. 进度报告

2. 超时管理

3. 错误处理