elastic · fin09pcap · Jun 4, 2025 · Jun 10, 2025 · Jul 18, 2025 · Jul 18, 2025
@@ -29,10 +29,11 @@ import (
 )
 
 var (
-	terraformerAgentInputSpec        string
-	terraformerAgentOutputPath       string
-	terraformerAgentDisableTokenWrap bool
-	terraformerAgentEnvironment      string
+	terraformerAgentInputSpec                string
+	terraformerAgentOutputPath               string
+	terraformerAgentDisableTokenWrap         bool
+	terraformerAgentDisableEnvironmentSuffix bool
+	terraformerAgentEnvironment              string
 )
 
 // -----------------------------------------------------------------------------
@@ -49,6 +50,7 @@ var terraformerAgentCmd = func() *cobra.Command {
 	cmd.Flags().StringVar(&terraformerAgentOutputPath, "out", "-", "Output file ('-' for stdout or a filename)")
 	cmd.Flags().StringVar(&terraformerAgentEnvironment, "env", "production", "Target environment")
 	cmd.Flags().BoolVar(&terraformerAgentDisableTokenWrap, "no-token-wrap", false, "Disable token wrapping")
+	cmd.Flags().BoolVar(&terraformerAgentDisableEnvironmentSuffix, "no-env-suffix", false, "Disable environment suffix in role and policy names")
 
 	return cmd
 }
@@ -75,7 +77,7 @@ func runTerraformerAgent(cmd *cobra.Command, _ []string) {
 	}
 
 	// Run terraformer
-	if err := terraformer.Run(ctx, reader, terraformerAgentEnvironment, terraformerAgentDisableTokenWrap, terraformer.AgentTemplate, writer); err != nil {
+	if err := terraformer.Run(ctx, reader, terraformerAgentEnvironment, terraformerAgentDisableTokenWrap, terraformerAgentDisableEnvironmentSuffix, terraformer.AgentTemplate, writer); err != nil {
 		log.For(ctx).Fatal("unable to process specification", zap.Error(err), zap.String("path", terraformerAgentInputSpec))
 	}
 }
@@ -0,0 +1,83 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package cmd
+
+import (
+	"io"
+
+	"github.com/spf13/cobra"
+	"go.uber.org/zap"
+
+	"github.com/elastic/harp-plugins/terraformer/pkg/terraformer"
+	"github.com/elastic/harp/pkg/sdk/cmdutil"
+	"github.com/elastic/harp/pkg/sdk/log"
+)
+
+var (
+	terraformerApproleInputSpec                string
+	terraformerApproleOutputPath               string
+	terraformerApproleDisableTokenWrap         bool
+	terraformerApproleDisableEnvironmentSuffix bool
+	terraformerApproleEnvironment              string
+)
+
+// -----------------------------------------------------------------------------
+
+var terraformerApproleCmd = func() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "approle",
+		Short: "policy and approle with approle engine",
+		Run:   runTerraformerApprole,
+	}
+
+	// Parameters
+	cmd.Flags().StringVar(&terraformerApproleInputSpec, "spec", "-", "AppRole specification path ('-' for stdin or filename)")
+	cmd.Flags().StringVar(&terraformerApproleOutputPath, "out", "-", "Output file ('-' for stdout or a filename)")
+	cmd.Flags().StringVar(&terraformerApproleEnvironment, "env", "production", "Target environment")
+	cmd.Flags().BoolVar(&terraformerApproleDisableTokenWrap, "no-token-wrap", false, "Disable token wrapping")
+	cmd.Flags().BoolVar(&terraformerApproleDisableEnvironmentSuffix, "no-env-suffix", false, "Disable environment suffix in role and policy names")
+
+	return cmd
+}
+
+func runTerraformerApprole(cmd *cobra.Command, _ []string) {
+	ctx, cancel := cmdutil.Context(cmd.Context(), "harp-terraformer-approle", conf.Debug.Enable, conf.Instrumentation.Logs.Level)
+	defer cancel()
+
+	var (
+		reader io.Reader
+		err    error
+	)
+
+	// Create input reader
+	reader, err = cmdutil.Reader(terraformerApproleInputSpec)
+	if err != nil {
+		log.For(ctx).Fatal("unable to open input specification", zap.Error(err), zap.String("path", terraformerApproleInputSpec))
+	}
+
+	// Create output writer
+	writer, err := cmdutil.Writer(terraformerApproleOutputPath)
+	if err != nil {
+		log.For(ctx).Fatal("unable to create output writer", zap.Error(err), zap.String("path", terraformerApproleOutputPath))
+	}
+
+	// Run terraformer
+	if err := terraformer.Run(ctx, reader, terraformerApproleEnvironment, terraformerApproleDisableTokenWrap, terraformerApproleDisableEnvironmentSuffix, terraformer.ApproleTemplate, writer); err != nil {
+		log.For(ctx).Fatal("unable to process specification", zap.Error(err), zap.String("path", terraformerApproleInputSpec))
+	}
+}
@@ -29,9 +29,10 @@ import (
 )
 
 var (
-	terraformerPolicyInputSpec   string
-	terraformerPolicyOutputPath  string
-	terraformerPolicyEnvironment string
+	terraformerPolicyInputSpec                string
+	terraformerPolicyOutputPath               string
+	terraformerPolicyEnvironment              string
+	terraformerPolicyDisableEnvironmentSuffix bool
 )
 
 // -----------------------------------------------------------------------------
@@ -47,6 +48,7 @@ var terraformerPolicyCmd = func() *cobra.Command {
 	cmd.Flags().StringVar(&terraformerPolicyInputSpec, "spec", "-", "AppRole specification path ('-' for stdin or filename)")
 	cmd.Flags().StringVar(&terraformerPolicyOutputPath, "out", "-", "Output file ('-' for stdout or a filename)")
 	cmd.Flags().StringVar(&terraformerPolicyEnvironment, "env", "production", "Target environment")
+	cmd.Flags().BoolVar(&terraformerPolicyDisableEnvironmentSuffix, "no-env-suffix", false, "Disable environment suffix in policy names")
 
 	return cmd
 }
@@ -73,7 +75,7 @@ func runTerraformerPolicy(cmd *cobra.Command, _ []string) {
 	}
 
 	// Run terraformer
-	if err := terraformer.Run(ctx, reader, terraformerPolicyEnvironment, true, terraformer.PolicyTemplate, writer); err != nil {
+	if err := terraformer.Run(ctx, reader, terraformerPolicyEnvironment, true, terraformerPolicyDisableEnvironmentSuffix, terraformer.PolicyTemplate, writer); err != nil {
 		log.For(ctx).Fatal("unable to process specification", zap.Error(err), zap.String("path", terraformerPolicyInputSpec))
 	}
 }
@@ -57,6 +57,7 @@ var mainCmd = func() *cobra.Command {
 
 	// Add subcommands
 	cmd.AddCommand(terraformerAgentCmd())
+	cmd.AddCommand(terraformerApproleCmd())
 	cmd.AddCommand(terraformerPolicyCmd())
 	cmd.AddCommand(terraformerServiceCmd())
 

@@ -29,9 +29,10 @@ import (
 )
 
 var (
-	terraformerServiceInputSpec   string
-	terraformerServiceOutputPath  string
-	terraformerServiceEnvironment string
+	terraformerServiceInputSpec                string
+	terraformerServiceOutputPath               string
+	terraformerServiceEnvironment              string
+	terraformerServiceDisableEnvironmentSuffix bool
 )
 
 // -----------------------------------------------------------------------------
@@ -47,6 +48,7 @@ var terraformerServiceCmd = func() *cobra.Command {
 	cmd.Flags().StringVar(&terraformerServiceInputSpec, "spec", "-", "AppRole specification path ('-' for stdin or filename)")
 	cmd.Flags().StringVar(&terraformerServiceOutputPath, "out", "-", "Output file ('-' for stdout or a filename)")
 	cmd.Flags().StringVar(&terraformerServiceEnvironment, "env", "production", "Target environment")
+	cmd.Flags().BoolVar(&terraformerServiceDisableEnvironmentSuffix, "no-env-suffix", false, "Disable environment suffix in role and policy names")
 
 	return cmd
 }
@@ -73,7 +75,7 @@ func runTerraformerService(cmd *cobra.Command, _ []string) {
 	}
 
 	// Run terraformer
-	if err := terraformer.Run(ctx, reader, terraformerServiceEnvironment, true, terraformer.ServiceTemplate, writer); err != nil {
+	if err := terraformer.Run(ctx, reader, terraformerServiceEnvironment, true, terraformerServiceDisableEnvironmentSuffix, terraformer.ServiceTemplate, writer); err != nil {
 		log.For(ctx).Fatal("unable to process specification", zap.Error(err), zap.String("path", terraformerServiceInputSpec))
 	}
 }
@@ -129,21 +129,28 @@ func pathCompiler(ring csov1.Ring, prefix []string, suffixFunc func() []*terrafo
 	return nil
 }
 
-func compile(env string, def *terraformerv1.AppRoleDefinition, specHash string, noTokenWrap bool) (*tmplModel, error) {
+func compile(env string, def *terraformerv1.AppRoleDefinition, specHash string, noTokenWrap, noEnvironmentSuffix bool) (*tmplModel, error) {
 	// Check arguments
 	if err := validate(def); err != nil {
 		return nil, err
 	}
 
+	// Check environment and suffix removal
+	objectName := slug.Make(fmt.Sprintf("%s %s", def.Meta.Name, env))
+	if noEnvironmentSuffix {
+		objectName = slug.Make(def.Meta.Name)
+	}
+
 	res := &tmplModel{
-		Date:             time.Now().UTC().Format(time.RFC3339),
-		SpecHash:         specHash,
-		Meta:             def.Meta,
-		Environment:      slug.Make(env),
-		RoleName:         slug.Make(def.Meta.Name),
-		ObjectName:       slug.Make(fmt.Sprintf("%s %s", def.Meta.Name, env)),
-		Namespaces:       map[string][]tmpSecretModel{},
-		DisableTokenWrap: noTokenWrap,
+		Date:                     time.Now().UTC().Format(time.RFC3339),
+		SpecHash:                 specHash,
+		Meta:                     def.Meta,
+		Environment:              slug.Make(env),
+		RoleName:                 slug.Make(def.Meta.Name),
+		ObjectName:               objectName,
+		Namespaces:               map[string][]tmpSecretModel{},
+		DisableTokenWrap:         noTokenWrap,
+		DisableEnvironmentSuffix: noEnvironmentSuffix,
 	}
 
 	if def.Spec.Namespaces != nil {