Terraform is an open source tool for automated resource orchestration. Resource Orchestration Service (ROS) can host Terraform. The development methods and suggestions that are described in this topic are intended for users who are familiar with Terraform and Terraform hosting methods and want to develop Terraform code and use the code in ROS.

Development methods

This topic describes the methods that you can use to develop and test Terraform code. We recommend that you use a method with which you are familiar. You can use the following development methods:

Development suggestions

  • We recommend that you do not declare an Alibaba Cloud (alicloud) provider in the .tf file.

    ROS has a default Alibaba Cloud provider that uses the temporary AccessKey pair or Security Token Service (STS) credential of the current Alibaba Cloud account and the region in which the stack resides. The default provider provides the following benefits:

    • Simplifies development, improves security, and reduces the risk of AccessKey pair leaks.
    • Ensures that resources and stacks are in the same region to allow users to manage and integrate resources and stacks in a centralized manner.
    • Supports features such as price inquiry, system tag passing, stack user tag passing, and stack resource group passing if resources and stacks belong to the same region.
  • We recommend that you save your local code to the file whose name ends with .debug.tf.

    When Terraform code is hosted by ROS, ROS ignores files whose names end with .debug.tf, and does not orchestrate these files. When you test code on your computer, ROS orchestrates files whose names end with .debug.tf. For example, you can compile a file named provider.debug.tf to configure an Alibaba Cloud provider. When you develop code on your computer, the configurations in the file take effect, and resources are created in the China (Hong Kong) region. When you create a stack in ROS, ROS ignores the file and creates resources in the region to which the stack belongs. The provider.debug.tf file contains the following content:

    variable "region" {
      type = string
      default = "cn-hongkong"
    provider "alicloud" {
      region ="${var.region}"
  • We recommend that you specify the provider version.

    Terraform hosting supports multiple provider versions. The provider versions are displayed in ascending order, such as Aliyun::Terraform-v1.0 and Aliyun::Terraform-v2.0. If you specify the provider version, issues that are related to version updates can be prevented and stability is ensured. Sample code:

    terraform {
      required_providers {
        alicloud = {
          source  = "aliyun/alicloud"
          version = "1.140.0"

    For more information about provider versions, see the Provider version column in the Terraform and provider versions that are supported by ROS topic.

  • We recommend that you do not use .tfvars files. You can use ROS parameters to pass variable values.

    ROS parameters provide the following benefits:

    • ROS parameters help reduce the number of times a template is modified. In most cases, you need only to change the parameter values.
    • Variables and ROS parameters have a one-to-one mapping. ROS parameters are displayed in the console. If .tfvars files are used, the variable values may be overwritten. If the variable values are overwritten, the actual values are different from the values that are displayed in the console.

    For more information, see Parameters (Optional).

  • We recommend that you use pseudo parameters to obtain stack information.

    For more information, see Parameters (Optional). For example, you can define the ALIYUN__Region variable in the .tf file and then use var.ALIYUN__Region to access the variable. This way, you can obtain the region to which the stack belongs. Sample code:

    variable "ALIYUN__Region" {
      type = string
      default = "cn-hongkong"
  • We recommend that you refine the variable definitions.

    ROS automatically converts Terraform variables to ROS parameters. To ensure the precision of the conversion result, you can refine the variable definitions. For more information, see Parameters (Optional).

    • If you do not specify the type for a variable, ROS may process the variable as a character string and pass the string to Terraform. Terraform may encounter a variable type error during orchestration.
    • If a parameter contains sensitive information, set sensitive to true for the parameter.
      variable "password" {
        type = string
        sensitive = true
  • We recommend that you use Metadata to manage the display of parameters in the console.
    • Group parameters: For more information, see Metadata and Use Metadata to group parameters.
    • Hide parameters: Use Metadata.ALIYUN::ROS::Interface.Hidden to specify the list of parameters that you want to hide.
        "ROSTemplateFormatVersion": "2015-09-01",
        "Description": "Creates a simple oss bucket",
        "Parameters": {
          "BucketName": {
            "Type": "String",
            "Label": "Bucket Name",
            "Description": {
              "en": "Bucket name",
            "Default": "bucketName1"
        "Metadata": {
          "ALIYUN::ROS::Interface": {
            "Hidden": [
        "Workspace": ...
  • We recommend that you control the input mode of parameters in the console.
    • You can use AssociationProperty and AssociationPropertyMetadata to automatically verify the validity of the ROS parameter values and provide parameter value information. For more information, see AssociationProperty and AssociationPropertyMetadata and Select parameter configurations in the ROS console.
    • In Terraform variables, you can use the description field to describe AssociationProperty and AssociationPropertyMetadata. For more information, see Parameters (Optional). Sample code:
      variable "vpc_id" {
        type = string
        description = <<EOT
          "AssociationProperty": "ALIYUN::ECS::VPC::VPCId",
          "Description": {
            "en": "Please search the ID starts with (vpc-xxx)from console-Virtual Private Cloud",
          "Label": {
            "en": "Existing VPC ID",