tweag / Terraform Provider Secret
Terraform secret Provider 💜
The secret provider has one mission: store secrets in the Terraform state.
Please be careful about your security stance before adopting this!
The motivation for this provider is that, much of the time, Terraform already contains secrets in its state file anyway. Instead of committing them to the repository and loading them with `"${file("./secret")}"`, why not import them directly into the state file?
When using a remote state file, the state is automatically distributed with the new secret which makes key rotation easier.
This is a better solution than storing secrets in Git. Look at adopting Hashicorp Vault in the longer term.
Requirements
Installation
Install via go get
- Follow these instructions to set up a Golang development environment.
- Use go get to pull down this repository and compile the binary:
```sh
go get -u -v github.com/tweag/terraform-provider-secret
```
The binary will be placed in $GOPATH/bin, or in $HOME/go/bin if $GOPATH is not set.
Install via Nix
If you are lucky enough to use Nix, it's already part of the full Terraform distribution:
```sh
nix-env -iA nixpkgs.terraform-full
```
Compile from source
Clone the repository:
```sh
$ git clone [email protected]:tweag/terraform-provider-secret
```
Enter the provider directory and build the provider:
```sh
$ cd terraform-provider-secret
$ GO111MODULE=on go build
```
Usage
Provider installation
- Copy the terraform-provider-secret binary to ~/.terraform.d/plugins (recommended) or any location specified by the Terraform documentation.
- Add the line `provider "secret" {}` to main.tf. To prevent warnings, you may optionally add a version lock to the provider entry in the form of `provider "secret" { version = "~> X.Y" }`, where X.Y is the version you wish to pin. Note that when the binary is built no version suffix is specified; you will need to manually add _vX.Y to the provider binary unless you directly use a release from GitHub.
- Run `terraform init`.
secret_resource
Schema:
- value, string: Returns the value of the secret
Example
Here we declare a new resource that will contain the secret:
```hcl
resource "secret_resource" "datadog_api_key" {
  lifecycle {
    # avoid accidentally losing the secret
    prevent_destroy = true
  }
}
```
To populate the secret, run
```sh
terraform import secret_resource.datadog_api_key TOKEN
```
where TOKEN is the value of the token.
Or, to import from a file:
```sh
terraform import secret_resource.datadog_api_key "$(< ./datadog-api-key)"
```
Once imported, the secret can be accessed using `secret_resource.datadog_api_key.value`.
Rotating secrets
```sh
terraform state rm secret_resource.datadog_api_key
terraform import secret_resource.datadog_api_key NEW_TOKEN
```
Importing binary secrets
Secret values can only contain UTF-8 encoded strings. If the secret is a binary key, a workaround is to encode it as base64 first, then use the Terraform base64decode() function when using it.
E.g.:
```sh
terraform import secret_resource.my_binary_key "$(base64 ./binary-key)"
```
Then, on usage:
```hcl
resource "other_resource" "xxx" {
  secret = base64decode(secret_resource.my_binary_key.value)
}
```
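Because every imported value lands in plaintext in the state file, an audit of that file is the check a practitioner wants before adopting this provider. The following is an added example, not code from the provider or this README: it walks a constructed v4 terraform.tfstate (the `id` attributes are placeholders, and `other_resource` is the placeholder name from the usage snippet above), lists every secret_resource value held in the state, and verifies that a value imported with the base64 workaround will survive the base64decode() round trip on use.

```python
"""Audit a Terraform state file for values stored by the `secret` provider."""
import base64
import json

# Constructed sample of a v4 terraform.tfstate after
#   terraform import secret_resource.datadog_api_key TOKEN
#   terraform import secret_resource.my_binary_key "$(base64 ./binary-key)"
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "secret_resource", "name": "datadog_api_key",
         "instances": [{"attributes": {"id": "datadog_api_key", "value": "TOKEN"}}]},
        {"mode": "managed", "type": "secret_resource", "name": "my_binary_key",
         "instances": [{"attributes": {
             "id": "my_binary_key",
             "value": base64.b64encode(b"\x00\xff\x10binary").decode()}}]},
        {"mode": "managed", "type": "other_resource", "name": "xxx",
         "instances": [{"attributes": {"id": "1"}}]},
    ],
})

def find_secret_resources(state_json: str) -> dict:
    """Return {resource address: stored value} for every secret_resource instance."""
    found = {}
    for res in json.loads(state_json).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "secret_resource":
            continue
        for inst in res.get("instances", []):
            addr = f"secret_resource.{res['name']}"
            if "index_key" in inst:  # count / for_each instances carry an index
                addr += f"[{json.dumps(inst['index_key'])}]"
            found[addr] = inst.get("attributes", {}).get("value", "")
    return found

def decode_binary_secret(value: str):
    """Decode a value imported via `base64 FILE` (what base64decode() sees on use).
    Returns the raw bytes, or None if the value is not strict, canonical base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw if base64.b64encode(raw).decode() == value else None

if __name__ == "__main__":
    # Every address printed here holds a plaintext secret: protect the state file.
    for addr, value in find_secret_resources(SAMPLE_STATE).items():
        kind = "base64" if decode_binary_secret(value) is not None else "utf-8"
        print(f"{addr}: {len(value)} chars stored in plaintext ({kind})")
```

Run it against a real state with `find_secret_resources(open("terraform.tfstate").read())`; any address it lists is a reason to keep that state remote, encrypted and access-controlled rather than in Git.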
Developing the Provider
If you wish to work on the provider, you'll first need Go installed on your machine (version 1.8+ is required). You'll also need to correctly set up a GOPATH, as well as add $GOPATH/bin to your $PATH.
To compile the provider, run `make build`. This will build the provider and put the provider binary in the $GOPATH/bin directory.
```sh
$ make bin
...
$ $GOPATH/bin/terraform-provider-secret
...
```
In order to test the provider, you can simply run `make test`.
```sh
$ make test
```
In order to run the full suite of acceptance tests, run `make testacc`.
Note: Acceptance tests create real resources, and often cost money to run.
```sh
$ make testacc
```
Related projects
- https://github.com/carlpett/terraform-provider-sops - decodes in-repo secrets on the fly.
License
This work is licensed under the Mozilla Public License 2.0. See LICENSE for more details.
Sponsors
This work has been sponsored by Digital Asset and Tweag I/O.
This repository is maintained by Tweag I/O
Have questions? Need help? Tweet at @tweagio.