Skip to content
This repository has been archived by the owner on Sep 25, 2024. It is now read-only.

Terraform provider that holds secrets in its state

License

Notifications You must be signed in to change notification settings

rossumai/terraform-provider-secret

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Terraform secret Provider 💜

The secret provider has one mission: store secrets in the Terraform state.

Please be careful about your security stance before adopting this!

The main goal of this provider is that a lot of time, terraform contains secrets in it's state file anyways. Instead of putting them in the repo and the loading them with "${file("./secret")}" why not import them directly into the state file?

When using a remote state file, the state is automatically distributed with the new secret which makes key rotation easier.

This is a better solution than storing secrets in Git. Look at adopting Hashicorp Vault in the longer term.

Requirements

  • Terraform 0.12.x
  • Go 1.11 (to build the provider plugin)

Installation

Install via go get

  1. Follow these instructions to setup a Golang development environment.
  2. Use go get to pull down this repository and compile the binary:
go get -u -v github.com/numtide/terraform-provider-secret

The binary will be placed in $GOPATH/bin or $HOME/go/bin if $GOPATH is not set.

Install via Nix

If you are lucky enough to use Nix, it's already part of the full terraform distribution:

nix-env -iA nixpkgs.terraform-full

Compile from source

Clone the repository:

$ git clone [email protected]:numtide/terraform-provider-secret

Enter the provider directory and build the provider

$ cd terraform-provider-secret
$ GO111MODULE=on go build

Usage

Provider installation

  • Copy the terraform-provider-secret binary to ~/.terraform.d/plugins (recommended) or any location specified by Terraform documentation.

  • Add the line provider "secret" {} line to main.tf To prevent warnings, you may optionally add a version lock to the provider entry in the form of provider "secret" { version = "~> X.Y"} where X.Y is the version you wish to pin. Note that when the binary is built no version suffix is specified; you will need to manually add _vX.Y to the provider binary unless you directly use release from Github.

  • Run terraform init.

Using secret_resource

Schema:

  • value, string: Returns the value of the secret

Example

Here we declare a new resource that will contain the secret.

resource "secret_resource" "datadog_api_key" {
  lifecycle {
    # avoid accidentally loosing the secret
    prevent_destroy = true
  }
}

To populate the secret, run

terraform import secret_resource.datadog_api_key TOKEN

where TOKEN is the value of the token.

Or to import from a file:

terraform import secret_resource.datadog_api_key "$(< ./datadog-api-key)"

Once imported, the secret can be accessed using secret_resource.datadog_api_key.value

Rotating secrets

terraform state rm secret_resource.datadog_api_key
terraform import secret_resource.datadog_api_key NEW_TOKEN

Importing binary secrets

The secret values can only contain UTF-8 encoded strings. If the secret is a binary key, a workaround it to encode it first as base64, then use the terraform base64decode() function on usage.

Eg:

terraform import secret_resource.my_binary_key "$(base64 ./binary-key)"

Then on usage:

resource "other_resource" "xxx" {
  secret = base64decode(secret_resource.my_binary_key.value)
}

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.8+ is required). You'll also need to correctly setup a GOPATH, as well as adding $GOPATH/bin to your $PATH.

To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.

$ make bin
...
$ $GOPATH/bin/terraform-provider-secret
...

In order to test the provider, you can simply run make test.

$ make test

In order to run the full suite of Acceptance tests, run make testacc.

Note: Acceptance tests create real resources, and often cost money to run.

$ make testacc

Related projects

License

This work is licensed under the Mozilla Public License 2.0. See LICENSE for more details.

Sponsors

This work has been sponsored by Digital Asset and Tweag I/O.

Digital Asset Tweag I/O

This repository is maintained by Numtide

Have questions? Need help? Tweet at @numtide.

About

Terraform provider that holds secrets in its state

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 100.0%