The secret
provider has one mission: store secrets in the Terraform state.
Please be careful about your security stance before adopting this!
The main goal of this provider is that a lot of time, terraform contains
secrets in it's state file anyways. Instead of putting them in the repo and
the loading them with "${file("./secret")}"
why not import them directly
into the state file?
When using a remote state file, the state is automatically distributed with the new secret which makes key rotation easier.
This is a better solution than storing secrets in Git. Look at adopting Hashicorp Vault in the longer term.
- Follow these instructions to setup a Golang development environment.
- Use
go get
to pull down this repository and compile the binary:
go get -u -v github.com/numtide/terraform-provider-secret
The binary will be placed in $GOPATH/bin
or $HOME/go/bin
if $GOPATH
is not set.
If you are lucky enough to use Nix, it's already part of the full terraform distribution:
nix-env -iA nixpkgs.terraform-full
Clone the repository:
$ git clone [email protected]:numtide/terraform-provider-secret
Enter the provider directory and build the provider
$ cd terraform-provider-secret
$ GO111MODULE=on go build
-
Copy the
terraform-provider-secret
binary to~/.terraform.d/plugins
(recommended) or any location specified by Terraform documentation. -
Add the line
provider "secret" {}
line tomain.tf
To prevent warnings, you may optionally add a version lock to the provider entry in the form ofprovider "secret" { version = "~> X.Y"}
whereX.Y
is the version you wish to pin. Note that when the binary is built no version suffix is specified; you will need to manually add_vX.Y
to the provider binary unless you directly use release from Github. -
Run
terraform init
.
Schema:
value
, string: Returns the value of the secret
Here we declare a new resource that will contain the secret.
resource "secret_resource" "datadog_api_key" {
lifecycle {
# avoid accidentally loosing the secret
prevent_destroy = true
}
}
To populate the secret, run
terraform import secret_resource.datadog_api_key TOKEN
where TOKEN
is the value of the token.
Or to import from a file:
terraform import secret_resource.datadog_api_key "$(< ./datadog-api-key)"
Once imported, the secret can be accessed using
secret_resource.datadog_api_key.value
terraform state rm secret_resource.datadog_api_key
terraform import secret_resource.datadog_api_key NEW_TOKEN
The secret values can only contain UTF-8 encoded strings. If the secret is a
binary key, a workaround it to encode it first as base64, then use the
terraform base64decode()
function on usage.
Eg:
terraform import secret_resource.my_binary_key "$(base64 ./binary-key)"
Then on usage:
resource "other_resource" "xxx" {
secret = base64decode(secret_resource.my_binary_key.value)
}
If you wish to work on the provider, you'll first need
Go installed on your machine (version 1.8+ is
required). You'll also need to correctly setup a
GOPATH, as well as adding
$GOPATH/bin
to your $PATH
.
To compile the provider, run make build
. This will build the provider and
put the provider binary in the $GOPATH/bin
directory.
$ make bin
...
$ $GOPATH/bin/terraform-provider-secret
...
In order to test the provider, you can simply run make test
.
$ make test
In order to run the full suite of Acceptance tests, run make testacc
.
Note: Acceptance tests create real resources, and often cost money to run.
$ make testacc
- https://github.com/carlpett/terraform-provider-sops - allows to decode in-repo secrets on the fly.
This work is licensed under the Mozilla Public License 2.0. See LICENSE for more details.
This work has been sponsored by Digital Asset and Tweag I/O.
This repository is maintained by Numtide
Have questions? Need help? Tweet at @numtide.