The secret provider has one mission: store secrets in the Terraform state.

Please be careful about your security stance before adopting this!

The main motivation for this provider is that, much of the time, Terraform ends up with secrets in its state file anyway. Instead of putting them in the repo and then loading them with `"${file("./secret")}"`, why not import them directly into the state file?

When using a remote state file, the state is automatically distributed with the new secret, which makes key rotation easier.

This is a better solution than storing secrets in Git. Look at adopting HashiCorp Vault in the longer term.
- Follow the Go project's instructions to set up a Go development environment.
- Use `go get` to pull down this repository and compile the binary:

```
go get -u -v github.com/tweag/terraform-provider-secret
```

The binary will be placed in `$GOPATH/bin`, or in `$HOME/go/bin` if `$GOPATH` is not set.
If you are lucky enough to use Nix, it's already part of the full Terraform distribution:

```
nix-env -iA nixpkgs.terraform-full
```

To build from source instead, clone the repository:

```
$ git clone git@github.com:tweag/terraform-provider-secret
```

Enter the provider directory and build the provider:

```
$ cd terraform-provider-secret
$ GO111MODULE=on go build
```

- Copy the `terraform-provider-secret` binary to `~/.terraform.d/plugins` (recommended) or any location specified by the Terraform documentation.
- Add the line `provider "secret" {}` to `main.tf`. To prevent warnings, you may optionally add a version lock to the provider entry in the form of `provider "secret" { version = "~> X.Y" }`, where `X.Y` is the version you wish to pin. Note that when the binary is built no version suffix is specified; you will need to manually add `_vX.Y` to the provider binary unless you directly use a release from GitHub.
- Run `terraform init`.
Schema:

- `value`, string: Returns the value of the secret.
Here we declare a new resource that will contain the secret.

```
resource "secret_resource" "datadog_api_key" {
  lifecycle {
    # avoid accidentally losing the secret
    prevent_destroy = true
  }
}
```

To populate the secret, run

```
terraform import secret_resource.datadog_api_key TOKEN
```

where `TOKEN` is the value of the token.

Or to import from a file:

```
terraform import secret_resource.datadog_api_key "$(< ./datadog-api-key)"
```

Once imported, the secret can be accessed using `secret_resource.datadog_api_key.value`.

To rotate the secret, remove it from the state and import the new value:

```
terraform state rm secret_resource.datadog_api_key
terraform import secret_resource.datadog_api_key NEW_TOKEN
```

The secret values can only contain UTF-8 encoded strings. If the secret is a binary key, a workaround is to encode it first as base64, then use the Terraform `base64decode()` function on usage.

Eg:

```
terraform import secret_resource.my_binary_key "$(base64 ./binary-key)"
```

Then on usage:

```
resource "other_resource" "xxx" {
  secret = base64decode(secret_resource.my_binary_key.value)
}
```

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.8+ is required). You'll also need to correctly set up a `GOPATH`, as well as add `$GOPATH/bin` to your `$PATH`.
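The usage steps above (pinned provider, `prevent_destroy`, import, rotation, and the base64 workaround for binary keys) put together in one `main.tf`. This is an added example, not configuration from the project's README; the backend settings, the `~> 1.0` version pin and the `other_resource` consumer are placeholders/assumptions, as is the `tls_private_key` resource name.

```hcl
# main.tf (added example, not from the project's README).
# Assumes the provider binary is installed as terraform-provider-secret_v1.0
# and that the state lives in an access-controlled remote backend; all
# backend values below are placeholders.

terraform {
  backend "s3" {
    bucket  = "REPLACE-ME-state-bucket"   # placeholder
    key     = "secrets/terraform.tfstate" # placeholder
    region  = "eu-west-1"                 # placeholder
    encrypt = true                        # the state holds the secrets in plaintext
  }
}

provider "secret" {
  version = "~> 1.0" # assumption: match the _vX.Y suffix of your binary
}

# A text secret. Populate it with:
#   terraform import secret_resource.datadog_api_key "$(< ./datadog-api-key)"
# Rotate it with:
#   terraform state rm secret_resource.datadog_api_key
#   terraform import secret_resource.datadog_api_key NEW_TOKEN
resource "secret_resource" "datadog_api_key" {
  lifecycle {
    # the state may be the only copy; never let a plan remove it
    prevent_destroy = true
  }
}

# A binary secret. The provider stores UTF-8 strings only, so import the
# base64 form:
#   terraform import secret_resource.tls_private_key "$(base64 ./server.key)"
resource "secret_resource" "tls_private_key" {
  lifecycle {
    prevent_destroy = true
  }
}

# Placeholder consumer, in the style of the README's other_resource example.
resource "other_resource" "api_client" {
  api_key     = secret_resource.datadog_api_key.value
  private_key = base64decode(secret_resource.tls_private_key.value)
}

# sensitive = true redacts the value from `terraform output` and plan output.
# It is still stored in plaintext in the state file, and
# `terraform state show secret_resource.datadog_api_key` prints it, so
# anyone who can read the backend can read the secret.
output "datadog_api_key" {
  value     = secret_resource.datadog_api_key.value
  sensitive = true
}
```

Because `terraform import` only writes the value into the state, the resource blocks above stay free of secret material and the repository never carries the token; the access controls on the backend are what protects it.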
To compile the provider, run `make build`. This will build the provider and put the provider binary in the `$GOPATH/bin` directory.

```
$ make bin
...
$ $GOPATH/bin/terraform-provider-secret
...
```

In order to test the provider, you can simply run `make test`.

```
$ make test
```

In order to run the full suite of acceptance tests, run `make testacc`.

Note: Acceptance tests create real resources, and often cost money to run.

```
$ make testacc
```

Related projects:

- https://github.com/carlpett/terraform-provider-sops - allows decoding in-repo secrets on the fly.
This work is licensed under the Mozilla Public License 2.0. See LICENSE for more details.
This work has been sponsored by Digital Asset and Tweag I/O.
This repository is maintained by Tweag I/O.
Have questions? Need help? Tweet at @tweagio.