The `secret` provider has one mission: store secrets in the Terraform state.
Please be careful about your security stance before adopting this!

The main goal of this provider is that, a lot of the time, Terraform already
contains secrets in its state file anyway. Instead of putting them in the repo
and then loading them with `"${file("./secret")}"`, why not import them
directly into the state file?

When using a remote state file, the state is automatically distributed with
the new secret, which makes key rotation easier.

This is only a better solution than storing secrets in Git. Look at adopting
HashiCorp Vault in the longer term.
## Requirements

## How to install

### Building from source

- Follow these instructions to set up a Golang development environment.
- Use `go get` to pull down this repository and compile the binary:

  ```sh
  go get -u -v github.com/tweag/terraform-provider-secret
  ```
### Using Nix

If you are lucky enough to use Nix, it's already part of the full Terraform
distribution:

```sh
nix-env -iA nixpkgs.terraform-full
```
### Building The Provider

Clone the repository to `$GOPATH/src/github.com/tweag/terraform-provider-secret`:

```sh
$ git clone git@github.com:tweag/terraform-provider-secret $GOPATH/src/github.com/tweag/terraform-provider-secret
```

Enter the provider directory and build the provider:

```sh
$ cd $GOPATH/src/github.com/tweag/terraform-provider-secret
$ make build
```
## Using the provider

### secret_resource

Schema:

- `value`, string: Returns the value of the secret
#### Example

Here we declare a new resource that will contain the secret.

```hcl
resource "secret_resource" "datadog_api_key" {
  lifecycle {
    # avoid accidentally losing the secret
    prevent_destroy = true
  }
}
```

To populate the secret, run

```sh
terraform import secret_resource.datadog_api_key TOKEN
```

where `TOKEN` is the value of the token.

Once imported, the secret can be accessed using
`secret_resource.datadog_api_key.value`.
### Rotating secrets

```sh
terraform state rm secret_resource.datadog_api_key
terraform import secret_resource.datadog_api_key NEW_TOKEN
```
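The import and rotation commands above take the token as a command-line argument, so in an interactive shell it ends up in the shell history. The wrapper below is an added example, not part of the provider's own code: it reads the token from standard input instead, checks with `terraform state list` that an address exists before removing it, and refuses an empty token. It assumes `terraform` and the provider are on `$PATH` and that it is run from the configuration directory; the token is still passed to `terraform import` itself as an argument, so it remains visible in the process list for the duration of that command.

```shell
#!/bin/sh
# Added example (not part of tweag/terraform-provider-secret): shell wrappers
# around the import / rotate procedure described in the README.
# Assumes the `terraform` binary and the secret provider are on $PATH and that
# this runs in the root of the Terraform configuration.

# import_secret ADDRESS
# The token is read from stdin (e.g. piped from a password manager), so it is
# not typed on the command line and recorded in shell history.
import_secret() {
    addr="$1"
    IFS= read -r token || return 1
    [ -n "$token" ] || { echo "import_secret: empty token, nothing imported" >&2; return 1; }
    terraform import "$addr" "$token"
}

# secret_present ADDRESS
# Succeeds if the address is already in the state. Uses `terraform state list`
# rather than `terraform state show` so the secret value is never printed.
secret_present() {
    terraform state list | grep -Fxq "$1"
}

# rotate_secret ADDRESS
# New token on stdin. Removes the old entry only if it exists, then imports.
rotate_secret() {
    addr="$1"
    if secret_present "$addr"; then
        terraform state rm "$addr"
    fi
    import_secret "$addr"
}

# Usage (the token file or password-manager command is yours to supply):
#   cat new-token.txt | rotate_secret secret_resource.datadog_api_key
```

Source the file (`. ./secret-helpers.sh`) or paste the functions into your shell, then pipe the token in from wherever you keep it; with a remote state backend the rotated value is distributed to other users on their next `terraform` run, as the README describes.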
## Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your
machine (version 1.8+ is required). You'll also need to correctly set up a
`GOPATH`, as well as adding `$GOPATH/bin` to your `$PATH`.

To compile the provider, run `make build`. This will build the provider and put
the provider binary in the `$GOPATH/bin` directory.

```sh
$ make bin
...
$ $GOPATH/bin/terraform-provider-secret
...
```

In order to test the provider, you can simply run `make test`.

```sh
$ make test
```

In order to run the full suite of acceptance tests, run `make testacc`.

Note: Acceptance tests create real resources, and often cost money to run.

```sh
$ make testacc
```
## License

This work is licensed under the Mozilla Public License 2.0. See
LICENSE for more details.

This work has been sponsored by Digital Asset and Tweag I/O.

![Tweag I/O](https://avatars1.githubusercontent.com/u/6057932?s=200&v=4)

This repository is maintained by Tweag I/O.

Have questions? Need help? Tweet at @tweagio.