https://github.com/numtide/terraform-provider-secret
Terraform provider that holds secrets in its state
https://github.com/numtide/terraform-provider-secret
terraform-provider
Last synced: 6 months ago
JSON representation
Terraform provider that holds secrets in its state
- Host: GitHub
- URL: https://github.com/numtide/terraform-provider-secret
- Owner: numtide
- License: mpl-2.0
- Fork: true (tweag/terraform-provider-secret)
- Created: 2021-06-21T16:29:17.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2023-05-08T16:09:56.000Z (about 3 years ago)
- Last Synced: 2026-01-13T21:54:02.476Z (6 months ago)
- Topics: terraform-provider
- Language: Go
- Homepage:
- Size: 7.89 MB
- Stars: 4
- Watchers: 1
- Forks: 1
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Code of conduct: .github/CODE_OF_CONDUCT.md
Awesome Lists containing this project
README
Terraform `secret` Provider 💜
===================================
The `secret` provider has one mission: store secrets in the Terraform state.
Please be careful about your security stance before adopting this!
The main goal of this provider is that a lot of time, terraform contains
secrets in it's state file anyways. Instead of putting them in the repo and
the loading them with `"${file("./secret")}"` why not import them directly
into the state file?
When using a remote state file, the state is automatically distributed with
the new secret which makes key rotation easier.
This is a better solution than storing secrets in Git. Look at adopting
Hashicorp Vault in the longer term.
## Requirements
- [Terraform](https://www.terraform.io/downloads.html) 0.12.x
- [Go](https://golang.org/doc/install) 1.11 (to build the provider plugin)
## Installation
### Install via `go get`
1. Follow these [instructions](https://golang.org/doc/install) to setup a Golang development environment.
2. Use `go get` to pull down this repository and compile the binary:
```
go get -u -v github.com/numtide/terraform-provider-secret
```
The binary will be placed in `$GOPATH/bin` or `$HOME/go/bin` if `$GOPATH` is not set.
### Install via Nix
If you are lucky enough to use [Nix](https://builtwithnix.org), it's
already part of the full terraform distribution:
```sh
nix-env -iA nixpkgs.terraform-full
```
### Compile from source
Clone the repository:
```sh
$ git clone git@github.com:numtide/terraform-provider-secret
```
Enter the provider directory and build the provider
```sh
$ cd terraform-provider-secret
$ GO111MODULE=on go build
```
## Usage
### Provider installation
* Copy the `terraform-provider-secret` binary to `~/.terraform.d/plugins` (recommended) or any location specified by [Terraform documentation](https://www.terraform.io/docs/extend/how-terraform-works.html#plugin-locations).
* Add the line `provider "secret" {}` line to `main.tf`
To prevent warnings, you may optionally add a version lock to the provider entry in the form of `provider "secret" { version = "~> X.Y"}` where `X.Y` is the version you wish to pin. Note that when the binary is built no version suffix is specified; you will need to manually add `_vX.Y` to the provider binary unless you directly use release from Github.
* Run `terraform init`.
### Using `secret_resource`
**Schema**:
* `value`, string: Returns the value of the secret
### Example
Here we declare a new resource that will contain the secret.
```tf
resource "secret_resource" "datadog_api_key" {
lifecycle {
# avoid accidentally loosing the secret
prevent_destroy = true
}
}
```
To populate the secret, run
```sh
terraform import secret_resource.datadog_api_key TOKEN
```
where `TOKEN` is the value of the token.
Or to import from a file:
```sh
terraform import secret_resource.datadog_api_key "$(< ./datadog-api-key)"
```
Once imported, the secret can be accessed using
`secret_resource.datadog_api_key.value`
### Rotating secrets
```sh
terraform state rm secret_resource.datadog_api_key
terraform import secret_resource.datadog_api_key NEW_TOKEN
```
### Importing binary secrets
The secret values can only contain UTF-8 encoded strings. If the secret is a
binary key, a workaround it to encode it first as base64, then use the
terraform `base64decode()` function on usage.
Eg:
```sh
terraform import secret_resource.my_binary_key "$(base64 ./binary-key)"
```
Then on usage:
```tf
resource "other_resource" "xxx" {
secret = base64decode(secret_resource.my_binary_key.value)
}
```
## Developing the Provider
If you wish to work on the provider, you'll first need
[Go](http://www.golang.org) installed on your machine (version 1.8+ is
*required*). You'll also need to correctly setup a
[GOPATH](http://golang.org/doc/code.html#GOPATH), as well as adding
`$GOPATH/bin` to your `$PATH`.
To compile the provider, run `make build`. This will build the provider and
put the provider binary in the `$GOPATH/bin` directory.
```sh
$ make bin
...
$ $GOPATH/bin/terraform-provider-secret
...
```
In order to test the provider, you can simply run `make test`.
```sh
$ make test
```
In order to run the full suite of Acceptance tests, run `make testacc`.
*Note:* Acceptance tests create real resources, and often cost money to run.
```sh
$ make testacc
```
## Related projects
* https://github.com/carlpett/terraform-provider-sops - allows to decode
in-repo secrets on the fly.
## License
This work is licensed under the Mozilla Public License 2.0. See
[LICENSE](LICENSE) for more details.
## Sponsors
This work has been sponsored by [Digital Asset](https://digitalasset.com) and [Tweag I/O](https://tweag.io).
[](http://digitalasset.com)
[](https://tweag.io)
This repository is maintained by [Numtide](http://numtide.com)
Have questions? Need help? Tweet at
[@numtide](http://twitter.com/numtide).