Home
Laurent Nicolas edited this page Sep 16, 2022
Please see
- https://www.terraform.io/language/state/sensitive-data
- https://learn.hashicorp.com/tutorials/terraform/sensitive-variables
In a nutshell
- declare sensitive variables in a variables.tf file, and reference them from the resources in your other .tf files
- initialize the variables by using a .tfvars file or by environment variables of the form TF_VAR_<var_name>
For instance, in variables.tf
variable "cvo_svm_admin_password" {
type = string
sensitive = true // NOTE: requires Terraform 0.14 or above
}
access the variable in other .tf files as
svm_password = var.cvo_svm_admin_password
and then initialize the value with either
export TF_VAR_cvo_svm_admin_password=my_password
or use a protected .tfvars file with
cvo_svm_admin_password = "my_password"
Terraform acknowledges that sensitive values end up in the state file, and recommends encrypting the state file.
If this is not satisfactory, a manual workaround is to deploy with a temporary password (which is still exposed in the state file) and then change the password after deployment.
You may also use the lifecycle meta-argument so that Terraform does not plan an update to the resource just because the password in the configuration differs from the one recorded in the state file.
lifecycle {
ignore_changes = [
svm_password,
]
}
svm_password = var.cloudmanager_cvo_azure_svm_password
If you need to update the password, comment out the attribute name in the ignore_changes list:
lifecycle {
ignore_changes = [
# svm_password,
]
}
svm_password = var.cloudmanager_cvo_azure_svm_password
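The complete layout described above (sensitive variable declaration, reference from the resource, lifecycle ignore_changes, and initialization via environment variable or .tfvars file), written out as one added example. This is not code from the wiki or from the provider: the resource type netapp-cloudmanager_cvo_azure, its other arguments, the validation rule and the output are assumptions for illustration; only the svm_password argument and the variable names come from the page.

```hcl
# variables.tf
variable "cvo_svm_admin_password" {
  type        = string
  sensitive   = true # requires Terraform 0.14 or above
  description = "SVM admin password. Supply via TF_VAR_cvo_svm_admin_password or a protected .tfvars file."

  # Assumed policy for illustration: reject obviously weak values before they
  # ever reach the provider (and the state file).
  validation {
    condition     = length(var.cvo_svm_admin_password) >= 8
    error_message = "cvo_svm_admin_password must be at least 8 characters long."
  }
}

# main.tf
# The resource type and the omitted arguments are an assumption; the provider's
# documentation lists what is actually required for a CVO deployment.
resource "netapp-cloudmanager_cvo_azure" "example" {
  # ... other CVO arguments as required by the provider ...

  svm_password = var.cvo_svm_admin_password

  lifecycle {
    # Keep the resource unchanged when the password in the configuration differs
    # from the one recorded in the state file (e.g. after rotating it outside
    # Terraform). Comment this entry out when you do want to push a new password.
    ignore_changes = [
      svm_password,
    ]
  }
}

# outputs.tf
# Any output that carries a sensitive value must itself be marked sensitive,
# otherwise `terraform plan` fails with an error. The value is still written
# to the state file in plain text; `sensitive` only redacts CLI output.
output "svm_admin_password" {
  value     = var.cvo_svm_admin_password
  sensitive = true
}
```

Initialize the value either with `export TF_VAR_cvo_svm_admin_password=...` in the shell that runs terraform, or with a file such as terraform.tfvars containing `cvo_svm_admin_password = "..."`. Terraform loads terraform.tfvars and any *.auto.tfvars automatically; other file names need `-var-file`. Whichever file you use, keep it out of version control (for example via a `*.tfvars` entry in .gitignore) and restrict its permissions, since the value is stored there in clear text exactly as it is in the state file.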