doc: add example of setting state encryption passphrase via environment variable #1644
Signed-off-by: Wasabi ワサビ /°\ <3478932+111a5ab1@users.noreply.github.com>
Reminder for the PR assignee: If this is a user-visible change, please update the changelog as part of the PR.
Thank you for making this change. I have a few suggestions on my side.
@@ -54,9 +57,9 @@ Research in cryptography can change the state of the art quickly. We will suppor | |||
|
|||
## Configuration | |||
|
|||
You can configure encryption in OpenTofu either by specifying the configuration in the OpenTofu code, or using the `TF_ENCRYPTION` environment variable. Both solutions are equivalent and if you use both, OpenTofu will merge the two configurations, overriding any code-based settings with the environment ones. | |||
You can configure encryption in OpenTofu either by specifying the configuration in the OpenTofu code, or using the `TF_ENCRYPTION` environment variable. If you use both, OpenTofu will add non-existing **block** entries in OpenToFu code with the blocks (e.g. `key_provider "pbkdf2" "main" { ... }`) defined in `TF_ENCRYPTION`. |
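Review bot: The replacement sentence in the Configuration paragraph drops the precedence statement from the old text ("overriding any code-based settings with the environment ones"), so a reader can no longer tell which source wins when both the code and `TF_ENCRYPTION` define the same setting. Keep the merge-and-override wording, and if the block-level behaviour needs stating, add it as a separate short sentence. The new line also spells the product name "OpenToFu", and "add non-existing block entries in OpenToFu code with the blocks" is hard to parse; wording along the lines of "blocks defined only in `TF_ENCRYPTION` are added to the code-based configuration" would read more clearly.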
I would prefer this block to remain unchanged, as the configuration will still be merged and that language should stay there. I would also advise against including longer inline blocks as it hinders readability. Also, this example doesn't mention the `pbkdf2` provider, so mentioning it in the text may be confusing.
@@ -70,6 +73,21 @@ The basic configuration structure looks as follows: | |||
</TabItem> | |||
</Tabs> | |||
|
|||
Below is an example of setting the Passphrase for the "`pbkdf2`" key provider via the `TF_ENCRYPTION` environment variable to avoid hard coding sensitive data in the OpenToFu configuration file: |
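Review bot: In the added lead-in sentence, "OpenToFu" should be "OpenTofu", "Passphrase" should be lowercase, and the double quotes around `pbkdf2` are redundant next to the code formatting. The sentence motivates the example only by keeping sensitive data out of the configuration file; it would help to also say that the rest of the encryption configuration stays in the code files, so readers understand that the environment variable carries a partial configuration that is merged with the code.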
I would suggest using active voice as much as possible:
Below is an example of setting the Passphrase for the "`pbkdf2`" key provider via the `TF_ENCRYPTION` environment variable to avoid hard coding sensitive data in the OpenToFu configuration file: | |
You can also pass in a partial configuration using environment variables. The following example shows how you can pass in the passphrase for the `pbkdf2` provider using an environment variable, but use the rest of the configuration from the OpenTofu code files. |
Also, I wonder if we want to specifically use the `pbkdf2` provider in this example as it is but one provider that should not receive preferential treatment.
Signed-off-by: Janos <86970079+janosdebugs@users.noreply.github.com>
…ation (#1671) Signed-off-by: Janos <86970079+janosdebugs@users.noreply.github.com>
As identified in #1642, the documentation on usage of `TF_ENCRYPTION` environment variable is incorrect.

This pull request:

- `terraform`, `encryption`) from State Encryption
- `TF_ENCRYPTION` variable Shell and Powershell examples.
- `pbkdf2` key provider via `TF_ENCRYPTION`.

Resolves #1642