doc: add example of setting state encryption passphrase via environment variable #1644
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Wasabi ワサビ /°\ <3478932+111a5ab1@users.noreply.github.com>
Signed-off-by: Wasabi ワサビ /°\ <3478932+111a5ab1@users.noreply.github.com>
Signed-off-by: Wasabi ワサビ /°\ <3478932+111a5ab1@users.noreply.github.com>
Signed-off-by: Wasabi ワサビ /°\ <3478932+111a5ab1@users.noreply.github.com>
Signed-off-by: Wasabi ワサビ /°\ <3478932+111a5ab1@users.noreply.github.com>
|
Reminder for the PR assignee: If this is a user-visible change, please update the changelog as part of the PR. |
janosdebugs
reviewed
May 13, 2024
| @@ -54,9 +57,9 @@ Research in cryptography can change the state of the art quickly. We will suppor | |||
|
|
|||
| ## Configuration | |||
|
|
|||
| You can configure encryption in OpenTofu either by specifying the configuration in the OpenTofu code, or using the `TF_ENCRYPTION` environment variable. Both solutions are equivalent and if you use both, OpenTofu will merge the two configurations, overriding any code-based settings with the environment ones. | |||
| You can configure encryption in OpenTofu either by specifying the configuration in the OpenTofu code, or using the `TF_ENCRYPTION` environment variable. If you use both, OpenTofu will add non-existing **block** entries in OpenToFu code with the blocks (e.g. `key_provider "pbkdf2" "main" { ... }`) defined in `TF_ENCRYPTION`. | |||
There was a problem hiding this comment.
I would prefer if this block to remain unchanged as the configuration will still be merged and that language should stay there. I would also advise against including longer inline blocks as it hinders readability. Also, this example doesn't mention the pbkdf2 provider, so mentioning it in the text may be confusing.
| @@ -70,6 +73,21 @@ The basic configuration structure looks as follows: | |||
| </TabItem> | |||
| </Tabs> | |||
|
|
|||
| Below is an example of setting the Passphrase for the "`pbkdf2`" key provider via the `TF_ENCRYPTION` environment variable to avoid hard coding sensitive data in the OpenToFu configuration file: | |||
There was a problem hiding this comment.
I would suggest using active voice as much as possible:
Suggested change
| Below is an example of setting the Passphrase for the "`pbkdf2`" key provider via the `TF_ENCRYPTION` environment variable to avoid hard coding sensitive data in the OpenToFu configuration file: | |
| You can also pass in a partial configuration using environment variables. The following example shows how you can pass in the passphrase for the `pbkdf2` provider using an environment variable, but use the rest of the configuration from the OpenTofu code files. |
Also, I wonder if we want to specifically use the pbkdf2 provider in this example as it is but one provider that should not receive preferential treatment.
janosdebugs
added a commit
that referenced
this pull request
May 22, 2024
Signed-off-by: Janos <86970079+janosdebugs@users.noreply.github.com>
janosdebugs
added a commit
that referenced
this pull request
May 22, 2024
janosdebugs
added a commit
that referenced
this pull request
May 22, 2024
…ation (#1671) Signed-off-by: Janos <86970079+janosdebugs@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As identified in #1642 the documentation on usage of
TF_ENCRYPTIONenvironment variable is incorrect.This pull request:
terraform,encryption) from State EncryptionTF_ENCRYPTIONvariable Shell and Powershell examples.pbkdf2key provider viaTF_ENCRYPTION.Resolves #1642