This Terraform provides allows to use secrets in terraform and commit them encrypted in your repository. The philosophy of this provider is the same as chef's encrypted data bags. This provider is composed of the provider itself and a cli tool called tf-secrets to manage encrypted terraform vars.
The crypto algorithms used are :
- Argon2 as key generation algorithm
- AES256 as block cipher algorithm
This provider plugin is maintained by Sedicii.
curl https://raw.githubusercontent.com/Sedicii/terraform-provider-secrets/master/scripts/install-secrets-tf-plugin.sh | bashcurl https://raw.githubusercontent.com/Sedicii/terraform-provider-secrets/master/scripts/install-secrets-tf12-plugin.sh | bash
provider "secrets" {
version = "~> 0.1.0"
}
data "secrets_decrypt" "github_oauth_token" {
var = "${var.github_oauth_token}"
password = "${var.secrets_master_password}"
}
output "github_oauth_token" {
value = "${data.secrets_decrypt.github_oauth_token.value}"
}
# To create a new secrets file
tf-secrets create github.secrets.tfvars -p <secrets_master_password>
# To edit a secrets file
tf-secrets edit github.secrets.tfvars -p <secrets_master_password>For a more detailed example look at the example directory
Clone repository to: $GOPATH/src/github.com/sedicii/terraform-provider-secrets
$ mkdir -p $GOPATH/src/github.com/sedicii; cd $GOPATH/src/github.com/sedicii
$ git clone git@github.com:sedicii/terraform-provider-secretsEnter the provider directory and build the provider
$ cd $GOPATH/src/github.com/sedicii/terraform-provider-secrets
$ make buildIf you wish to work on the provider, you'll first need Go installed on your machine (version 1.8+ is required). You'll also need to correctly setup a GOPATH, as well as adding $GOPATH/bin to your $PATH.
To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.
$ make bin
...
$ $GOPATH/bin/terraform-provider-secrets
...In order to test the provider, you can simply run make test.
$ make test