
Feature request: create missing secrets #2

Open
gibbsoft opened this issue Feb 7, 2017 · 6 comments

Comments

@gibbsoft

gibbsoft commented Feb 7, 2017

Great plugin, thanks so much for writing this!

It would be really useful if the plugin could work something like this, although I'm not sure of the constraints of the data provider:

data "credstash_secret" "ssh_key" {
  name               = "ssh_key.public"
  command_if_missing = ["bash -x bin/generate_ssh_keypair.sh"]
}

This would mean that secrets wouldn't have to be preloaded into credstash, but could be dynamically created when required.

@tmichel
Member

tmichel commented Feb 13, 2017

This is an interesting idea. I think data sources are for read only data so if you want to create secrets that should be a terraform resource instead. I feel that hard coding passwords in terraform config is not the best way to go about this but generating it on-demand could be a viable approach.

Terraform stores everything in plain text in the state file. It is bad enough that sensitive data end up there as well so secrets retrieved by this provider are also leaked into the state. Putting passwords or any kind of secret in source control rubs me the wrong way so I'm hesitant about a feature that encourages this.

There are some really nice improvements coming in the next major release (hashicorp/terraform#11286) that could improve secrets handling in terraform.
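As an added illustration of the state-file concern raised above (example code written for this thread, not code from the credstash provider or from Terraform): a small scanner that walks a `terraform.tfstate` and reports every secret value that sits in it in plain text. It handles both the version-3 layout (Terraform 0.11 and earlier) and the version-4 layout (0.12 and later). It assumes the `credstash_secret` data source exposes the decrypted secret as the computed attribute `value`; `aws_iam_access_key.secret` is a real attribute of that AWS resource. The two state documents are constructed samples.

```python
"""Report which secrets sit in plain text in a Terraform state file.

Added example for this thread, not code from the credstash provider.
Walks both state layouts: version 3 (Terraform 0.11 and earlier) and
version 4 (Terraform 0.12 and later). Assumes the credstash_secret data
source exposes the decrypted secret as the computed attribute "value"
(assumption; check the provider schema).
"""
import json

# resource type -> attribute that holds the secret value
SECRET_ATTRS = {
    "credstash_secret": "value",    # assumed attribute name, see docstring
    "aws_iam_access_key": "secret",  # real attribute of the AWS resource
}


def _v3_entries(state):
    """Yield (module, address, type, attributes) from a version-3 state."""
    for module in state.get("modules", []):
        path = ".".join(module.get("path", ["root"]))
        for address, res in module.get("resources", {}).items():
            attrs = res.get("primary", {}).get("attributes", {})
            yield path, address, res.get("type"), attrs


def _v4_entries(state):
    """Yield (module, address, type, attributes) from a version-4 state."""
    for res in state.get("resources", []):
        prefix = "data." if res.get("mode") == "data" else ""
        address = f"{prefix}{res['type']}.{res['name']}"
        module = res.get("module", "root")
        for inst in res.get("instances", []):
            yield module, address, res.get("type"), inst.get("attributes", {})


def find_plaintext_secrets(state_text, secret_attrs=SECRET_ATTRS):
    """Return [(module, address, attribute, value)] for every plaintext secret."""
    state = json.loads(state_text)
    version = state.get("version")
    if version == 4:
        entries = _v4_entries(state)
    elif version == 3:
        entries = _v3_entries(state)
    else:
        raise ValueError(f"unsupported state version {version!r}")
    hits = []
    for module, address, rtype, attrs in entries:
        attr = secret_attrs.get(rtype)
        if attr and attrs.get(attr):
            hits.append((module, address, attr, attrs[attr]))
    return hits


def redact(value, keep=2):
    """Keep only a short prefix so the report does not leak the value again."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


# Constructed sample states (no real credentials).
SAMPLE_STATE_V3 = json.dumps({
    "version": 3,
    "modules": [{
        "path": ["root"],
        "resources": {
            "data.credstash_secret.ssh_key": {
                "type": "credstash_secret",
                "primary": {"attributes": {"name": "ssh_key.public",
                                           "value": "ssh-rsa AAAAexample"}},
            },
            "aws_iam_user.internal": {
                "type": "aws_iam_user",
                "primary": {"attributes": {"name": "internal"}},
            },
        },
    }],
})

SAMPLE_STATE_V4 = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "data", "type": "credstash_secret", "name": "db_password",
         "instances": [{"attributes": {"name": "db_password",
                                       "value": "hunter2-example"}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "internal",
         "instances": [{"attributes": {"user": "internal",
                                       "secret": "EXAMPLESECRETKEY"}}]},
    ],
})

if __name__ == "__main__":
    for sample in (SAMPLE_STATE_V3, SAMPLE_STATE_V4):
        for module, address, attr, value in find_plaintext_secrets(sample):
            print(f"{module}: {address}.{attr} = {redact(value)}")
```

Running it against a real state (`find_plaintext_secrets(open("terraform.tfstate").read())`) gives a quick inventory of what a state backend, and anyone with read access to it, is actually holding; extend `SECRET_ATTRS` with whatever other sensitive attributes your configuration produces.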

@gibbsoft
Author

gibbsoft commented Feb 13, 2017

I agree. I like the idea that passwords and keys are created, stored and used dynamically without humans ever knowing what they are. The problem with using a resource to create the secret and also a data source to read it is that it's difficult to avoid a cyclic dependency, whereas if the data source fails upon lookup and passes off to a script, the script can create the missing secrets in credstash and output the newly generated data via stdout which can be captured and used as the value for the data source.

@tmichel
Member

tmichel commented Feb 22, 2017

I still think that if we ever add the ability to store secrets via this provider then that must be a terraform resource. It would make sense in some cases to accept a value that is later stored in credstash. It would be pretty useful for AWS keys that are used for applications. That way you could generate them with terraform and store them in credstash without ever touching them or knowing their actual value.

@mrjavaguy

I too would like some way to store secrets with Terraform.

@qrkourier

I thought I needed this, but instead I used this approach to put a new version in the credential store whenever the resource is (re)created.

resource "aws_iam_access_key" "internal" { # resource header reconstructed from the references below
  user = "${aws_iam_user.internal.name}"

  provisioner "local-exec" {
    command = "credstash put -a internal_aws_secret_access_key ${aws_iam_access_key.internal.secret}"
  }
}

@vikas027

@qrkourier - I think one benefit is that terraform (0.12) hides the sensitive stuff like passwords for us in plan/apply which command will not.
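A check for the point made in the last two comments, as an added example that is not part of the thread, of Terraform, or of the provider: a small lint that finds `local-exec` provisioners whose `command` string interpolates a sensitive attribute. A value placed in `command` is echoed by the provisioner in apply output and is visible in the child process's argument list; passing it through the provisioner's `environment` map keeps it off the logged command line (it is still written to the state file, which the earlier comments cover). The scan uses a brace-matching pass rather than a full HCL parser, so it accepts both the 0.11 `"${...}"` syntax and 0.12 bare references. The sample configuration is constructed and uses 0.12 syntax; `value` is the assumed attribute name of the `credstash_secret` data source.

```python
"""Lint Terraform configs for local-exec commands that interpolate a secret.

Added example for this thread, not code from Terraform or the credstash
provider. Uses a small brace-matching pass instead of a full HCL parser.
"value" is the assumed attribute name of the credstash_secret data source.
"""
import re

# final attribute names treated as sensitive
SENSITIVE_ATTRS = {"secret", "password", "private_key", "value"}

PROVISIONER_RE = re.compile(r'provisioner\s+"local-exec"\s*\{')
COMMAND_RE = re.compile(r"^\s*command\s*=\s*(.*)$", re.MULTILINE)
# matches self.secret, aws_iam_access_key.internal.secret, data.credstash_secret.db.value
REF_RE = re.compile(r"\b((?:self|(?:data\.)?[a-z_]+\.[A-Za-z0-9_\-]+)\.([a-z_]+))\b")


def _block_body(text, open_idx):
    """Return the text between text[open_idx] == '{' and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in provisioner block")


def secret_refs(expr):
    """Return the references in expr whose final attribute looks sensitive."""
    return [m.group(1) for m in REF_RE.finditer(expr) if m.group(2) in SENSITIVE_ATTRS]


def lint_local_exec(hcl_text):
    """Return [(line_no, command, refs)] for commands that embed a secret."""
    findings = []
    for m in PROVISIONER_RE.finditer(hcl_text):
        body = _block_body(hcl_text, m.end() - 1)
        cmd = COMMAND_RE.search(body)
        if cmd is None:
            continue
        refs = secret_refs(cmd.group(1))
        if refs:
            line_no = hcl_text[:m.start()].count("\n") + 1
            findings.append((line_no, cmd.group(1).strip(), refs))
    return findings


# Constructed sample configuration (Terraform 0.12 syntax).
SAMPLE_TF = '''
resource "aws_iam_access_key" "internal" {
  user = aws_iam_user.internal.name

  provisioner "local-exec" {
    command = "credstash put -a internal_aws_secret_access_key ${aws_iam_access_key.internal.secret}"
  }
}

resource "aws_iam_access_key" "batch" {
  user = aws_iam_user.batch.name

  provisioner "local-exec" {
    # the value reaches credstash through the environment, so the logged command shows only $SECRET
    command = "credstash put -a batch_aws_secret_access_key \\"$SECRET\\""
    environment = {
      SECRET = self.secret
    }
  }
}
'''

if __name__ == "__main__":
    for line_no, command, refs in lint_local_exec(SAMPLE_TF):
        print(f"line {line_no}: command embeds {', '.join(refs)}")
```

Only the first provisioner is reported; the second one passes the key in `environment` and its command line carries nothing but `$SECRET`. Point `lint_local_exec` at the text of your `.tf` files to find the same pattern in a real configuration.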
