Reputation: 454
So I am trying to find some way to hide a secret in Terraform. The caveat is the secret is a Service Principal that is used to connect to our Key Vault. I can't store the secret in the Key Vault as it hasn't connected to the Key Vault yet at that point. This is part of my main tf file.

```hcl
provider "azurerm" {
  alias           = "kv_prod"
  version         = "1.28"
  tenant_id       = "<tenant id>"
  subscription_id = "<sub id>"
  client_id       = "<SP client id>"
  client_secret   = "<SP secret>"
}
```
This is used further down my module to store Storage Account keys and other secrets. It just happens to be in a Prod subscription that not everyone has access to.
Has anyone run into something like this? If so, how would you go about securing that secret?
Upvotes: 2
Views: 2269
Reputation: 5783
Terraform doesn't have this feature, but by using third-party integration it can be achieved.

Storing a secret in Terraform:

Terraform has an external data resource that can be used to run an external program and use the return value further. I have used the Ansible vault feature to encrypt and decrypt the secrets and store them encrypted in the repository rather than as plaintext.

```hcl
data "external" "mysecret" {
  program = ["bash", "-c", "${path.module}/get_ansible_secret.sh"]
  query = {
    var                 = "${var.secret_value}"
    vault_password_file = "${path.module}/vault-password.sh"
    # The file containing the secret we want to decrypt
    file                = "${var.encrypted_file}"
  }
}
```

Refer to the working example: github example
Upvotes: 1
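An added example, not taken from the answer above or its linked repository, of what a `get_ansible_secret.sh`-style program has to do to satisfy Terraform's `external` data source protocol, written here in Python: Terraform pipes the `query` map to the program as a JSON object on stdin and expects a flat JSON object of string values on stdout. The `run` parameter (so the call can be exercised without `ansible-vault` installed) and the output key `secret` are assumptions; `ansible-vault view --vault-password-file` is the real CLI invocation.

```python
#!/usr/bin/env python3
"""Terraform "external" data source wrapper around `ansible-vault view`.
Protocol: query JSON object on stdin -> result JSON object (strings only) on
stdout; any non-JSON text on stdout or a non-zero exit fails the plan."""
import json
import subprocess
import sys

# Keys the answer's query block passes that the decrypt step actually needs.
REQUIRED_KEYS = ("vault_password_file", "file")


def validate_query(query):
    """Reject malformed queries before anything is run (errors go to stderr)."""
    if not isinstance(query, dict):
        raise ValueError("query must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if not query.get(k)]
    if missing:
        raise ValueError("missing query keys: " + ", ".join(missing))
    # Terraform only sends string values; anything else means a wrong caller.
    bad = [k for k, v in query.items() if not isinstance(v, str)]
    if bad:
        raise ValueError("query values must be strings: " + ", ".join(bad))
    return query


def decrypt(query, run=subprocess.run):
    """Run ansible-vault; `run` is injectable (assumption) for offline testing."""
    cmd = ["ansible-vault", "view", "--vault-password-file",
           query["vault_password_file"], query["file"]]
    proc = run(cmd, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def build_result(secret):
    """Flat string map; read in HCL as data.external.mysecret.result["secret"]."""
    return {"secret": secret}


def main():
    try:
        query = validate_query(json.load(sys.stdin))
        print(json.dumps(build_result(decrypt(query))))
    except (ValueError, subprocess.CalledProcessError) as exc:
        # Never print the failure to stdout: Terraform would try to parse it.
        print(f"get_ansible_secret: {exc}", file=sys.stderr)
        sys.exit(1)


if __name__ == "__main__":
    main()
```

The decrypted value still lands in the Terraform state file, so treat the state backend as secret storage as well.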
Reputation: 454
Going to create an ADO pipeline to handle this instead where the code just does not have to be available.
Upvotes: 0
Reputation: 1153
@maltman There are several ways to hide a secret in terraform. Here is a blog that talks about them:
https://www.linode.com/docs/applications/configuration-management/secrets-management-with-terraform/
However, if you are only concerned about encrypting the secrets file while checking in and checking out from git, you can use something like git-crypt.

You would have to create a couple of files:

variables.tf -> Define your variables here

```hcl
variable "client_secret" {
  description = "Client Secret"
}
```

terraform.tfvars -> Give the value of the variable here

```hcl
client_secret = "your-secret-value"
```

Now use git-crypt to encrypt terraform.tfvars while checking into git.
Upvotes: 4
Reputation: 31462
For your requirements, I think there are two secure ways for you in comparison.

One is to store the credential as environment variables so that you do not expose the secret in the tf files. Here's the example.

The other is to log in with the credential for the Azure CLI; then you just need to set the subscription without exposing the secret in the tf file. Here's the example.

The above two ways are what I think is secure and possible for you. Hope it helps you.
Upvotes: 2