dopplerhq / terraform-provider-doppler Goto Github PK

It would be wonderful if there were some docs/examples on how to use the doppler provider with Terraform CDK

Hi,
due to enforcing AWS tags in our organization, we need to have the support of tags on doppler_secrets_sync_aws_secrets_manager (Resource).

Hi! We're currently switching from Amazon Secret Manager in K8s to Fly.io and we love the doppler integration. Only thing that bugs us is the clicked state in Doppler for the integration management. I'd love to see it being supported by the Terraform provider, so we can instantly populate the integration with the fly.io token coming from their Terraform provider.

Our current stack relies heavily on referencing secrets. I thought it was possible to create them via the terraform provider, because I saw the following sentence in the docs:

computed (String, Sensitive) The computed secret value, after resolving secret references
(https://registry.terraform.io/providers/DopplerHQ/doppler/latest/docs/resources/secret)

But I couldn't find any way to do this. I guess this is not yet supported?

Hi, Thank you so much for this service! I am definitely impressed with it.

Might I suggest the ability to create service tokens with this provider? I would like to be able to create them in terraform in inject them into certain resources.

Regards,
Zhak

Hi Doppler team,

The current Terraform provider would be significantly more useful if it were possible to create Project resources. This would make it more practical to adopt IaC best practices as currently requires a developer to manually create each Doppler project before being able to push secrets to it.

Thank you!

When a user applies an update to a doppler_secret resoruce and changes the project attribute, an update-in-place occurs. The new secret is provisioned as expected, however the old secret is not deleted.

The expected behavior is that if you update a secret resource and only the new secret will exist.

When multiple service tokens are created for the same config, the returned permission level during Terraform state refresh is incorrect.

Reproduce:

provider "doppler" {}

resource "doppler_project" "this" {
  name        = "test-project"
}

resource "doppler_environment" "environment" {
  project = doppler_project.this.name
  name    = "local"
  slug    = "local"
}

resource "doppler_service_token" "service_token_read" {
  project = doppler_project.this.name
  config  = doppler_environment.environment.slug
  name    = "read"
  access  = "read"

  depends_on = [
    doppler_environment.environment
  ]
}

resource "doppler_service_token" "service_token_write" {
  project = doppler_project.this.name
  config  = doppler_environment.environment.slug
  name    = "write"
  access  = "read/write"

  depends_on = [
    doppler_environment.environment
  ]
}

1. run terraform apply
2. run terraform apply again

The 1st run successfully creates the tokens with the required permission levels.
Response on the 2nd run:

Terraform will perform the following actions:

  # doppler_service_token.service_token_read must be replaced
-/+ resource "doppler_service_token" "service_token_read" {
      ~ access  = "read/write" -> "read" # forces replacement
      ~ id      = "test-project.local.73df0b0c-b6a1-4036-aa2a-6a379a0c675a" -> (known after apply)
      ~ key     = (sensitive value)
        name    = "read"
        # (2 unchanged attributes hidden)
    }

Hey,

I use Doppler with Terraform to create temporary environments where developpers can override a base config. So, I'll apply/destroy on a regular basis.

Everything works well when creating the resources, but when I destroy, I get the following error on doppler_config resource:

(I renamed resources and simplified the destroy plan)

  # doppler_config.example will be destroyed
  - resource "doppler_config" "example" {
      - environment = "dev" -> null
      - id          = "example-project.dev.dev_custom_env" -> null
      - name        = "dev_custom_env" -> null
      - project     = "example-project" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

doppler_config.example: Destroying... [id=example-project.dev.dev_custom_env]
doppler_config.example: Still destroying... [id=example-project.dev.dev_custom_env, 10s elapsed]
╷
│ Error: Doppler Error: Could not find requested config 'dev_custom_env'
│
│

The thing is, the resource is destroyed, but Terraform yields an error, its state is corrupted (since it "failed" to delete but it did it anyway) and the error still shows up.

More info on my setup:

> terraform --version
Terraform v1.3.2
...
doppler = {
  source  = "DopplerHQ/doppler"
  version = "1.1.6"
}

If you have any ideas where this can come from, I'm interested. Thanks!

I have a usage question which I can't seem to be able to figure out. Last week I was using the provider to only query the secrets on our account by using the doppler_secrets data source

data "doppler_secrets" "test" { }

This week I wanted to not only grab the secrets from Doppler but manage them through Terraform too. So what I did was add a couple of doppler_secret resources:

resource "doppler_secret" "elasticsearch" {
  project = "test"
  config  = var.environment
  name    = "endpoint"
  value   = "https://${var.elasticsearch_domain}"
}

Previously I had an output to my Doppler module like this:

output "apollo_secrets" {
  description = "List of all Doppler test project secrets"
  sensitive   = true
  value       = data.doppler_secrets.test.map
}

Now when I try to manage Doppler secrets using Terraform apparently the data object gets changed in a way in which it tries to replace all resources that are using the secrets (eg: Aurora databases since it thinks we have a new username,password).

Before this when we updated doppler secrets by hand on the website without using doppler_secret resources we didn't have this problem. Is there a way to solve this issue ? Is there a way to manage Doppler secrets and use the datasource without having Terraform think we're going to destroy everything?

Hi,

I was hoping to create a new Branch config with terraform. Equivalent of:

Here is my code: unfortunately this does not work because it creates a new environment with name dev_frontend instead of a branch frontend under dev:

resource "doppler_environment" "frontend" {
  project = local.doppler_project
  slug = "${var.environment}_frontend"
  name = "Frontend"
}

I think this might not be supported at this point so I'd love to request this as a feature.

The usage example in the README states that you pass in your token via the token parameter, but in actuality, you pass it in through the doppler_token parameter. I suggest updating the example since it threw me off as to why terraform kept asking for the token other than that awesome provider can't wait for the ability to upsert secrets.

Hi Doppler team,

we are using Doppler to create secrets via Terraform. Each project has around 30-40 secrets to create.
Occasionally the initial deployment (secret creation) fails with context deadline exceeded (Client.Timeout exceeded while awaiting headers) error. Subsequent runs work as expected.
Terroform is deployed via GitHub actions.

Please let me know if you need any further information. Thanks.

I attempted to import an existing Doppler project that has existing secrets in it that I'd rather not nuke and recreate:

$ terraform import doppler_project.aegn_host_common aegn_host_common

My expectation is that this should import the Doppler project with id aegn_host_common. Instead, I saw:

error: resource doppler_project doesn't support import

It looks like the provider needs support for imports. This is likely to be important in more serious environments than mine. It'd be worth considering adding!

Is there a plan to support valueType when creating secrets? Looking at the API docs here https://docs.doppler.com/reference/secrets-update

Thanks!

You have a Doppler Terraform Provider which has a group resource. It would be nice to have the ability to manage (add/remove) users from a group. This would be useful for us to manage access to groups programmatically via Terraform.

I'd love to use the new feature via Terraform. is it already planned or even possible at all to integrate? :)

When managing secrets, if terraform attempts to set a value for a secret that exists, but has an empty value (for example, when creating a resource for a new environment in an existing project), having a nil value for that secret leads the terraform provider to believe it doesn't have access to retrieve it, rather than correctly realizing the secret simply has an empty value.

Reproduction:

1. Create a new environment in an existing project.
2. Create a secret in an existing environment via terraform.
3. Change the secret to point to the new project instead (note that when I did this, I had separate tokens for each of the two projects, with separate terraform configs).
4. Run terraform apply.

Example of the error:

╷
│ Error: One or more secret fields are restricted: [raw computed]. You must use a service account or service token to manage these resources. Otherwise, Terraform cannot fetch these restricted secrets to check the validity of their state.
│
│   with doppler_secret.cnpg_backup_key_bitty,
│   on b2_bitty_cnpg_backup_bucket.tf line 12, in resource "doppler_secret" "cnpg_backup_key_bitty":
│   12: resource "doppler_secret" "cnpg_backup_key_bitty" {
│
╵

Remediations attempted:

• Using a personal token
• Upgrading to teams and using a service account

Successful remediation:
To fix this broken state, I had to set a bogus password value "asdf" through the UI, and then re-run terraform apply.

Provider Configs:

variable "doppler_token" {
  type = string
}

provider "doppler" {
  doppler_token = var.doppler_token
}

provider "doppler" {
  doppler_token = data.doppler_secrets.tf_read.map.DOPPLER_BITTY_WRITE_TOKEN
  alias         = "bty_write"
}

provider "doppler" {
  doppler_token = data.doppler_secrets.tf_read.map.DOPPLER_CHONGUS_WRITE_TOKEN
  alias         = "cho_write"
}

data "doppler_secrets" "tf_read" {
  project = "tf-at-home"
  config  = "prd"
}

relevant secret entry:

resource "doppler_secret" "cnpg_backup_key_bitty" {
  provider = doppler.bty_write
  project  = "k8s-at-home"
  config   = "bty"
  name     = "CNPG_BACKUP_BACKBLAZE_BUCKET"
  value = jsonencode({
    "application_key_id" = module.bb_bucket_k8s_bitty_rtrox_io_cnpg_backup.application_keys["k8s-bitty-rtrox-io-cnpg-backup"].application_key_id,
    "application_key"    = module.bb_bucket_k8s_bitty_rtrox_io_cnpg_backup.application_keys["k8s-bitty-rtrox-io-cnpg-backup"].application_key
    "endpoint"           = module.bb_bucket_k8s_bitty_rtrox_io_cnpg_backup.bucket.endpoint
    "bucket"             = module.bb_bucket_k8s_bitty_rtrox_io_cnpg_backup.bucket.bucket_name
  })
}

This is the relevant code, it seems to naively assume that a nil value means it doesn't have access:

Which license is this provided under? I've made NixOS/nixpkgs#250556 but the question has been raised regarding which license this provider uses, as in my original commits for the PR I had assumed it was under MPL. If I could get some clarification it'd be much appreciated, thank you.

Hey 👋 Any plans to support a tflint plugin for doppler?

It may already be possible to do this, so this might just be an ask for some documentation!

My current terraform configuration needs to use secrets from multiple separate doppler projects via separate doppler tokens. Is there a recommended way to do that? I imagine you can use multiple provider configurations with different aliases, but I'm not clear on how the data "doppler_secrets" "this" {} block would refer to one or the other provider.

Hi,
I think I noticed a weird behaviour. I was renaming secrets, because of a fail I did and then noticed that both secrets exist in my doppler project. Is there a reason you don't delete the old one?

I'd love to be able to add some secret metadata using the "Notes" feature using the Terraform provider. The use case would be marking certain secrets as being managed by TF as opposed to manually entered. e.g.

resource "doppler_secret" "managed_secrets" {
  for_each = {
    "my_secret_1" = "foo", 
    "my_secret_2" = "bar"
  }
  project  = "my-project"
  config   = "prod"
  name     = each.key
  value    = each.value
  note     = "DO NOT EDIT - Managed by Terraform"
}

Hello. Just started working with doppler but managed to hit a nasty bug. Every time I try to create multiple secret resources, they simply don't show up in the Doppler web UI. Here, for example, I have 11 secrets but running terraform apply only creates maybe 3 of them and always in some random order. Running terraform apply multiple times will actually create all the secrets eventually.

Weirdly enough, If I declare them explicitly without the for_each loop and add dependencies for one another so that the secrets wouldn't be made in parallel, works fine

resource "random_password" "app_key" {
  length = 32
}

resource "random_password" "db_password" {
  length = 32
}

resource "random_password" "jwt_secret" {
  length = 32
}

resource "doppler_secret" "secret" {
  for_each = tomap({
    APP_KEY = random_password.app_key.result
    JWT_SECRET = random_password.jwt_secret.result

    HOST = "0.0.0.0"
    PORT = 3333
    CACHE_VIEWS = false

    DB_CONNECTION = "pg"

    PG_HOST = "postgresql"
    PG_PORT = 5432
    PG_USER = "root"
    PG_PASSWORD = random_password.db_password.result
    PG_DB_NAME = "crushtime"
  })
  project = "crushtime-api"
  config = "stg"
  name = each.key
  value = each.value
}

Pasarjackpot

I have some Terraform code that gives our CI/CD service access to each environment for a project.

resource "doppler_project_member_service_account" "ci_cd" {
  for_each = var.ci_cd_sa_slug != null ? var.tenant_environment_map : {}

  project              = doppler_project.this[each.key].name
  service_account_slug = var.ci_cd_sa_slug
  role                 = "viewer"
  environments         = sort(keys(each.value))
}

This code creates the service account association just fine...except that environments takes a set, and the ordering of the set determines whether the resource should be replaced.

  ~ resource "doppler_project_member_service_account" "ci_cd" {
      ~ environments         = [
          + "dev",
          + "dev2",
          + "dev3",
            "prod",
            "stg",
          - "dev3",
          - "dev2",
          - "dev",
            "test",
        ]
        id                   = "paradox-olivia-media.service_account.ed8dc790-163b-424d-a16e-b769ab48359e"
        # (3 unchanged attributes hidden)
    }

As you can see, Terraform wants to update this resource in-place to change the ordering. However, Doppler continues to use whatever ordering it wants after the Terraform is applied, so the code is not idempotent and Terraform always reports changes. My assumption is Doppler sorts the set some other way, such as a slug/GUID/etc for the environment, and therefore the API always reports changes because it sorts in that order.

So that leaves my options as either:

• Figure out how Doppler is sorting my environments on a per-environment basis for every single project and always pass in the environments in that order in the Terraform, which requires overriding my set order for all of them (ugh).
• Use an ignore_changes lifecycle hook, and comment/uncomment this as needed to add, update, or remove environments for my projects (also ugh).

I'm open to workarounds if any exist, but I would consider this a bug because Terraform runs should be idempotent and this resource seems to be quite opinionated about what order items are passed into the set and ignores the user's ordering.

I had a project with a few envs and configs, created by terraform.
Then I added secrets in configs and github integration.
At some point I decided to rename the project in terraform. Terraform did rename the project but also re-created all envs/configs. So all secrets were removed, and integrations were as well.

Example code:

resource "doppler_project" "project1" {
  name        = "project1"
}

resource "doppler_environment" "prod" {
  project = doppler_project.project1.name
  slug    = "prod"
  name    = "prod"
}

# config for prod-gh
resource "doppler_config" "prod_gh" {
  project     = doppler_project.project1.name
  environment = doppler_environment.prod.slug
  name        = "${doppler_environment.prod.slug}_gh"
}

Then I renamed prod environment to prd:

resource "doppler_environment" "prod" {
  project = doppler_project.project1.name
  slug    = "prd"
  name    = "prd"
}

This caused prod_gh config to be re-created and all secrets in it were removed as well.

Expected behavior: envs updated in-place(renamed), without impact on configs.

Support Expiration on doppler_service_token

Hi, I'm in the process of creating modules for my team to use and noticed that I'm unable to import AWS Parameter Store integrations and secrets sync. This is a bit of a blocker, since we have quite a few configured and would rather import than delete and re-create.

terraform import 'module.aws_ps_integrations["doppler_dev"].doppler_integration_aws_parameter_store.this[0]' "Doppler DEV"

│ Error: resource doppler_integration_aws_parameter_store doesn't support import

The same error for Secrets Sync (not sure what would be used to import though)

Would it be possible to add them as I'm sure others with more extensive integration and sync would appreciate this.

We have a use case for adding a static set of IP addresses to the Trusted IPs of all of our configs. For this, it would be very helpful to be able to manage trusted IPs when deploying configs via Terraform.

Example:

resource "doppler_config" "this" {
  project = "my-project"

  environment = "dev"
  name        = "dev"
  
  trusted_ips = [ "1.2.3.4", "5.6.7.8" ]
}

This would prevent us inventing some complicated workaround or automation logic, which would also likely reduce unnecessary API calls to the Add endpoint.

Hello! This issue is forked from #14.

When I run terraform apply to create a new project with provider 1.2.2 like this:

terraform {
  required_providers {
    doppler = {
      source = "DopplerHQ/doppler"
    }
  }
}

variable "doppler_token" {
  type = string
}

provider "doppler" {
  doppler_token = var.doppler_token
}

resource "doppler_project" "alexmuller-test-6" {
  name = "alexmuller-test-6"
  description = "testing"
}

using a dp.pt personal token, the Terraform process errors with:

Error: Doppler Error: You do not have access to this project.

However the project does get created (but not stored in terraform.tfstate because of the error?)

I can request it over the HTTP API using the same token:

http https://api.doppler.com/v3/projects/project\?project\=alexmuller-test-6 "Authorization:Bearer dp.pt.redacted"
HTTP/1.1 200 OK

{
    "project": {
        "created_at": "2023-06-27T08:50:37.655Z",
        "description": "testing",
        "id": "alexmuller-test-6",
        "name": "alexmuller-test-6",
        "slug": "alexmuller-test-6"
    },
    "success": true
}

Is this maybe some kind of race condition where Terraform tries to verify the project creation quickly after creation, and the API doesn't have the project fully created?

2023-06-27T09:50:37.300+0100 [DEBUG] provider: using plugin: version=5
2023-06-27T09:50:37.300+0100 [DEBUG] provider.terraform-provider-doppler_v1.2.2: plugin address: address=/var/folders/w7/p2sy_p9x7d9cjpsznc91yh4r0000gq/T/plugin4251998933 network=unix timestamp=2023-06-27T09:50:37.300+0100
2023-06-27T09:50:37.307+0100 [WARN]  ValidateProviderConfig from "provider[\"registry.terraform.io/dopplerhq/doppler\"]" changed the config value, but that value is unused
doppler_project.alexmuller-test-6: Creating...
2023-06-27T09:50:37.310+0100 [INFO]  Starting apply for doppler_project.alexmuller-test-6
2023-06-27T09:50:37.310+0100 [DEBUG] doppler_project.alexmuller-test-6: applying the planned Create change
2023-06-27T09:50:37.874+0100 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2023-06-27T09:50:37.874+0100 [ERROR] vertex "doppler_project.alexmuller-test-6" error: Doppler Error: You do not have access to this project.
╷
│ Error: Doppler Error: You do not have access to this project.
│
│   with doppler_project.alexmuller-test-6,
│   on main.tf line 18, in resource "doppler_project" "alexmuller-test-6":
│   18: resource "doppler_project" "alexmuller-test-6" {
│
╵
2023-06-27T09:50:37.888+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-06-27T09:50:37.889+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/dopplerhq/doppler/1.2.2/darwin_arm64/terraform-provider-doppler_v1.2.2 pid=14229
2023-06-27T09:50:37.889+0100 [DEBUG] provider: plugin exited

A new exciting feature was released by doppler to enable the use of service accounts. This is great really. I would like to be able to configure the same using terraform.

https://docs.doppler.com/docs/service-accounts

When trying to create an AWS Parameter Store Secrets Sync resource with multiple environments, the creation errors out with the following error message:

module.aws_ps_syncs["ap_southeast_2"].doppler_secrets_sync_aws_parameter_store.this[0]: Creating...
module.aws_ps_syncs["ap_southeast_2"].doppler_secrets_sync_aws_parameter_store.this[0]: Still creating... [10s elapsed]
╷
│ Error: Doppler Error: Unable to determine initial sync status, the operation might just be taking a long time. Please check the Doppler dashboard for more information.
│
│   with module.aws_ps_syncs["ap_southeast_2"].doppler_secrets_sync_aws_parameter_store.this[0],
│   on ../../../modules/secrets_syncs/aws_parameter_store/main.tf line 1, in resource "doppler_secrets_sync_aws_parameter_store" "this":
│    1: resource "doppler_secrets_sync_aws_parameter_store" "this" {
│

The sync gets created in Doppler and shows in sync, but the Terraform state file does not get updated so Terraform wants to create the resource again, which fails because the sync already exists:

module.aws_ps_syncs["ap_southeast_2"].doppler_secrets_sync_aws_parameter_store.this[0]: Creating...
╷
│ Error: Doppler Error: There is already an existing integration for this setup.
│
│   with module.aws_ps_syncs["ap_southeast_2"].doppler_secrets_sync_aws_parameter_store.this[0],
│   on ../../../modules/secrets_syncs/aws_parameter_store/main.tf line 1, in resource "doppler_secrets_sync_aws_parameter_store" "this":
│    1: resource "doppler_secrets_sync_aws_parameter_store" "this" {
│

Increasing the sync check time should resolve the issue or perhaps adding a timeout function (https://developer.hashicorp.com/terraform/language/resources/syntax#operation-timeouts).

https://139.162.102.108/home/index

Feature request:

In the Doppler interface, you can place locks on secrets, it would be nice to set locks on secrets from the Terraform provider to ensure removing/changing a resource doesn't cause accidental removal.

Example

resource "doppler_secret" "db_password" {
  project = "backend"
  config = "dev"
  name = "DB_PASSWORD"
  value = random_password.db_password.result

  lock = true
}

To be able to remove the resource the lock = true needs to be changed to false

When creating a project using the webapp, it comes preloaded with 3 environments (called configs in terraform for some reason...). However, when I make a project with the terraform provider, those environments are not automatically created. Why?

Here's me attempting to make a project and a test secret in the dev environment:

                     # doppler_project.api-server (api-server) will be created
                     + resource "doppler_project" "api-server" {
                   + id   = (known after apply)
                   + name = "api-server"
                   }
goldsky-infra-dev    # doppler_secret.api-server-secret (api-server-secret) will be created
                     + resource "doppler_secret" "api-server-secret" {
                   + computed = (sensitive value)
                   + config   = "dev"
                   + id       = (known after apply)
                   + name     = "paymahn"
                   + project  = "api-server"
                   + value    = (sensitive value)

here's that command erroring out:

goldsky-infra-dev  ╷
                   │ Error: Doppler Error: Could not find requested config 'dev'
                   │
                   │   with doppler_secret.api-server-secret (api-server-secret),
                   │   on cdk.tf.json line 1247, in resource.doppler_secret.api-server-secret (api-server-secret):
                   │ 1247:       }
                   │

Here's a screenshot from the webapp showing that these three envs are automatically created for projects made with the webapp.

It's possible to create a service account with the doppler_service_account, but is there a way to create an API token for the service account? I couldn't find it in the documentation or the source code.

Having more specific documentation for the workplace_permissions param on the doppler_service_account resource would also be nice. I was able to get the actual values by making a request from the web app and inspecting the payload.

As I understand from the Kubernetes documentation the kubernetes.io/tls only difference is enforcing DER standards and that the key/cert is present. So consider this as a nice-to-have feature request.

Current code only supports Opaque Kubernetes secrets.
https://github.com/DopplerHQ/kubernetes-operator/blob/98ce8ccbefada12a4fa2ebff778f311059cbec5a/controllers/dopplersecret_controller_secrets.go#L196
Having the operator create kubernetes.io/tls when a certificate is present would be nice!

I'd love to be able to add team members and their permissions using the Terraform provider (similar to the Github collaborator), e.g.

data "doppler_collaborators" "petermerkert" {
  name = "[email protected]"
  role = "Collaborator"
}

resource "doppler_projects_member" "project_membership" {
  project  = "my-project"
  name = data.doppler_collaborators.petermerkert.id
  role = "Collaborator"
  environments = ["Developmernt", "Testing"]
}