
terraform-provider-infisical's Introduction

Infisical Terraform Provider

Usage

terraform {
  required_providers {
    infisical = {
      # version = <latest version>
      source = "infisical/infisical"
    }
  }
}

provider "infisical" {
  host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
  client_id     = "<>"
  client_secret = "<>"
}

data "infisical_secrets" "common-secrets" {
  env_slug     = "dev"
  workspace_id = "PROJECT_ID"
  folder_path  = "/some-folder/another-folder"
}

data "infisical_secrets" "backend-secrets" {
  env_slug     = "prod"
  workspace_id = "PROJECT_ID"
  folder_path  = "/"
}

output "all-project-secrets" {
  value = data.infisical_secrets.backend-secrets
}

output "single-secret" {
  value = data.infisical_secrets.backend-secrets.secrets["SECRET-NAME"]
}
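The README example above hardcodes the machine-identity credentials and emits secrets through plain outputs. The following is an added example, not code from the provider README, showing the same provider and data-source setup with credentials supplied as sensitive variables and the secret-bearing output marked sensitive so Terraform redacts it in plan and apply output; the variable names are assumptions.

```hcl
# Added example (not from the provider README). Variable names are assumptions.
# Credentials come in as sensitive variables (e.g. via TF_VAR_infisical_client_id
# and TF_VAR_infisical_client_secret) instead of literals committed to the repo.
variable "infisical_client_id" {
  type      = string
  sensitive = true
}

variable "infisical_client_secret" {
  type      = string
  sensitive = true
}

provider "infisical" {
  host          = "https://app.infisical.com" # only needed for a self-hosted instance
  client_id     = var.infisical_client_id
  client_secret = var.infisical_client_secret
}

data "infisical_secrets" "backend-secrets" {
  env_slug     = "prod"
  workspace_id = "PROJECT_ID"
  folder_path  = "/"
}

# Without sensitive = true the secret value is printed verbatim at apply time.
# The state file still stores it in plaintext either way, so the state backend
# needs encryption and access control regardless of this flag.
output "single-secret" {
  value     = data.infisical_secrets.backend-secrets.secrets["SECRET-NAME"]
  sensitive = true
}
```

Terraform reads `TF_VAR_<name>` environment variables for variable values, so the credentials never need to appear in a `.tf` or `.tfvars` file.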

Development

Tutorials for creating Terraform providers can be found on the HashiCorp Learn platform. Terraform Plugin Framework specific guides are titled accordingly.

Requirements

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (see Requirements above).

To compile the provider, run go install. This will build the provider and put the provider binary in the $GOPATH/bin directory.

To generate or update documentation, run go generate.

In order to run the full suite of Acceptance tests, run make testacc.

Note: Acceptance tests create real resources, and often cost money to run.

make testacc

terraform-provider-infisical's People

Contributors

austinvalle, bendbennett, bflad, bookshelfdave, danielhougaard, dependabot[bot], hashicorp-copywrite[bot], jon-ruckwood, maidul98, paddycarver, radeksimko, vravind1

terraform-provider-infisical's Issues

Secret UPDATE not working

Execute the following Terraform command:

terraform apply --var INFISCAL_TOKEN=$(infisical service-token create --scope='dev:/SETUPTOOLS/**' --access-level=read --access-level=write -e 100 --token-only)

with the following configuration:

provider "infisical" {
  alias         = "infiscal"
  host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
  service_token = var.INFISCAL_TOKEN
}

terraform {
  required_providers {
    infisical = {
      # version = <latest version>
      source = "infisical/infisical"
    }

    htpasswd = {
      source = "loafoe/htpasswd"
    }
  }
}

resource "random_password" "password" {
  length = 30
}

resource "random_password" "salt" {
  length = 8
}

resource "htpasswd_password" "hash" {
  password = random_password.password.result
  salt     = random_password.salt.result
}


resource "infisical_secret" "twine_username" {
  provider    = infisical.infiscal
  name        = "TWINE_USERNAME"
  value       = "opti-pypi"
  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}


resource "infisical_secret" "twine_password" {
  provider = infisical.infiscal

  name = "TWINE_PASSWORD"

  value       = random_password.password.result
  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}



resource "infisical_secret" "twine_htpasswd" {
  provider = infisical.infiscal

  name  = ".htpasswd"
  value = "${infisical_secret.twine_username.value}:${htpasswd_password.hash.apr1}"

  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}

It works on the first run without issues.
Now change value = "opti-pypi" to something like value = "opti".

Reapply with the same command, and I'm getting the following errors:

infisical_secret.twine_username: Modifying... [name=TWINE_USERNAME]
╷
│ Error: Error updating secret
│ 
│   with infisical_secret.twine_username,
│   on 30-infisical-pwd.tf line 15, in resource "infisical_secret" "twine_username":
│   15: resource "infisical_secret" "twine_username" {
│ 
│ Couldn't save encrypted secrets to Infiscial, unexpected error: CallUpdateSecretsV3: Unsuccessful response. Please make sure your secret path, workspace and
│ environment name are all correct [response={"type":"bad_request","message":"Missing encrypted
│ key","context":{},"level":30,"level_name":"INFO","status_code":400,"datetime_iso":"2024-01-21T14:45:54.890Z","application":"unknown","extra":[]}]
╵
failed to wait for command termination: exit status 1

Secret Referencing not working?

I've been trying to get secret referencing working using the Terraform provider.

I have a Service Token with the scopes set to /** which should be able to access all the secrets.

Next, I have two folders, A and B.
In the folder A I have a secret named FOO with a value of secret.
I reference this secret in folder B like ${dev.A.FOO}.

However, in terraform the output of the secret is not interpolated.

data "infisical_secrets" "test" {
  env_slug    = "dev"
  folder_path = "/B"
}

output "foo" {
  value = data.infisical_secrets.test.secrets
}

Outputs:

foo = tomap({
  "ANOTHER_FOO" = {
    "comment" = ""
    "secret_type" = "shared"
    "value" = "${dev.A.FOO}"
  }
})

Using the CLI I can verify that it works:

infisical run --env=dev --path=/B -- env | grep foo
ANOTHER_FOO=secret

I simplified the example a bit; in my case folder B would be nested an additional level, but the secret referencing should work no matter the level of nesting 🤔

In the docs, it is stated that secret referencing is working in all the native integrations. Is the terraform provider a native integration?

Add infisical_secret_imports resource

Feature Description

Currently, only infisical_secrets resource exists. The goal of this feature would be to implement an infisical_secret_imports resource.

Why would it be useful?

To create a complete secrets architecture from Terraform.

Add infisical_folder resource

Feature Description

Currently, only infisical_secrets resource exists. If you try to create a secret in a folder that doesn't exist, an error will be thrown. The goal of this feature would be to implement an infisical_folder resource.

Why would it be useful?

To create a complete secrets architecture from Terraform.

`terraform apply` fails when secret was created in previous run

Steps to reproduce

  • Define a secret
  • Apply changes (everything is fine up to this point)
  • Apply changes again (e.g. when database creds are changed) and things will not be fine, as Infisical cannot update secrets.

resource "infisical_secret" "DATABASE_URI" {
  name        = "DATABASE_URI"
  value       = "postgres://${neon_role.db_owner.name}:${neon_role.db_owner.password}@${neon_project.default.branch.endpoint.host}:5432"
  env_slug    = "dev"
  folder_path = "/"
  depends_on = [
    neon_project.default,
    neon_role.db_owner,
  ]
}

Expected behavior

  • Update secrets instead of strictly not-null checking

Error

 Error: Error creating secret
│ 
│   with infisical_secret.DATABASE_URI,
│   on main.tf line 86, in resource "infisical_secret" "DATABASE_URI":
│   86: resource "infisical_secret" "DATABASE_URI" {
│ 
│ Couldn't save encrypted secrets to Infiscial, unexpected error:
│ CallCreateSecretsV3: Unsuccessful response. Please make sure your secret
│ path, workspace and environment name are all correct
│ [response={"type":"bad_request","message":"Failed to create secret that
│ already
│ exists","context":{},"level":30,"level_name":"INFO","status_code":400,"datetime_iso":"2024-01-27T16:44:30.084Z","application":"unknown","extra":[]}]
╵
Operation failed: failed running terraform apply (exit 1)

Related: #31
