The secret provider has one mission: store secrets in the Terraform state.

Please be careful about your security stance before adopting this!

The main goal of this provider is that a lot of time, terraform contains secrets in it's state file anyways. Instead of putting them in the repo and the loading them with "${file("./secret")}" why not import them directly into the state file?

When using a remote state file, the state is automatically distributed with the new secret which makes key rotation easier.

This is a better solution than storing secrets in Git. Look at adopting Hashicorp Vault in the longer term.

• Terraform 0.12.x
• Go 1.11 (to build the provider plugin)

1. Follow these instructions to setup a Golang development environment.
2. Use go get to pull down this repository and compile the binary:

go get -u -v github.com/tweag/terraform-provider-secret

The binary will be placed in $GOPATH/bin or $HOME/go/bin if $GOPATH is not set.

If you are lucky enough to use Nix, it's already part of the full terraform distribution:

nix-env -iA nixpkgs.terraform-full

Clone the repository:

$ git clone [email protected]:tweag/terraform-provider-secret

Enter the provider directory and build the provider

$ cd terraform-provider-secret
$ GO111MODULE=on go build

• Copy the terraform-provider-secret binary to ~/.terraform.d/plugins (recommended) or any location specified by Terraform documentation.

• Add the line provider "secret" {} line to main.tf To prevent warnings, you may optionally add a version lock to the provider entry in the form of provider "secret" { version = "~> X.Y"} where X.Y is the version you wish to pin. Note that when the binary is built no version suffix is specified; you will need to manually add _vX.Y to the provider binary unless you directly use release from Github.

• Run terraform init.

Schema:

• value, string: Returns the value of the secret

Here we declare a new resource that will contain the secret.

resource "secret_resource" "datadog_api_key" {
  lifecycle {
    # avoid accidentally loosing the secret
    prevent_destroy = true
  }
}

To populate the secret, run

terraform import secret_resource.datadog_api_key TOKEN

where TOKEN is the value of the token.

Or to import from a file:

terraform import secret_resource.datadog_api_key "$(< ./datadog-api-key)"

Once imported, the secret can be accessed using secret_resource.datadog_api_key.value

terraform state rm secret_resource.datadog_api_key
terraform import secret_resource.datadog_api_key NEW_TOKEN

The secret values can only contain UTF-8 encoded strings. If the secret is a binary key, a workaround it to encode it first as base64, then use the terraform base64decode() function on usage.

Eg:

terraform import secret_resource.my_binary_key "$(base64 ./binary-key)"

Then on usage:

resource "other_resource" "xxx" {
  secret = base64decode(secret_resource.my_binary_key.value)
}

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.8+ is required). You'll also need to correctly setup a GOPATH, as well as adding $GOPATH/bin to your $PATH.

To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.

$ make bin
...
$ $GOPATH/bin/terraform-provider-secret
...

In order to test the provider, you can simply run make test.

$ make test

In order to run the full suite of Acceptance tests, run make testacc.

Note: Acceptance tests create real resources, and often cost money to run.

$ make testacc

• https://github.com/carlpett/terraform-provider-sops - allows to decode in-repo secrets on the fly.

This work is licensed under the Mozilla Public License 2.0. See LICENSE for more details.

This work has been sponsored by Digital Asset and Tweag I/O.

This repository is maintained by Tweag I/O

Have questions? Need help? Tweet at @tweagio.