DopplerHQ / terraform-provider-doppler

Apache License 2.0

Secret Referencing #44

Open fermentfan opened 1 year ago

fermentfan commented 1 year ago

Our current stack relies heavily on referencing secrets. I thought it was possible to create them via the terraform provider, because I saw the following sentence in the docs:

computed (String, Sensitive) The computed secret value, after resolving secret references (https://registry.terraform.io/providers/DopplerHQ/doppler/latest/docs/resources/secret)

But I couldn't find any way to do this. I guess this is not yet supported?

nmanoogian commented 1 year ago

Hi @DennisVonDerBey,

Thanks for reaching out! You should be able to set secrets with references using the value field. For example,

resource "random_password" "db_password" {
  length  = 32
  special = true
}

resource "doppler_secret" "db_password" {
  project = "backend"
  config  = "dev"
  name    = "DB_PASSWORD"
  value   = random_password.db_password.result
}

resource "doppler_secret" "db_url" {
  project = "backend"
  config  = "dev"
  name    = "DB_URL"
  value   = "app-user:$${${doppler_secret.db_password.name}}@localhost"
  # The secret will be saved to Doppler as `app-user:${DB_PASSWORD}@localhost`.

  # This could also be written with the name literal `DB_PASSWORD`.
  # The value would be the same but we'd have to explicitly list the dependent secret.

  # value = "app-user:$${DB_PASSWORD}@localhost"
  # depends_on = [
  #   doppler_secret.db_password
  # ]
}

output "computed" {
  # Demonstration purposes only; sensitive values should never be printed.
  value = nonsensitive(doppler_secret.db_url.computed)
  # This will print the secret value with the references "rendered", for example: `app-user:PhA8mPwx4VFvSzhhtBfy8@localhost`
}

As you've likely seen, Doppler uses the "dollar curly" syntax for references (e.g. ${REFERENCE}). HCL uses the same syntax so we have to escape the first dollar curly so it makes it into Doppler in the appropriate format (app-user:$${${doppler_secret.db_password.name}}@localhost).

Does this answer your question? Let me know if there's anything I can clarify.

fermentfan commented 1 year ago

Thank you for the help! I was totally not thinking it would be so simple 😅 I now tried it out for the first time and I have one suggestion:

In your example you're using a reference to a secret in the same project config. We most often reference secrets in other projects and thus need to reference the full path, which is kind of cumbersome. I'd love it if the secrets themselves exposed a kind of FQDN with the full address including the project and config.

nmanoogian commented 1 year ago

That's an interesting idea and a very good point. To reference a fully qualified secret in another project, you'd end up needing to do:

value   = "app-user:$${${doppler_secret.db_password.project}.${doppler_secret.db_password.config}.${doppler_secret.db_password.name}}@localhost"

Cumbersome to say the least!
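One way to keep the fully qualified form readable today is to assemble the `project.config.NAME` path and the escaped `${...}` wrapper once in `locals` and reuse the result. This is an added example, not code from the thread or from the provider's documentation; the `backend`/`frontend` projects, the `dev` config and the secret names are assumptions.

```hcl
resource "random_password" "db_password" {
  length  = 32
  special = true
}

resource "doppler_secret" "db_password" {
  project = "backend"
  config  = "dev"
  name    = "DB_PASSWORD"
  value   = random_password.db_password.result
}

locals {
  # "backend.dev.DB_PASSWORD": the cross-project form Doppler expects.
  # Reading the resource's attributes (rather than typing the literal name)
  # also records the dependency, so consumers need no depends_on.
  db_password_fqn = join(".", [
    doppler_secret.db_password.project,
    doppler_secret.db_password.config,
    doppler_secret.db_password.name,
  ])

  # "$${" is HCL's escape for a literal "${", so this local evaluates to the
  # plain string ${backend.dev.DB_PASSWORD}, which Doppler treats as a reference.
  db_password_ref = "$${${local.db_password_fqn}}"
}

resource "doppler_secret" "db_url" {
  project = "frontend" # assumed to be a different project, hence the full path
  config  = "dev"
  name    = "DB_URL"
  # Normal HCL interpolation of the local; the result is not re-parsed by HCL,
  # so it is stored in Doppler as: app-user:${backend.dev.DB_PASSWORD}@localhost
  value = "app-user:${local.db_password_ref}@localhost"
}
```

The stored value still contains no secret material; Doppler resolves the reference when `computed` is read, so keep treating that attribute as sensitive.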