Open mikeoleary opened 3 years ago
One thing I do when building my pipelines is to generate the sensitive files on the Jenkins server workspace. Pass the file as a parameter, then when the job is done destroy the workspace. And using JQ its so simple to add/modify the json files. This style lends itself to almost any resource that takes a json parameter file.
Most of the file resources will take a file like @myparams.json or as a flat json string.
jq '. += {"name": "value","VIP":"10.0.0.1"}'
To update/create json
Or pass in as compact string {"name":"value","VIP":"10.0.0.1"}
Bradley Corner bc80921@gmail.com
On Mar 2, 2021, at 3:58 PM, mikeoleary notifications@github.com wrote:
Environment
TMOS/Bigip Version:
Terraform Version: 0.14.7 (latest at time of writing)
Terraform bigip provider Version: 1.7.0 (latest at time of writing)
Summary
My customer had a security concern: the resource "bigip_bigiq_as3" requires the argument "as3_json" to be a declaration that exists as a file on disk. My customer has some sensitive values to input into the AS3 declaration and does not want this to exist as a file on disk at any point in time.
The documentation https://registry.terraform.io/providers/F5Networks/bigip/latest/docs/resources/bigip_bigiq_as3#as3_json for our provider states that the argument requires a file:
as3_json - (Required) Path/Filename of Declarative AS3 JSON which is a json file used with builtin file function
After typing this up and almost submitting an issue, the customer tried to just provide the data as the rendered content of his template_file, and his AS3 declaration via BIG-IQ was successful. This is great, as the file does not need to exist on disk. Additionally, his sensitive values are not output to the console as they were when they were in the file.
Our questions are:
Can you confirm that this method is still supported? He is not required to use a file on disk for his AS3 declaration, right?
Can you update the documentation on the Terraform provider to explain this? This probably applies to the resource of type "bigip_as3" as well as "bigip_bigiq_as3", and probably "bigip_do" also.
Thanks @bcorner13 for the advice. They aren't using Jenkins but do have a pipeline tool so they'll read your advice and see that as an option for input.
After speaking with this customer, I think this issue is mostly about the documentation of the provider. It would probably help our customers if we documented that as an option, or at least provided an example that did not require a file on disk, so that they are not led down the path of creating local files for each AS3 and DO declaration. Especially since their sensitive values are not treated as sensitive after they are written to the local_file.
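The two approaches discussed in this thread (building the declaration in Terraform itself so it never exists as a file, and handing Terraform a compact JSON string produced by the pipeline with jq) as an added example that is not code from the issue, the F5 provider docs, or the customer's configuration. It assumes only the resource type "bigip_bigiq_as3" and its "as3_json" argument as named above; the resource's BIG-IQ connection arguments are omitted and must come from your own config, and the AS3 field names (Tenant, Application, Monitor with a Secret-type passphrase) follow the AS3 schema rather than anything in the issue. All addresses and names are constructed sample values.

```hcl
# Added example, not from the issue thread or the F5 provider docs.
# Assumed: resource "bigip_bigiq_as3" with argument "as3_json" (from the thread);
# any BIG-IQ connection arguments the resource needs are omitted here.
# AS3 field names follow the AS3 schema, not the issue text.

terraform {
  required_version = ">= 0.14"
  required_providers {
    bigip = {
      source  = "F5Networks/bigip"
      version = "~> 1.7"
    }
  }
}

# The secret enters as a sensitive input variable (Terraform >= 0.14), so
# plan/apply output redacts it and nothing is ever written to a local_file.
variable "monitor_password" {
  type      = string
  sensitive = true
}

# Variant A: build the declaration in HCL. jsonencode() yields the JSON
# string that as3_json accepts, so no file on disk is involved.
locals {
  as3_declaration = jsonencode({
    class  = "AS3"
    action = "deploy"
    declaration = {
      class         = "ADC"
      schemaVersion = "3.0.0"
      id            = "tf-example"   # constructed sample id
      Sample_Tenant = {              # constructed tenant name
        class = "Tenant"
        Sample_App = {
          class    = "Application"
          template = "generic"
          web_monitor = {
            class       = "Monitor"
            monitorType = "http"
            username    = "healthcheck"
            # AS3 Secret object: base64 of the plaintext plus the "no
            # encryption" JWE header; the value comes from the sensitive var.
            passphrase = {
              ciphertext = base64encode(var.monitor_password)
              protected  = "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
            }
          }
          web_pool = {
            class    = "Pool"
            monitors = [{ use = "web_monitor" }]
            members = [{
              servicePort     = 80
              serverAddresses = ["10.0.0.11"]   # constructed sample address
            }]
          }
          service = {
            class            = "Service_HTTP"
            virtualAddresses = ["10.0.0.1"]     # constructed sample VIP
            pool             = "web_pool"
          }
        }
      }
    }
  })
}

resource "bigip_bigiq_as3" "from_hcl" {
  as3_json = local.as3_declaration
}

# Variant B: the pipeline hands Terraform the finished compact JSON string
# (for example assembled with jq in the job workspace), again through a
# sensitive variable and again without a file on disk:
#   terraform apply -var "as3_json_inline=$(jq -c . <<< "$AS3_DECLARATION")"
variable "as3_json_inline" {
  type      = string
  sensitive = true
  default   = null
}

resource "bigip_bigiq_as3" "from_pipeline" {
  count    = var.as3_json_inline == null ? 0 : 1
  as3_json = var.as3_json_inline
}
```

Marking the variable sensitive only affects what Terraform prints; the rendered declaration, secret included, is still stored in plaintext in the state file, so the state backend needs the same access controls and encryption as the declaration itself would have on disk.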