betr-io / terraform-provider-mssql

Terraform provider for Microsoft SQL Server
https://registry.terraform.io/providers/betr-io/mssql/latest
MIT License

Avoid storing credentials in state #92

Open davidkarlsen opened 2 months ago

davidkarlsen commented 2 months ago

We use a service-principal to authenticate (i.e. setting client_id/client_secret/tenant_id). The secret will rotate from time to time, but the current correct value is set for each terraform execution. However, during a plan the provider seems to use the stored values from the state file to refresh - and hence this will fail. I think the credentials shouldn't be stored in state, but always read as input config.

The only way to get past this stuck state is to taint the resources, so they are not refreshed, but deleted and re-created.

davidkarlsen commented 2 months ago

Related issue: https://github.com/betr-io/terraform-provider-mssql/issues/25

davidkarlsen commented 2 months ago

For folks coming to this, it seems one can avoid it if you rely on DefaultCredentials instead, using this option: https://registry.terraform.io/providers/betr-io/mssql/latest/docs/resources/user#azuread_default_chain_auth
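
Added example, not part of the issue thread or the provider's code: a check that lists where a Terraform state file still holds a credential for `mssql_*` resources and whether it differs from the secret currently in use, which is the condition the issue describes as breaking refresh. The sample state is constructed, and the nested `server`/`azure_login` layout and the `password` key are assumptions.

```python
import hmac
import json
import sys

# client_secret is named in the issue; password is an assumption for SQL logins.
SECRET_KEYS = {"client_secret", "password"}

# Constructed sample in Terraform state v4 shape (nested blocks stored as lists).
SAMPLE_STATE = {"version": 4, "resources": [
    {"mode": "managed", "type": "mssql_user", "name": "app", "instances": [
        {"attributes": {"username": "app", "server": [{
            "host": "example.database.windows.net",
            "azure_login": [{"tenant_id": "t", "client_id": "c",
                             "client_secret": "old-secret"}],
            "azuread_default_chain_auth": []}]}}]},
    {"mode": "managed", "type": "mssql_user", "name": "chain", "instances": [
        {"attributes": {"username": "chain", "server": [{
            "host": "example.database.windows.net",
            "azure_login": [], "azuread_default_chain_auth": [{}]}]}}]},
]}

def _walk(node, path):
    """Yield (path, value) for each non-empty credential string under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SECRET_KEYS and isinstance(value, str) and value:
                yield f"{path}.{key}", value
            else:
                yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")

def find_state_secrets(state, current_secret=None, type_prefix="mssql_"):
    """Return [(path, matches_current)]; matches_current is None if not compared."""
    findings = []
    for res in state.get("resources", []):
        if not res.get("type", "").startswith(type_prefix):
            continue
        for idx, inst in enumerate(res.get("instances", [])):
            base = f"{res['type']}.{res['name']}[{idx}]"
            for path, stored in _walk(inst.get("attributes", {}), base):
                same = None if current_secret is None else hmac.compare_digest(
                    stored.encode(), current_secret.encode())
                findings.append((path, same))  # the secret itself is never returned
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":  # usage: script.py [terraform.tfstate]
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    print("\n".join(path for path, _ in find_state_secrets(state)))
```

A `False` in the second field marks a resource whose state-held secret no longer matches the rotated one; a resource using `azuread_default_chain_auth` produces no finding in the sample.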