birchb1024 / terraform-provider-universe

A generic Terraform Provider with which you can code dynamic providers in any scripting language.
Mozilla Public License 2.0

Encrypt fields in tfstate if fieldname prefixed with a hash '#' ? #4

Open birchb1024 opened 3 years ago

birchb1024 commented 3 years ago

I wonder what best practice is in HCL for not exposing passwords. Do you have any hints about that? Maybe some kind of secure data source?

Terraform has very little to offer in terms of crypto. I was thinking that maybe I should add encryption to the multiverse provider so that secret fields are automatically encrypted before being put into the tfstate. Maybe mark the 'secure' fields with another prefix, e.g. '#':

resource "multiverse_foobar" "x" {
  config = jsonencode({
    "someNormalFieldLikeUsername" : "birchb1024",
    "#encryptedFieldLikePassword" : "redactedredacted"
  })
}

The encryption key would be in an environment variable or similar. The Go code in the provider would actually perform encryption/decryption.

Do you have any views?
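A sketch of the encrypt-before-state idea from the opening post, in Go since that is what the provider is written in: an added example, not code from this issue or from terraform-provider-universe. It assumes the config is a flat map of string fields, that the key arrives as raw bytes, and that the NewAEAD, Seal, Open and Transform names are hypothetical; it uses AES-GCM with the field name as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// NewAEAD: AES-GCM under a 16/24/32-byte key the provider would read from an env var (hypothetical helper, not the provider's API).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal: fresh random nonce, output is nonce||ciphertext||tag; the field name is bound as associated data so a value moved to another field fails.
func Seal(aead cipher.AEAD, field, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))), nil
}
// Open reverses Seal.
func Open(aead cipher.AEAD, field, sealed string) (string, error) {
	n := aead.NonceSize()
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil || len(raw) < n {
		return "", errors.New("malformed ciphertext in field " + field)
	}
	pt, err := aead.Open(nil, raw[:n], raw[n:], []byte(field))
	return string(pt), err // err is non-nil for a wrong key, tampered bytes or a moved field
}
// Transform applies fn (Seal before writing state, Open after reading it back) to '#' fields; the rest pass through.
func Transform(cfg map[string]string, fn func(field, v string) (string, error)) (map[string]string, error) {
	out := make(map[string]string, len(cfg))
	for k, v := range cfg {
		if len(k) > 0 && k[0] == '#' { // the proposed secret-field marker
			var err error
			if v, err = fn(k, v); err != nil {
				return nil, err
			}
		}
		out[k] = v
	}
	return out, nil
}
```

Because each Seal call draws a fresh nonce, the same secret encrypts differently on every run, so the provider has to compare by decrypting rather than by comparing the stored strings, or every plan will show a change. The key still has to reach every machine that runs terraform, which is the same distribution problem the thread raises for environment variables.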

tuckner commented 3 years ago

Utilize this perhaps?

https://www.terraform.io/docs/state/sensitive-data.html

Pass the password in as a variable and set the field as sensitive data for state elsewhere? Otherwise, I would utilize environment variables the whole way through if not something like Hashicorp Vault.

cmclaughlin commented 2 years ago

I'm experimenting with using this Universe plugin with CDK for Terraform.

I don't think the suggestion to pass in the data as a Terraform variable with the sensitive flag will work because the config has to be json encoded in HCL or CDKTF. Maybe I'm wrong though?

Here's what I get in CDKTF:

TypeError: Object of type TerraformVariable is not JSON serializable

I also don't think environment variables will work in CDKTF, at least not how I would hope. If I set the env vars in my Python stack, that won't be exported to Terraform since Terraform doesn't run as a subprocess.