search

grafana / terraform-provider-grafana

Terraform Grafana provider
https://www.terraform.io/docs/providers/grafana/
Mozilla Public License 2.0
425 stars 225 forks source link

[Feature Request]: Avoid storing sensitive information in Terraform state for Data Source #1811

Closed ferraroluc closed 1 week ago

ferraroluc commented 1 week ago

Feature Request

When creating a resource grafana_data_source and using the parameter secure_json_data_encoded to set, for example, a database password, that value is stored in plain text in the Terraform state. In that case, the best practice would seem to be to insert the password manually after the resource has been created with the tool. If the password would not be stored in state, it could be set from Terraform code without risk.

resource "grafana_organization" "org" {
  name = "Company"
}

resource "grafana_folder" "databases" {
  title  = "Databases"
  org_id = grafana_organization.org.org_id
}

resource "grafana_dashboard" "databases" {
  folder = grafana_folder.databases.uid
  org_id = grafana_organization.org.org_id
  config_json = jsonencode({
    "title" : "Databases",
  })
}

resource "grafana_data_source" "mssql" {
  type          = "mssql"
  name          = "mssql"
  org_id        = grafana_organization.org.org_id
  url           = "10.10.10.10:1433"
  database_name = "master"
  username      = "sa"

  secure_json_data_encoded = jsonencode({
    password = "password"
  })
}
Duologic commented 1 week ago

This is due to the nature of Terraform, please read this: https://developer.hashicorp.com/terraform/language/state/sensitive-data