hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Decouple Azure Key Vault Secret resource metadata from its value #25396

Open stefangrosaru opened 4 months ago

stefangrosaru commented 4 months ago

Description

Currently, when using the azurerm provider to create an Azure Key Vault Secret, the secret value is stored in the raw state as plain-text.

This is well documented in the provider documentation, but the problem is that it makes secret resource creation less ideal via terraform.

Ideally the secret resource creation and the secret value should be decoupled, so that secrets can be created by terraform, without storing their value in state, and then the value can be managed through other means.

This allows existing workflows to continue working as they did until now, but it would enable a better way to create and manage secrets.

For reference, this is similar to the way that the AWS provider currently works. This provider is really popular and it's safe to assume that folks using both providers, or transitioning from one to the other would expect secret management to work in a similar capacity.

New or Affected Resource(s)/Data Source(s)

azurerm_key_vault_secret

Potential Terraform Configuration

No response

References

No response
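To make the "stored in the raw state as plain-text" point concrete, here is a small state checker that is not part of the provider or of this issue: it walks a Terraform state document (format version 4, the `resources[].instances[].attributes` layout) and reports every resource instance whose attributes carry a secret value. The attribute names are the real schema names (`value` on `azurerm_key_vault_secret`, `secret_string`/`secret_binary` on `aws_secretsmanager_secret_version`); the `SAMPLE_STATE` document, its resource names and the placeholder secret values are constructed for this example. Note that the AWS metadata resource `aws_secretsmanager_secret` has no value attribute at all, which is the decoupling the issue asks for.

```python
import json

# Resource types whose state attributes hold the secret itself, and which
# attribute(s) to look at. Keyed by Terraform resource type (real schema names).
SECRET_VALUE_ATTRS = {
    "azurerm_key_vault_secret": ("value",),
    "aws_secretsmanager_secret_version": ("secret_string", "secret_binary"),
    # aws_secretsmanager_secret is metadata only: nothing to check there.
}

# Constructed, minimal tfstate (format version 4). The values are placeholders,
# not real secrets. Marking an attribute in "sensitive_attributes" only affects
# CLI output; the plaintext is still written to the state file.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.7.0",
    "resources": [
        {
            "mode": "managed",
            "type": "azurerm_key_vault_secret",
            "name": "db_password",
            "instances": [{
                "attributes": {
                    "name": "db-password",
                    "key_vault_id": "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv",
                    "value": "CONSTRUCTED-PLACEHOLDER-VALUE",
                },
                "sensitive_attributes": [],
            }],
        },
        {
            "mode": "data",
            "type": "azurerm_key_vault_secret",
            "name": "existing",
            "instances": [{"attributes": {"name": "api-key", "value": "ANOTHER-PLACEHOLDER"}}],
        },
        {
            "mode": "managed",
            "type": "aws_secretsmanager_secret",
            "name": "db",
            "instances": [{"attributes": {"name": "db", "arn": "arn:aws:secretsmanager:PLACEHOLDER"}}],
        },
        {
            "mode": "managed",
            "type": "aws_secretsmanager_secret_version",
            "name": "db",
            "instances": [{"attributes": {"secret_id": "db", "secret_string": "PLACEHOLDER"}}],
        },
    ],
}


def find_plaintext_secrets(state):
    """Return a list of (resource address, attribute name) for every instance
    whose attributes contain a non-empty secret value. Both managed resources
    and data sources are checked, because a data source read of a Key Vault
    secret also lands the value in state."""
    findings = []
    for res in state.get("resources", []):
        attrs_to_check = SECRET_VALUE_ATTRS.get(res.get("type"))
        if not attrs_to_check:
            continue
        prefix = "data." if res.get("mode") == "data" else ""
        for inst in res.get("instances", []):
            attributes = inst.get("attributes", {})
            address = f"{prefix}{res['type']}.{res['name']}"
            if "index_key" in inst:  # count/for_each instances
                address += f"[{json.dumps(inst['index_key'])}]"
            for attr in attrs_to_check:
                if attributes.get(attr):
                    findings.append((address, attr))
    return findings


def check_state_file(path):
    """Load a tfstate file (e.g. the output of `terraform state pull`) and
    report findings without printing any secret value."""
    with open(path, encoding="utf-8") as fh:
        return find_plaintext_secrets(json.load(fh))


if __name__ == "__main__":
    for address, attr in find_plaintext_secrets(SAMPLE_STATE):
        print(f"plaintext secret in state: {address}.{attr}")
```

Run it against `terraform state pull > state.json` with `check_state_file("state.json")`; the checker deliberately reports only the address and attribute name, never the value, so its output is safe to keep in CI logs.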

jrddunbr commented 4 months ago

Sorry if I should make a separate issue, but it seems related enough.

To provide a concrete use case to this, my employer stores encrypted resources related to PCI cardholder information in an Azure Key Vault.

We refuse to allow Terraform (or our automation around it) to be able to read these encryption keys, and would like an option to allow it to not try to read the value into Terraform state or even make the API call that requests the secret values. But there is still value in the key vault's properties being able to be referenced in the Terraform code.