Closed fabio42 closed 4 years ago
So, the idea would be to initialize the secret and then rotate it outside Terraform, thus preventing other users from changing the secret using Terraform?
Yes, exactly. The secret resource would be created, through this resource, by someone who doesn't necessarily have access to the real secret. Secret management itself would be handled outside of TF.
@fabio42. I merged and published your changes in release 0.3.0.
Thanks for contributing!
First, thank you for this module, it is quite great!
I have use cases where I need to prepare some AWS secrets, but I can't have them set randomly or stored inside a shared file.
So I'm looking for a way to be able to enable `lifecycle` when I have such a use case. Unfortunately, `dynamic` does not support `lifecycle`, so this is the solution I ended with. In case of shared states, this would allow the secret to be initialized, eventually with real secret values through `terraform.tfvars`, by a first user, but would not prevent another user who doesn't have access to the secrets from using the state.
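The pattern discussed in this thread, as an added sketch that is not the module's or the contributor's own code: because `lifecycle` arguments must be literals and cannot sit in a `dynamic` block, the secret version is declared twice and `count` selects one variant. The variable names `ignore_secret_changes` and `initial_secret_string` and the secret name are hypothetical.

```hcl
# Hypothetical toggle: true = Terraform seeds the value once, then ignores drift.
variable "ignore_secret_changes" {
  type    = bool
  default = false
}

# Hypothetical input; a first user may supply it through terraform.tfvars.
variable "initial_secret_string" {
  type      = string
  sensitive = true
  default   = "CHANGE_ME_OUTSIDE_TERRAFORM" # constructed placeholder value
}

resource "aws_secretsmanager_secret" "this" {
  name = "example/app/db-password" # constructed name
}

# Variant 1: Terraform owns the value; any drift is reverted on the next apply.
resource "aws_secretsmanager_secret_version" "managed" {
  count         = var.ignore_secret_changes ? 0 : 1
  secret_id     = aws_secretsmanager_secret.this.id
  secret_string = var.initial_secret_string
}

# Variant 2: the value is written on first apply only. Later changes made
# outside Terraform (console, CLI, rotation) are not planned as a diff, so a
# user who does not know the real value can still plan and apply.
resource "aws_secretsmanager_secret_version" "unmanaged" {
  count         = var.ignore_secret_changes ? 1 : 0
  secret_id     = aws_secretsmanager_secret.this.id
  secret_string = var.initial_secret_string

  lifecycle {
    ignore_changes = [secret_string]
  }
}
```

Whatever value is passed at creation is still written to the Terraform state, so with a shared state the first apply is best done with a placeholder and the real value set outside Terraform afterwards.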