netascode / terraform-aci-nac-aci

Terraform Cisco ACI Nexus-as-Code Module
https://registry.terraform.io/modules/netascode/nac-aci/aci
Apache License 2.0

Question: Sensitive content protection in the different yaml files #80

Open alexanderdeca opened 1 month ago

alexanderdeca commented 1 month ago

Question: How do you protect sensitive content, e.g. passwords, in the different YAML files?

danischm commented 1 month ago

You can make use of !env YAML tags to inject those at runtime. See: https://registry.terraform.io/providers/netascode/utils/latest/docs/data-sources/yaml_merge

alexanderdeca commented 1 month ago

Hey Daniel,

Thanks for the info. Do you have an example for me, for instance using the following, as it is not clear what to do based on the link you provided?

    aaa:
      login_domains:
      - name: tacacs-auth
        realm: tacacs
        description: TACACS+ Authentication
      - name: local
        realm: local
        description: Local Authentication
      tacacs_providers:
      - hostname_ip: 10.253.241.4
        description: TACACS+
        port: 49
        key: 'Staging2023'
        timeout: 5
        retries: 1
        mgmt_epg: oob
      remote_user_login_policy: no-login
      default_fallback_check: true
      default_login_domain: lodhacs
      default_realm: tacacs
      console_realm: local
      console_login_domain: local

where I would replace the KEY value.

Best regards

Alexander

From: Daniel Schmidt, Date: Friday, 3 May 2024 at 09:19, To: netascode/terraform-aci-nac-aci, Cc: Alexander Deca, Author, Subject: Re: [netascode/terraform-aci-nac-aci] Question: Sensitive content protection in the different yaml files (Issue #80)

danischm commented 1 month ago

You would have something like this:

    aaa:
      tacacs_providers:
      - hostname_ip: 10.253.241.4
        description: TACACS+
        port: 49
        key: !env TACACS_KEY
        timeout: 5
        retries: 1
        mgmt_epg: oob

And then an environment variable defined like this:

    $ export TACACS_KEY=Staging2023

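
The !env pattern from the reply above, as an added example that is not part of the netascode utils provider or of this module: a small Python script (standard library only) that does two things a practitioner typically wants around this workflow. resolve_env_tags() is a text-level stand-in for what the yaml_merge data source does at runtime, substituting the environment variable for the tag and failing loudly when the variable is unset, rather than injecting an empty key. find_literal_secrets() is a pre-commit style check that flags credential-looking keys (key, password, secret, token, community; a constructed list) whose value is a literal instead of an !env tag. The regex-based substitution and the double-quoting of the injected value are assumptions of this example, not the provider's actual parsing logic; the sample YAML is constructed from the snippet in the thread.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Matches the provider-style tag `!env NAME` (tag syntax taken from the thread).
ENV_TAG = re.compile(r"!env\s+([A-Za-z_][A-Za-z0-9_]*)")

# `key: value`, optionally as a list item. Bare keys with no value on the
# line, such as `aaa:`, do not match because the value group needs one char.
KEY_VALUE = re.compile(r"^\s*-?\s*([A-Za-z0-9_]+):\s*(.+?)\s*$")

# Key names that normally carry credentials in NaC YAML. Constructed list;
# extend it to match your own data model.
SECRET_KEY_NAMES = {"key", "password", "secret", "token", "community"}

# Constructed sample, modelled on the TACACS+ provider snippet in the thread.
SAMPLE_BEFORE = """\
aaa:
  tacacs_providers:
  - hostname_ip: 10.253.241.4
    description: TACACS+
    port: 49
    key: 'Staging2023'
    timeout: 5
"""

# The same document after moving the secret into an !env tag.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("key: 'Staging2023'", "key: !env TACACS_KEY")


def _quote(value: str) -> str:
    """Emit a double-quoted YAML scalar so values with ':' or '#' stay scalars."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def missing_env_vars(yaml_text: str, env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Names referenced by !env that are not set in `env` (default: os.environ)."""
    env = os.environ if env is None else env
    missing: List[str] = []
    for name in ENV_TAG.findall(yaml_text):
        if name not in env and name not in missing:
            missing.append(name)
    return missing


def resolve_env_tags(yaml_text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Replace every `!env NAME` with the quoted value of NAME.

    Text-level stand-in for the provider's runtime tag handling (an assumption
    of this example: the real provider resolves the tag while parsing, not by
    regex). An unset variable raises instead of silently writing an empty key.
    """
    env = os.environ if env is None else env
    missing = missing_env_vars(yaml_text, env)
    if missing:
        raise KeyError("unset environment variable(s) referenced by !env: " + ", ".join(missing))
    return ENV_TAG.sub(lambda m: _quote(env[m.group(1)]), yaml_text)


def find_literal_secrets(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for credential-looking keys holding a literal.

    Meant as a pre-commit check: a value that is not an !env tag is a secret
    that would be committed in clear text.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key.lower() in SECRET_KEY_NAMES and not value.startswith("!env"):
            findings.append((lineno, key))
    return findings


if __name__ == "__main__":
    print("literal secrets before:", find_literal_secrets(SAMPLE_BEFORE))
    print("literal secrets after: ", find_literal_secrets(SAMPLE_AFTER))
    print(resolve_env_tags(SAMPLE_AFTER, {"TACACS_KEY": "Staging2023"}))
```

Run it with TACACS_KEY exported as in the reply above and the resolved document contains the key only in memory; run find_literal_secrets() over the data directory in CI and a plaintext key such as the one in the first snippet fails the check before it reaches the repository.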
alexanderdeca commented 1 month ago

Thanks, it seems the syntax doesn't like it, as Visual Studio Code throws an error on the !env TACACS_KEY.

danischm commented 1 month ago

Yeah, the JSON schema is not aware of those tags.

alexanderdeca commented 1 month ago

Alright thanks for the help, trying it now.

Cheers!

danischm commented 1 month ago

Does this answer your question?