Open gberche-orange opened 6 years ago
Fingerprint is here to detect a change instead of using the generated value, for, yes, security reasons.
There is actually no terraform backend with encryption except https://github.com/orange-cloudfoundry/terraform-secure-backend .
My feelings about this one were that:
I'm totally open to reconsidering this; this part was not explained and this can be put in the balance.
Vault has only a generic resource for creating credentials in its provider. Comparing this provider with the Vault provider on the generic one is more accurate, and they both work the same on this one.
The credhub api get-by-name can return all historical data for a given path, each version being identified by its id and date.
Could the provider simply load the history for a given path to determine whether a rotation is required or not?
The terraform-provider-credhub provider attempts to reduce the amount of sensitive data written to TF state, i.e. some resource creations instead store credential signatures; see the Readme.
I wonder whether this added complexity is worth the effort given that:
Terraform recommends that TF state be safely stored in a remote backend that supports encryption,
as documented in https://www.terraform.io/docs/state/sensitive-data.html. E.g. this translates to https://github.com/orange-cloudfoundry/paas-templates/issues/62
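Added example, not code from terraform-provider-credhub itself: a Go sketch of the two ideas in this thread, a fingerprint kept in state instead of the secret value, and a drift check that walks the get-by-name history rather than the stored value. The CredentialVersion type, the Fingerprint/Latest/Drifted functions and the plain SHA-256 scheme are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"time"
)

// CredentialVersion mirrors a credhub get-by-name history entry as described
// in the thread: an id, a creation date and the value. Field names are an
// assumption for this example.
type CredentialVersion struct {
	ID      string
	Created time.Time
	Value   string
}

// Fingerprint is what would be written to Terraform state instead of the
// value. Plain SHA-256 is an assumed scheme, not the provider's actual one;
// a bare hash of a low-entropy secret can still be brute-forced offline if
// state leaks, so this reduces exposure rather than removing it.
func Fingerprint(value string) string {
	sum := sha256.Sum256([]byte(value))
	return hex.EncodeToString(sum[:])
}

// Latest picks the most recent version by creation date; ok is false when
// the history is empty (credential deleted or never created).
func Latest(history []CredentialVersion) (latest CredentialVersion, ok bool) {
	for _, v := range history {
		if !ok || v.Created.After(latest.Created) {
			latest, ok = v, true
		}
	}
	return latest, ok
}

// Drifted reports whether the fingerprint held in state no longer matches
// the newest CredHub version, i.e. the credential was rotated or changed
// outside Terraform. A missing credential also counts as drift so that a
// plan recreates it instead of silently trusting stale state.
func Drifted(stateFingerprint string, history []CredentialVersion) bool {
	latest, ok := Latest(history)
	if !ok {
		return true
	}
	return Fingerprint(latest.Value) != stateFingerprint
}
```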