siderolabs / terraform-provider-talos


Mark inlineManifests as sensitive #188

Closed rmvangun closed 3 months ago

rmvangun commented 3 months ago

This may not be limited to inlineManifests and apply more broadly to machine configuration.

There are times when sensitive data needs to be passed to machine configuration. In my case, I'm attempting to install Cilium via the inlineManifests option in the machine config. The cilium helm chart generates secrets containing private certs and keys, which are exposed in my terraform plan.

It's pretty useful to see these manifests in the plan, but I wonder if it's possible to obfuscate some aspects of the machine configuration in the provider?

Other approaches to installing Cilium aren't ideal in my situation, as getting the Terraform fully automated requires ensuring that the cluster is fully healthy very early on, which means installing Cilium right away via inline manifests.

rmvangun commented 3 months ago

nvm, this can be done by passing the value into Terraform's sensitive function, like so:

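```hcl
locals {
  # Rendered Cilium manifests; the chart's generated Secrets carry private certs and keys.
  cilium_manifest = data.helm_template.cilium.manifest
  formatted_cilium_manifest = yamlencode({
    cluster = {
      inlineManifests = [
        {
          name     = "cilium"
          # sensitive() makes Terraform redact the value in plan output;
          # the mark carries through yamlencode() to the whole patch.
          contents = sensitive(local.cilium_manifest)
        }
      ]
    }
  })
}
```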
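An added example, not part of the thread or the provider's code: a CI-style check over the parsed output of `terraform show -json <planfile>` that reports planned attributes still carrying secret material without a sensitive mark. The marker strings, resource instance names and sample plan are constructed for illustration; `resource_changes`, `change.after` and `change.after_sensitive` are fields of Terraform's JSON plan format.

```python
# Markers of secret-bearing content (an assumption for this example; tune as needed).
MARKERS = ("kind: Secret", "-----BEGIN")

def leaks(value, mask, path=""):
    """Yield paths of strings that hold a marker but are not marked sensitive.

    `value` is a node of change.after; `mask` is the matching node of
    change.after_sensitive (True = sensitive, False or absent = not)."""
    if mask is True:  # whole subtree is sensitive, so the plan redacts it
        return
    if isinstance(value, dict):
        sub = mask if isinstance(mask, dict) else {}
        for key, child in value.items():
            yield from leaks(child, sub.get(key, False), f"{path}.{key}")
    elif isinstance(value, list):
        sub = mask if isinstance(mask, list) else []
        for i, child in enumerate(value):
            child_mask = sub[i] if i < len(sub) else False
            yield from leaks(child, child_mask, f"{path}[{i}]")
    elif isinstance(value, str) and any(m in value for m in MARKERS):
        yield path

def unredacted(plan):
    """Return 'address.path' for every planned attribute that would show a secret."""
    found = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        mask = change.get("after_sensitive", False)
        for p in leaks(change.get("after"), mask):
            found.append(rc["address"] + p)
    return found

# Constructed sample plan: the same patch once unmarked, once wrapped in sensitive().
PATCH = "cluster:\n  inlineManifests:\n  - name: cilium\n    contents: |\n      kind: Secret\n"
SAMPLE = {"resource_changes": [
    {"address": "talos_machine_configuration_apply.plain",
     "change": {"after": {"config_patches": [PATCH]},
                "after_sensitive": {"config_patches": [False]}}},
    {"address": "talos_machine_configuration_apply.wrapped",
     "change": {"after": {"config_patches": [PATCH]},
                "after_sensitive": {"config_patches": [True]}}},
]}

if __name__ == "__main__":
    for hit in unredacted(SAMPLE):
        print("unredacted secret material in plan:", hit)
```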