SCTL is not End2End encryption, instead SCTL is more of an envelope, in which you store secrets until they are needed, and those secrets should only remain available in plain text while the operation that needs them is active.
GNU General Public License v3.0
[terraform] - New feature, generate a terraform.tfvars file #7
Terraform wasn't inheriting from env correctly in my tests. Adding a terraform.tfvars generator exposes the secrets on disk in plain text for the window of Terraform's operation. This ranges from seconds to an hour.
Terraform configuration of a provider does not typically like or respect variables in its configuration block. I've done this in a few places, but it is an abuse of nuances in Terraform.
$ terraform plan
var.ADMIN_PASSWORD
Enter a value: ^C
Interrupt received.
Please wait for Terraform to exit or data loss may occur.
Gracefully shutting down...
Error: Failed to request interactive input
Terraform attempted to request a value for var.ADMIN_PASSWORD interactively,
but encountered an error: interrupted.
$ sctl list
ADMIN_PASSWORD
$ sctl terraform
$ cat terraform.tfvars
ADMIN_PASSWORD="ABC_123"
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
kubernetes_cluster_role_binding.tiller: Refreshing state... [id=tiller]
kubernetes_service_account.tiller: Refreshing state... [id=kube-system/tiller]
kubernetes_cluster_role_binding.vapor-admin: Refreshing state... [id=cluster-admin-binding]
------------------------------------------------------------------------
No changes. Infrastructure is up-to-date.
This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.
One thing to note regarding the usage of this method is that if there's a complex data structure, like a map, I don't believe sctl will preserve that. It's not often that you encounter map data; typically it's just strings for values, and complex data structures are computed at run time, but I digress. This is probably important to note: it's untested.
I'll leave all this here as is, and if this gets approved I'll cult it into the readme just ahead of the merge.
This will bypass the env inheritance per: https://www.terraform.io/docs/configuration/variables.html#variable-definition-precedence
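Added example, not code from sctl or from this PR: a minimal tfvars generator that keeps the plaintext window no longer than the Terraform run itself. It creates the file with mode 0600, escapes values for HCL quoted strings (a password containing a quote, a backslash or "${" would otherwise break the file or be read as an interpolation), and removes the file when the wrapped command exits. The helper names (hcl_escape, render_tfvars, with_tfvars), the KEY=VALUE input format and the sample secret are assumptions for this example; it does not reproduce sctl's own output. Like the PR's approach, it only handles flat string values, which is the same limitation noted above for map-typed variables.

```shell
#!/usr/bin/env bash
# Added example, not sctl's code. Helper names and the KEY=VALUE input format
# are assumptions made for this example.
set -euo pipefail

# Escape one value for an HCL double-quoted string: backslash, double quote,
# and the "${" / "%{" template introducers (Terraform 0.12+ syntax).
hcl_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
                         -e 's/\$[{]/$${/g' -e 's/%[{]/%%{/g'
}

# Render KEY=VALUE lines from stdin as HCL assignments. Only flat string
# values are representable this way; a map would need HCL object syntax.
render_tfvars() {
  local line key value
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      '') continue ;;                       # skip blank lines
      *=*) ;;                               # KEY=VALUE, handled below
      *) printf 'render_tfvars: no "=" in line: %s\n' "$line" >&2; return 1 ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    # Terraform variable names: letters, digits, "_" and "-", and they must
    # not start with a digit or a hyphen.
    case "$key" in
      ''|[0-9-]*|*[!A-Za-z0-9_-]*)
        printf 'render_tfvars: invalid variable name: %s\n' "$key" >&2; return 1 ;;
    esac
    printf '%s = "%s"\n' "$key" "$(hcl_escape "$value")"
  done
}

# Write FILE from SECRETS with mode 0600, run the remaining arguments as a
# command (for example: terraform plan), and remove FILE when that command
# exits, whatever its status. The subshell keeps the umask and EXIT trap local.
with_tfvars() {
  local file=$1 secrets=$2
  shift 2
  (
    umask 077                               # new file is 0600 from its first byte
    trap 'rm -f "$file"' EXIT               # runs on success, failure, or Ctrl-C
    rm -f "$file"                           # never inherit a permissive old mode
    render_tfvars < "$secrets" > "$file"
    "$@"
  )
}

# Stand-alone demonstration with a constructed secret; the terraform step is
# replaced by cat so the example runs offline.
demo_tmp=$(mktemp -d)
printf 'ADMIN_PASSWORD=p"a\\ss${x}\n' > "$demo_tmp/secrets"   # constructed value
with_tfvars "$demo_tmp/terraform.tfvars" "$demo_tmp/secrets" cat "$demo_tmp/terraform.tfvars"
[ -e "$demo_tmp/terraform.tfvars" ] || echo "terraform.tfvars removed after the run"
rm -rf "$demo_tmp"
```

In real use the last line of the wrapped command would be `terraform plan` or `terraform apply`; the file exists only between the render and the command's exit, and the 0600 mode limits who can read it during that window to the invoking user.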