It seems there's a lot of information out there on how to retrieve and view sensitive data in terraform, but not a lot on how to prevent viewing of it via the nonsensitive function.
For example, suppose I have a secret stored in Azure Key Vault and I want my config to grab it and use it somewhere:
data "azurerm_key_vault_secret" "my_ultra_secret" {
  name         = "my_ultra_secret"
  key_vault_id = data.azurerm_key_vault.mykeyvault.id
}
(I'm using remote state stored in HCP Terraform, aka Terraform Cloud, with a service principal for Terraform to talk to Azure and manipulate resources.)
If a developer is able to get this code and go into terraform console, they can do this:
nonsensitive(data.azurerm_key_vault_secret.my_ultra_secret)
This exposes the secret in plain text. I don't want the developer seeing the secrets, but obviously Terraform Cloud needs to, so the idea of restricting my service principal's permissions doesn't seem to fit the bill.
Any idea how I do this? (I've looked at dynamic provider credentialing, but this doesn't seem to restrict permissions based on user, as far as I can tell.)
After experimenting with various options, I think I have a fairly good solution. The documentation for HCP Cloud on these options is here, but I will translate into my own words in case that helps anyone.
TL;DR: HCP cloud provides granular RBAC to control the things I talked about in the OP.
terraform login, and that's what you'll use to set these RBAC settings. The latter is controlled with az login, but again, out of scope for this answer.
terraform output (more on that below).
nonsensitive function will simply show (known after apply). If you allow full read access, then they will be able to see your secrets.
terraform output myvar. If you set state to "no access," then the previous command will show No outputs found.
This answer doesn't address any general security best practices when it comes to Terraform secrets, as you can find those all over the place.
Hope this helps!
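The RBAC setup the answer describes, written as an added example using the HashiCorp tfe provider (not code from the question or answer). It assumes a hypothetical organization "example-org", workspace "app-prod" and team "developers"; the team is granted plan-only run access and "read outputs only" state access, so a developer cannot download the full state file in which the Key Vault secret's value is stored.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Hypothetical names; replace with your own HCP Terraform organization,
# workspace and team. The tfe provider authenticates with the token
# obtained via `terraform login`, not with the Azure `az login` session.
data "tfe_workspace" "app" {
  name         = "app-prod"
  organization = "example-org"
}

data "tfe_team" "developers" {
  name         = "developers"
  organization = "example-org"
}

# Custom (granular) team access for the developers team on this workspace:
#  - runs = "plan": developers can queue plans but not applies, so values
#    resolved during apply show as (known after apply) in their plans
#  - state_versions = "read-outputs": `terraform output` works for them,
#    but the full state file (including secret values) cannot be read;
#    "none" would make `terraform output` report "No outputs found",
#    while "read" would expose the state and every secret in it
resource "tfe_team_access" "developers_app" {
  team_id      = data.tfe_team.developers.id
  workspace_id = data.tfe_workspace.app.id
  access       = "custom"

  permissions {
    runs              = "plan"
    variables         = "read"
    state_versions    = "read-outputs"
    sentinel_mocks    = "none"
    workspace_locking = false
    run_tasks         = false
  }
}
```

Under "read-outputs" access, `terraform output <name>` still prints the raw value of any declared output, sensitive or not, so keep the secret value itself out of the workspace's outputs and expose only non-secret attributes (for example the secret's version).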