Tags: azure, security, terraform, azure-keyvault, terraform-provider-azure

How to prevent terraform developers from viewing secrets with the nonsensitive function


It seems there's a lot of information out there on how to retrieve and view sensitive data in terraform, but not a lot on how to prevent viewing of it via the nonsensitive function.

For example, suppose I have a secret stored in Azure Key Vault and I want my config to grab it and use it somewhere:

data "azurerm_key_vault_secret" "my_ultra_secret" {
    name         = "my_ultra_secret"
    key_vault_id = data.azurerm_key_vault.mykeyvault.id
}

(I'm using remote state stored in HCP Terraform, aka Terraform Cloud, with a service principal for Terraform to talk to Azure and manipulate resources.)

If a developer is able to get this code and go into terraform console, they can do this:

nonsensitive(data.azurerm_key_vault_secret.my_ultra_secret)

Thus exposing the secret in plain text. I don't want the developer seeing the secrets, but obviously terraform cloud needs to, so the idea of restricting my service principal's permissions doesn't seem to fit the bill.

Any idea how I do this? (I've looked at dynamic provider credentialing, but this doesn't seem to restrict permissions based on user, as far as I can tell.)


Solution

  • After experimenting with various options, I think I have a fairly good solution. The documentation for HCP Cloud on these options is here, but I will translate into my own words in case that helps anyone.

    TL;DR: HCP cloud provides granular RBAC to control the things I talked about in the OP.

    This answer doesn't address any general security best practices when it comes to Terraform secrets, as you can find those all over the place.

    Hope this helps!
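As an added illustration of the workspace-level RBAC the answer refers to (this is not code from the answer above, and it is not the only way to set this up), the same permissions can be expressed with the tfe provider rather than clicked through in the HCP Terraform UI. The organization, team and workspace names below are placeholders, and the particular permission choices are one possible policy, not something the answer prescribes.

```hcl
# Added example, not part of the original answer.
# Goal: let a developer team read run logs and queue plans on a workspace,
# but deny them state-version reads. Data source results (including the
# azurerm_key_vault_secret value from the question) are recorded in state,
# so anyone who can read state versions can read the secret regardless of
# the sensitive marking; cutting state access is what stops the
# `terraform console` / `terraform state pull` route.
# Names "example-org", "app-prod" and "developers" are assumptions.

terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

data "tfe_workspace" "app" {
  name         = "app-prod"     # assumed workspace name
  organization = "example-org"  # assumed organization name
}

resource "tfe_team" "developers" {
  name         = "developers"
  organization = "example-org"
}

resource "tfe_team_access" "developers_app" {
  team_id      = tfe_team.developers.id
  workspace_id = data.tfe_workspace.app.id
  access       = "custom"

  permissions {
    runs              = "plan"  # may queue plans, cannot apply
    variables         = "read"  # sensitive variables stay write-only in the UI
    state_versions    = "none"  # no state reads: console and state pull fail
    sentinel_mocks    = "none"
    workspace_locking = false
    run_tasks         = false
  }
}
```

One caveat worth checking before relying on this: if the team can queue plans, a plan that adds an output wrapping the secret in nonsensitive() would still print the value in that run's plan log, so plan permission should be paired with review of configuration changes (for example, a VCS-driven workflow where plans only run on reviewed branches) or restricted to "read" on workspaces holding production secrets.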