A quick example of how to handle Terraform secrets in your repository using the Ansible Vault encryption feature.
Here is the use case:
- You already use Ansible and its vault feature to manage your secrets in some git repository, or to encrypt sensitive information
- You also use Terraform as your Infrastructure as Code tool, and you start having secrets to manage
- You don't have any dedicated secret management system (e.g. something like Vault)
Since you share your Terraform code across your team, you also have to share the secrets. Therefore you either:
- Store your secrets somewhere else (never in clear text in your git repository!) and enter them manually when running terraform. Needless to say, this is not ideal for automation.
- Store your secrets in clear text in your git repository anyway (what did I say about that!?).
- Use an external tool to encrypt your secrets; in this example we use Ansible Vault.
Requirements:
- ansible
- jq
- terraform
To run this example, launch:
    cd terraform-example
    export ANSIBLE_VAULT_PASSWORD_FILE=$(pwd)/../.ansible_vault_file
    terraform init
    terraform apply
The `terraform apply` command should output the following:
    $> terraform apply
    data.external.mysecret: Refreshing state...
    Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
    Outputs:
    mysecret = i_am_batman
This example has three main components:
- The bash script we use to extract the vaulted secret, located in the `_tools` folder
- The file containing the secret, located in the `_secrets` folder
- The Terraform `external` data block that calls the script and exposes the decrypted value to the rest of the configuration:
    data "external" "mysecret" {
      # Call the script that runs the `ansible -m debug` command
      program = ["bash", "../_tools/get_ansible_secret.sh"]
      query = {
        # Name of the vaulted variable to read; the script also uses it as the key of the result map
        var = "mysecret"
        # The vault-encrypted file containing that variable
        file = "../_secrets/secrets.yml"
      }
    }
You can then use the value like any other Terraform data source attribute:
    ${data.external.mysecret.result.mysecret}
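To show what the program on the other side of that `data "external"` call has to do, here is a Python rewrite of the glue (an added example, not the repository's `_tools/get_ansible_secret.sh`): it reads the `query` map that Terraform writes as JSON on stdin, runs the same `ansible -m debug` command with the vault password file taken from `ANSIBLE_VAULT_PASSWORD_FILE`, and answers with a JSON map whose values are all strings, which is what the external data source protocol requires. The exact `ansible` command line and the `localhost | SUCCESS => {...}` output format it parses are assumptions based on the page's description of the script.

```python
#!/usr/bin/env python3
"""Terraform `external` program returning one Ansible Vault secret.
Added example, not the repository's _tools/get_ansible_secret.sh. Terraform
writes its `query` map as JSON on stdin and expects a JSON object whose values
are all strings on stdout; failures must exit non-zero with the reason on
stderr, otherwise Terraform reports an opaque error."""
import json, subprocess, sys

REQUIRED_KEYS = ("var", "file")

def parse_query(raw):
    """Validate the query JSON sent by Terraform and return (var, file)."""
    query = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in query]
    if missing:
        raise ValueError("query is missing keys: " + ", ".join(missing))
    return query["var"], query["file"]

def parse_ansible_output(text, var):
    """Extract `var` from `ansible -m debug` output, which looks like
    'localhost | SUCCESS => {"mysecret": "i_am_batman"}' (assumed format)."""
    _, sep, body = text.partition("=>")
    if not sep:
        raise ValueError("unexpected ansible output: %r" % text[:200])
    return json.loads(body)[var]

def build_result(var, value):
    """The external protocol only allows string values; serialise anything
    else (numbers, lists, maps) as JSON so the caller can decode it again."""
    if not isinstance(value, str):
        value = json.dumps(value, sort_keys=True)
    return {var: value}

def fetch_secret(var, file):
    """Decrypt `file` through ansible; the vault password file is inherited
    from ANSIBLE_VAULT_PASSWORD_FILE in the environment, as in the README."""
    cmd = ["ansible", "localhost", "-m", "debug",
           "-a", "var=" + var, "-e", "@" + file]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_ansible_output(proc.stdout, var)

if __name__ == "__main__":
    try:
        var, file = parse_query(sys.stdin.read())
        print(json.dumps(build_result(var, fetch_secret(var, file))))
    except Exception as exc:  # stderr + non-zero exit is what Terraform expects
        sys.stderr.write("get_ansible_secret: %s\n" % exc)
        sys.exit(1)
```

Whatever the program returns is written to the Terraform state in clear text, so the state file needs the same protection as the vault file itself.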
TODO: explain the whole thing.