How to prevent terraform developers from viewing secrets with the nonsensitive function


It seems there’s a lot of information out there on how to retrieve and view sensitive data in terraform, but not a lot on how to prevent viewing of it via the nonsensitive function.

For example, suppose I have a secret stored in Azure Key Vault and I want my config to grab it and use it somewhere:

data "azurerm_key_vault_secret" "my_ultra_secret" {
    name         = "my_ultra_secret"
    key_vault_id = data.azurerm_key_vault.mykeyvault.id
}

(I’m using remote state stored in HCP Terraform, aka Terraform Cloud, with a service principal for Terraform to talk to Azure and manipulate resources.)

If a developer is able to get this code and go into terraform console, they can do this:

nonsensitive(data.azurerm_key_vault_secret.my_ultra_secret)

Thus exposing the secret in plain text. I don’t want the developer seeing the secrets, but obviously terraform cloud needs to, so the idea of restricting my service principal’s permissions doesn’t seem to fit the bill.

Any idea how I do this? (I’ve looked at dynamic provider credentialing, but this doesn’t seem to restrict permissions based on user, as far as I can tell.)
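
An added example, not part of the original question or the asker's code: a small Python check, suitable for a CI or pre-commit gate, that finds nonsensitive() calls in Terraform source and singles out those whose argument reaches into an azurerm_key_vault_secret data source, so an unwrap like the one shown in the question is caught before it lands in a plan or output. The sample HCL is constructed and the function names are mine.

```python
import re

# Constructed sample Terraform source (resource names echo the question; the rest is invented).
SAMPLE_TF = '''
data "azurerm_key_vault_secret" "my_ultra_secret" {
  name         = "my_ultra_secret"
  key_vault_id = data.azurerm_key_vault.mykeyvault.id
}

output "leak" {
  value = nonsensitive(data.azurerm_key_vault_secret.my_ultra_secret.value)
}

locals {
  # a comment that mentions nonsensitive( must not be flagged
  tag = nonsensitive("static-${var.env}")
}
'''

CALL = re.compile(r"\bnonsensitive\s*\(")

def _argument(text, start):
    """Balanced argument text starting at index start (just past the opening '(')."""
    depth, in_str, i = 1, False, start
    while i < len(text):
        c = text[i]
        if in_str:                          # inside a quoted string: ignore parens
            in_str = c != '"'
            i += 2 if c == "\\" else 1      # skip escaped characters
            continue
        if c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")" and (depth := depth - 1) == 0:
            return text[start:i]
        i += 1
    return text[start:]                     # unbalanced input: return what is there

def find_nonsensitive_calls(source):
    """All nonsensitive() calls outside comments, as (line_number, argument_text)."""
    stripped = "\n".join(l.split("#", 1)[0].split("//", 1)[0] for l in source.splitlines())
    return [(stripped.count("\n", 0, m.start()) + 1, _argument(stripped, m.end()).strip())
            for m in CALL.finditer(stripped)]

def flag_secret_unwraps(source):
    """Only the calls whose argument reaches into a Key Vault secret data source."""
    return [(n, a) for n, a in find_nonsensitive_calls(source)
            if "azurerm_key_vault_secret" in a]
```

This catches an unwrap that is committed to the configuration; it does nothing about someone who already has the code and credentials typing the same call into terraform console, which is the gap the question describes.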
