Parameters in metadata exposes secrets

[ugirirajan]

As the GCP instance reads the metadata on the fly for parameters, the credentials and keys are exposed in console if we use this registry.

[onetwopunch]

+1 to this. Could this module not allow users to pull the secrets from a GCS bucket with a client side KMS key which only the primary/secondary service account has access to? Or give the option to point to a Vault instance which would pull this data at boot time. It seems this issue also exists on the AWS installation module, where secrets are stored in User Data: https://github.com/hashicorp/terraform-aws-terraform-enterprise/blob/87a10c9893e71261404fe70a80ee4e4cd8f22fca/config.tf#L22