terraform-provider-doppler icon indicating copy to clipboard operation
terraform-provider-doppler copied to clipboard

Published 20 hours ago verified publisher icon DopplerHQ

Feature: Lock on secrets

Open a-nldisr opened this issue 2 years ago • 4 comments

Feature request:

In the Doppler interface, you can place locks on secrets, it would be nice to set locks on secrets from the Terraform provider to ensure removing/changing a resource doesn't cause accidental removal.

Example

resource "doppler_secret" "db_password" {
  project = "backend"
  config = "dev"
  name = "DB_PASSWORD"
  value = random_password.db_password.result

  lock = true
}

To be able to remove the resource the lock = true needs to be changed to false

a-nldisr avatar Sep 08 '22 11:09 a-nldisr

Update: Locks are not present on secrets directly, they need to be done on branch configs.

a-nldisr avatar Apr 06 '23 09:04 a-nldisr

Hey @a-nldisr! Thanks for writing in about this. We've gotten feedback from other users that it would be handy to mark certain secrets as "Terraform managed" so that they can't be modified outside of Terraform. Is this what you're aiming to do?

...it would be nice to set locks on secrets from the Terraform provider to ensure removing/changing a resource doesn't cause accidental removal.

Can you expand on this a bit? I'm not sure if there's a way we could design the provider such that removing or changing a resource doesn't remove the corresponding object in Doppler. Even using locks at the config level, you would still be able to remove the config by unlocking it first.

nmanoogian avatar Apr 06 '23 12:04 nmanoogian

Hi @nmanoogian! Comments would be greatly appreciated, but would like to use the lock: image

In general when you use this feature in cloud resources, you need to first remove the lock and afterward you can update or delete the secret. We have a few secrets we want to place only in Doppler and nowhere else, and it would be costly if these would be lost due to a terraform mistake. A workflow would look like: Remove lock from code > run terraform > adjust config > run terraform > config deleted Current workflow is: adjust config > run terraform > config deleted

Lock would give some safety mechanisms on configs which are important.

a-nldisr avatar Apr 06 '23 12:04 a-nldisr

Ah, I see! Thank you for walking me through that. The strategy of needing to update the resource twice to perform a deletion makes sense. I'll pass this along to our product team!

nmanoogian avatar Apr 06 '23 12:04 nmanoogian