terraform-provider-oci
No way to read vault secret data
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
There is no way to read vault secret data from the vault service; all the resources and data sources only provide a way to retrieve useless metadata. Currently I have to use a Python hook:
import oci
from base64 import b64decode

def _get_secret_bundle_client(oci_config):
    # Assumed implementation: the OCI Python SDK Secrets client, which serves secret bundles
    return oci.secrets.SecretsClient(oci_config)

def _get_secret_data(oci_config, secret):
    secret_bundle_client = _get_secret_bundle_client(oci_config)
    secret_bundle_response = secret_bundle_client.get_secret_bundle(secret_id=secret.id)
    if secret_bundle_response.status == 200:
        # The bundle content is base64-encoded; decode it to the plaintext secret
        return b64decode(secret_bundle_response.data.secret_bundle_content.content).decode()
    else:
        raise ValueError("Something went wrong during secret data get")
New or Affected Resource(s)
- oci_vault_secret_bundle
- oci_vault_secret
Potential Terraform Configuration
data "oci_vault_secret_bundle" "test_secret_bundle" {
  # Required
  secret_id = oci_vault_secret.test_secret.id
}
// data.oci_vault_secret_bundle.test_secret_bundle.data == "c29tZV9zdXBlcl9zZWNyZXQ="
References
https://registry.terraform.io/providers/hashicorp/oci/latest/docs/data-sources/vault_secret
Hi @ITD27M01 -- Fetching secret data in Terraform has been intentionally omitted. This is because it is a security concern: implementing secrets in Terraform results in secret content being stored in the Terraform state file.
Hi @varmax2511
Due to the lack of such functionality, are there any suggestions for dealing with sensitive params in Terraform configuration? For example, oci_load_balancer_certificate [1] and oci_core_ipsec_connection_tunnel_management [2] have such params as private_key and shared_secret, and we need a way to pass these values in a secure way.
[1] https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/load_balancer_certificate
[2] https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/core_ipsec_connection_tunnel_management
Issues #1226 and #1266 (possibly others?) have asked this same question. In both of those, the same response "this would allow sensitive data in the state file; so 'no'" was offered. Then and now I have yet to see a rationale for why only this specific case, secret bundles of "sensitive" information in the state file, is excluded.
There are numerous other instances of sensitive data in the state for OCI as well as other providers (see issue #1266 for examples). In OCI we see database SYS passwords and TLS certificate private keys stored there to name a couple. Certainly the lesson is "protect the state file" whether Terraform is used across multiple providers or for OCI only.
Until then, suggesting that secret bundles alone are prohibited "for security" may leave a false impression that the state file doesn't contain sensitive information. Knowing that isn't true, it seems reasonable to me that secret bundles also be allowed like the other examples of sensitive information while simply emphasizing the same general warning to "protect the state file."
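As an added example (not code from this issue or from the provider), the audit the comment above implies: walk a Terraform state file and list the plaintext attributes that are already stored there, using the attribute names this thread cites (admin_password, private_key, shared_secret). The state document and its values are constructed placeholders.

```python
import json

# Attribute names the thread cites as already stored in OCI state:
# admin_password (oci_database_db_system), private_key
# (oci_load_balancer_certificate), shared_secret
# (oci_core_ipsec_connection_tunnel_management).
SENSITIVE_KEYS = {"admin_password", "private_key", "shared_secret"}

# Constructed terraform.tfstate (format version 4) with placeholder values;
# nested blocks are stored as lists of objects, as Terraform writes them.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "oci_database_db_system", "name": "MYdb",
         "instances": [{"attributes": {
             "cpu_core_count": 2,
             "db_home": [{"database": [{"admin_password": "PLACEHOLDER_PW"}]}]}}]},
        {"mode": "managed", "type": "oci_load_balancer_certificate", "name": "lb",
         "instances": [{"attributes": {"private_key": "PLACEHOLDER_PEM"}}]},
        {"mode": "data", "type": "oci_vault_secret", "name": "test_secret",
         "instances": [{"attributes": {"secret_name": "db-pw", "lifecycle_state": "ACTIVE"}}]},
    ],
})

def _walk(value, path, hits):
    """Recurse through dicts/lists, recording the path of every sensitive key."""
    if isinstance(value, dict):
        for key, child in value.items():
            if key in SENSITIVE_KEYS and isinstance(child, str):
                hits.append(".".join(path + [key]))
            _walk(child, path + [key], hits)
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            _walk(child, path + [str(idx)], hits)

def find_sensitive_attributes(state_json):
    """Return the addresses of plaintext sensitive attributes in a state file."""
    state = json.loads(state_json)
    hits = []
    for res in state.get("resources", []):
        prefix = ("data." if res["mode"] == "data" else "") + f'{res["type"]}.{res["name"]}'
        for idx, inst in enumerate(res.get("instances", [])):
            addr = prefix if len(res["instances"]) == 1 else f"{prefix}[{idx}]"
            _walk(inst.get("attributes", {}), [addr], hits)
    return hits

if __name__ == "__main__":
    for hit in find_sensitive_attributes(SAMPLE_STATE):
        print(hit)
```

The metadata-only oci_vault_secret data source produces no hit, while the database password and TLS private key do, which is the point the comment makes about what state already holds.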
Also, it would be nice to read the secret value from the vault in order to use it as a "private" variable. For example, on OCI when you create a database, the sys/system password could be entered from a vault secret, and I think that the data is not kept in the state file. For example:
data "oci_vault_secret" "test_secret" {
  secret_id = var.mysecret
}

resource "oci_database_db_system" "MYdb" {
  availability_domain     = data.template_file.ad_names.0.rendered
  compartment_id          = oci_identity_compartment.Database_compartment.id
  cpu_core_count          = "2"
  data_storage_percentage = "80"
  data_storage_size_in_gb = "256"
  database_edition        = "STANDARD_EDITION"
  db_home {
    database {
      admin_password = data.oci_vault_secret.test_secret.base64value # << for example
    }
  }
}
Agree. This is how people use secrets in AWS: save the secret in a vault and then read the value out to provision other resources in Terraform, which is a must-have feature.
We are very sorry that we couldn't respond to each and every issue reported on GitHub. Although we have refined the process to prioritize customer issues on GitHub, since this issue was reported a while ago, there is a good chance it may have been fixed in the latest version of Terraform Provider OCI.
If you are still experiencing this issue, please create a new issue and label it as Bug.