2
votes

I know that you can pass general secrets to a resource through terraform variables. Is there a way to configure secrets which change at the resource level?

Specifically, I'm using terraform as a back-end to an app which allows users to set up a server with a password. That password is different for each server. Is there some way to set something like self.password for a single instance so that it:

  1. Is not visible in the github repo where I track the terraform files

and

  2. Can be changed for each individual instance

Right now I'm just going to be creating terraform files like password=var.{unique_id}_password but it feels like there should be a better way.

More detail on the use-case:

I have a web application to provision servers for users running another web app. The password for that server is set up by my application. The password is configured right now using a set-up script that I would like to port to terraform.

The passwords change for each server because a user can set the password for their server only, and that variable should not affect other resources.

Here's a super-simplified version of the expected output when a user tries to provision a server:

# new-server.tf
# Illustrative only: how the per-server password gets into this file is the open question.
resource "digitalocean_droplet" "new_server" {
  name     = "new_server"
  password = "${var.get_the_password_somehow}"

  provisioner "remote-exec" {
    inline = [
      "set-password ${self.password}"
    ]
  }
}
1
Can you clarify what you mean by "Can be changed for each individual instance"? I am confused about your end goal. Maybe illustrate more where the secret data currently comes from and how you assign them to resources. - Andy Shinn
Sure: The short version is that the infrastructure is provisioned dynamically from a web application where users can set the password via a web form. Then that password is used in a set-up script when provisioning the resource. Updating the post now with more detail - Ben Muschol
FWIW: I know the other potential solution is to have some server-side secret and then to send the password via an API call to the other server, authenticated via that secret. But I would prefer to utilize terraform if possible - Ben Muschol
How are you going to be calling the Terraform configurations? If it's a server-side script executed by your web app you should be able to ask the user for a password and then pass it to the config on execution with -var="password=<user_input>" - Scott Heath
You can't use a variable: terraform apply -var="password=abcd123"? - oktapodia
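The pattern the comments converge on, as an added example that is not part of the question or of the Terraform and DigitalOcean projects: one configuration, instantiated once per server with a Terraform workspace, where the per-server password is declared as a sensitive input variable and supplied by the provisioning backend at apply time rather than written into any .tf file. The image, region, size, the SSH key path and the `set-password` script are assumptions; digitalocean_droplet has no `password` argument, so the question's `password = ...` line becomes a variable that only the provisioner reads.

```hcl
# Added example (not from the question, Terraform or DigitalOcean):
# per-server password supplied at apply time, never committed.

terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

# Per-instance inputs. None of these values live in the repo: the web app's
# backend passes them with -var or TF_VAR_* environment variables.
variable "server_name" {
  type = string
}

variable "server_password" {
  type      = string
  sensitive = true # redacted from plan/apply output (Terraform >= 0.14)
}

variable "ssh_key_fingerprint" {
  type = string
}

resource "digitalocean_droplet" "server" {
  name     = var.server_name
  image    = "ubuntu-22-04-x64" # assumption
  region   = "nyc3"             # assumption
  size     = "s-1vcpu-1gb"      # assumption
  ssh_keys = [var.ssh_key_fingerprint]

  # The password is not a resource attribute, so it is not recorded in state;
  # it only travels over the SSH session to the new droplet.
  provisioner "remote-exec" {
    connection {
      type        = "ssh"
      host        = self.ipv4_address
      user        = "root"
      private_key = file(pathexpand("~/.ssh/provisioning_key")) # assumption
    }
    inline = [
      # "set-password" is the question's hypothetical script. The replace()
      # wraps the value in single quotes so shell metacharacters stay literal.
      "set-password '${replace(var.server_password, "'", "'\\''")}'",
    ]
  }
}
```

The backend then runs something like `terraform workspace new <unique_id>` followed by `TF_VAR_server_password=<user input> terraform apply -var="server_name=<unique_id>" -var="ssh_key_fingerprint=..."`; each workspace keeps its own state, so one user's password can be changed with another apply without touching anyone else's droplet. Passing the secret through `TF_VAR_*` rather than `-var=` keeps it out of shell history and process listings that show arguments. Two caveats: if the value is later fed into a resource argument such as `user_data` it will be stored in the state file, so the state backend must be treated as secret, and a saved plan (`terraform plan -out`) records variable values, including sensitive ones, so plan files need the same handling.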

1 Answer

0
votes

You can use the random_password provider to generate a random string. Reference: https://www.terraform.io/docs/providers/random/r/password.html

Not sure if your use case requires management or storage of the password, but that is also possible depending on your needs. I see that you are using DO for provisioning resources.

Maybe you can put HashiCorp Vault in place to manage the randomly generated passwords. I'm an AWS guy, so I would stick the password in Secrets Manager.
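An added example of the answer's suggestion, not code from the answer or from the random and Vault providers' documentation: generate one password per server with `random_password` and write it to a Vault KV v2 path keyed by the server id, so the web app can read it back from Vault instead of from a .tf or tfvars file. The Vault mount name `secret`, the path layout and the `server_id` variable are assumptions.

```hcl
# Added example (not from the answer): per-server generated password
# stored in Vault KV v2 rather than in any versioned file.

terraform {
  required_providers {
    random = { source = "hashicorp/random" }
    vault  = { source = "hashicorp/vault" }
  }
}

variable "server_id" {
  type = string # per-instance id passed in by the provisioning backend
}

resource "random_password" "server" {
  length           = 24
  special          = true
  override_special = "!#%&*+-=?@^_" # skip characters that are awkward in shells and URLs
}

resource "vault_kv_secret_v2" "server_password" {
  mount = "secret" # assumption: a KV v2 engine mounted at secret/
  name  = "servers/${var.server_id}/password"
  data_json = jsonencode({
    password = random_password.server.result
  })
}

# Where the web app (or the provisioner of the droplet) reads it back from.
output "vault_path" {
  value = "secret/data/${vault_kv_secret_v2.server_password.name}"
}
```

`random_password.server.result` is marked sensitive by the provider, so it is redacted from plan output, but it is still persisted in Terraform state; a remote state backend with encryption at rest and tight access control is the real protection there. For the question's case, where the user chooses the password, the `random_password` resource is replaced by a sensitive input variable and the Vault write stays the same; regenerating a password later is a matter of adding a `keepers` map to `random_password` and changing a value in it.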