1
votes

I am automating my terraform script in a GitHub Workflow

In my terraform script, I have a sensitive output variable like this:

output "db_password" {
  value = aws_db_instance.db.password
  description = "The password for logging in to the database."
  sensitive = true
}

I am deploying (terraform apply) the script in a GitHub Actions workflow. After a successful deployment, I need to store the password in secured storage (Azure Key Vault). I have a bash command to do that.

I need to have the value of the db_password in an environment variable.

How can I assign the value of a sensitive output variable to an environment variable?

Is there a better way of doing this?


1 Answer

1
votes

I suggest using terraform output after terraform apply. You can then store the output in a Bash/shell variable or a file without it being printed out.

e.g.

terraform apply # as before
MY_SECRET=$(terraform output -raw db_password)   # -raw prints the bare value; without it Terraform 0.14+ prints it quoted
azureInterface keyvault store "$MY_SECRET" # a totally made-up line, no clue about Azure

The drawback is that the value might:

  • show up in the console output of the last command
  • be visible in ps as a command-line argument

So a revised solution is to store it in a temporary file:

CREDENTIALS=$(mktemp -t tmp.XXXXXXXXXX)   # mktemp creates the file with mode 0600, readable only by this user
terraform output -raw db_password >"$CREDENTIALS"   # value goes to the file, never onto a command line
# and now use the $CREDENTIALS file as input to Azure
rm -f "$CREDENTIALS"   # a plain file: -f is enough, -r is only for directories
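The temp-file approach above, carried through to the GitHub Actions side of the question, as an added example that is not part of the original answer. It pulls the sensitive output into a 0600 temp file, masks the value in the job log with the runner's ::add-mask:: workflow command, and hands it to later steps through the GITHUB_ENV file rather than through a command line; the Key Vault upload uses az keyvault secret set --file so the value again stays off argv. The terraform function at the top is a constructed stand-in for the real binary so the script runs offline (delete it in a real workflow); the vault and secret names, the function names and the sample password are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the original answer's code): move a sensitive Terraform
# output into a GitHub Actions job without exposing it in logs or in argv.
set -eu

# Constructed stand-in for `terraform output -raw NAME` so this runs offline.
# Remove this function in a real workflow; the terraform binary is used instead.
terraform() {
  if [ "${1:-}" = "output" ] && [ "${2:-}" = "-raw" ] && [ "${3:-}" = "db_password" ]; then
    printf 's3cr3t-p@ss'        # sample value, constructed for the demo
  else
    echo "unexpected terraform invocation: $*" >&2
    return 1
  fi
}

# Write the raw value of output NAME to a private temp file and print the path.
# mktemp creates the file 0600; the value never appears in argv or on stdout.
fetch_output_to_file() {
  name="$1"
  file=$(mktemp "${TMPDIR:-/tmp}/tfout.XXXXXXXXXX")
  terraform output -raw "$name" > "$file" || { rm -f "$file"; return 1; }
  echo "$file"
}

# Make the value available to later steps as $VAR. The ::add-mask:: line is
# consumed by the Actions runner (not echoed to the log) and causes every later
# occurrence of the value in the log to be replaced by ***. GITHUB_ENV is the
# file the runner reads to populate the environment of subsequent steps.
# Assumes a single-line value; multi-line values need GITHUB_ENV's heredoc form.
export_to_github_env() {
  file="$1"
  var="$2"
  : "${GITHUB_ENV:?GITHUB_ENV is set by the Actions runner}"
  value=$(cat "$file")
  printf '::add-mask::%s\n' "$value"
  printf '%s=%s\n' "$var" "$value" >> "$GITHUB_ENV"
}

# Upload the file's contents as a Key Vault secret. --file keeps the value off
# the command line (assumed flag of `az keyvault secret set`; vault and secret
# names are placeholders). Not invoked in the offline demo.
store_in_keyvault() {
  file="$1"
  az keyvault secret set --vault-name "my-vault" --name "db-password" --file "$file"
}
```

Typical use inside one workflow step, after terraform apply: CRED_FILE=$(fetch_output_to_file db_password); trap 'rm -f "$CRED_FILE"' EXIT; store_in_keyvault "$CRED_FILE"; export_to_github_env "$CRED_FILE" DB_PASSWORD. Later steps then see $DB_PASSWORD, and the log shows *** wherever the value would have appeared.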