terraform-provider-keyring


A terraform provider for leveraging local keyrings on all operating systems.

Installation

go get
go build

OS-specific installation examples follow, but please refer to the official Terraform Plugin Discovery documentation for where your Terraform version looks for plugins.

Linux / OSX:

cp terraform-provider-keyring ~/.terraform.d/plugins/

Windows:

copy terraform-provider-keyring %APPDATA%\terraform.d\plugins\

Usage

Hashicorp Vault

For an organization with many terraform projects that source the same secrets, you may want a 'bootstrap' project which developers run locally once, and then read that secret back from the keyring everywhere else. Here's an example sourcing a secret from Hashicorp Vault. It makes one remote call to the Vault service, then caches the secret in the developer's local keyring. Other terraform projects then need no remote calls to Vault and instead reference ${data.keyring_secret.example.secret}. Note that, like any resource argument, the value written by keyring_secret is also recorded in the bootstrap project's Terraform state, so keep that state local (or in a backend you would trust with the secret itself) and treat it as sensitive.

data "vault_generic_secret" "example" {
  path = "secret/example"
}

resource "keyring_secret" "example" {
  name   = "example"
  secret = "${data.vault_generic_secret.example.data["auth_token"]}"
}

data "keyring_secret" "example" {
  name = "${keyring_secret.example.name}"
}

Replacing file() and hard-coded secrets

Anywhere you use terraform's file() function to read a secret such as an SSH private key off disk can instead read it from the keyring through this provider, so the key no longer has to sit in a plain file that the configuration points at.

Before:

resource "null_resource" "example_sshable_instance" {
  connection {
    user        = "ubuntu"
    host        = "example.com"
    private_key = "${file("~/.ssh/id_rsa")}"
  }
}

After:

data "keyring_secret" "ssh" {
  name = "example"
}

resource "null_resource" "example_sshable_instance" {
  connection {
    user        = "ubuntu"
    host        = "example.com"
    private_key = "${data.keyring_secret.ssh.secret}"
  }
}

Inserting secrets into your keyring is OS/distribution specific. Here are some common ones:

GNOME Keyring

Installation of secret-tool (or equivalent GUIs like Seahorse) varies, but the majority of Linux distributions use GNOME Keyring for secrets storage. By default, most display managers unlock the default login keyring when you log in. In a headless or SSH session there is usually no unlocked keyring (and often no D-Bus session bus), so secret-tool, and therefore the provider, will fail there until one is unlocked.

Ubuntu:

sudo apt-get install -y libsecret-tools
secret-tool store --label=terraform id example

... when prompted, paste in your private key. secret-tool reads the secret from stdin rather than the command line, so a multi-line PEM key is stored intact and never appears in your shell history. --label=terraform defines the service label, which corresponds to the optional service field in the terraform provider. id example is the lookup attribute: the value example can be whatever you want, but it must match the name field in your terraform declaration.

OSX Keychain

OSX Keychain, using the login keychain (currently not configurable). Screenshots are omitted for brevity.

security add-generic-password -U -s terraform -a example -w <YOUR_PRIVATE_KEY>

... note that -s terraform defines the service name, which corresponds to the optional service field in the terraform provider. -a example (the account) can be whatever you want, but it must match the name field in your terraform declaration. -U updates an existing entry instead of failing on a duplicate. Passing the key after -w puts it in your shell history and the process list; put -w last with no value and security will prompt for it instead.

Windows Credential Manager

Since XP, Windows has shipped with a CLI (cmdkey) and a GUI for Windows Credential Manager.

cmdkey /generic:terraform /user:example /pass:<YOUR_PRIVATE_KEY>

... note that /generic:terraform defines the target (domain) name, which corresponds to the optional service field in the terraform provider. /user:example can be whatever you want, but it must match the name field in your terraform declaration. As with the macOS command, a value given on the command line lands in your console history, so clear it afterwards or enter the credential through the Credential Manager GUI instead.
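Because every entry above is keyed only by a free-form name, the usual failure is a name typo or a secret that was stored on one machine but not another: the data source then yields nothing and the problem surfaces late, as an empty private_key during an apply. The following pre-flight script is an added example, not part of this provider; it scans the project's .tf files for data "keyring_secret" blocks and confirms the local keyring holds a non-empty value for each name before terraform runs, using the same secret-tool attribute (id) and macOS service name (terraform) as the commands above. The KEYRING_SERVICE variable and the function names are this example's own conventions. The secret values are looked up but never printed.

```shell
#!/bin/sh
# keyring-preflight.sh: verify that every secret a Terraform project reads
# through the keyring provider is present in the local keyring.
# Usage: sh keyring-preflight.sh *.tf && terraform plan

# Print the `name` of every data "keyring_secret" block in the given .tf
# files, one per line. Names built by interpolation (e.g. the
# "${keyring_secret.example.name}" form used in the bootstrap project)
# cannot be resolved statically and are skipped.
keyring_names() {
  awk '
    /^[[:space:]]*data[[:space:]]+"keyring_secret"/ { inblk = 1; next }
    inblk && /^[[:space:]]*}/                        { inblk = 0; next }
    inblk && /^[[:space:]]*name[[:space:]]*=/ {
      if (index($0, "${") > 0) next          # interpolated name: skip
      sub(/^[^"]*"/, ""); sub(/".*$/, ""); print
    }
  ' "$@"
}

# Read one secret from the OS keyring with the same attribute/service names
# the manual commands above use. Prints the value on stdout; non-zero exit
# when the entry does not exist. KEYRING_SERVICE is this script's own knob
# for the macOS service name (default "terraform").
keyring_lookup() {
  case "$(uname -s)" in
    Linux)  secret-tool lookup id "$1" ;;
    Darwin) security find-generic-password \
              -s "${KEYRING_SERVICE:-terraform}" -a "$1" -w 2>/dev/null ;;
    *)      echo "keyring_lookup: no lookup implemented for $(uname -s)" >&2
            return 2 ;;
  esac
}

# Check every referenced name. A status line per name goes to stderr; the
# names that are missing (or empty) go to stdout, one per line, so a wrapper
# can act on them. Exit status is non-zero if anything was missing.
check_secrets() {
  rc=0
  for name in $(keyring_names "$@"); do
    if value=$(keyring_lookup "$name") && [ -n "$value" ]; then
      printf 'ok       %s\n' "$name" >&2
    else
      printf 'MISSING  %s\n' "$name" >&2
      echo "$name"
      rc=1
    fi
  done
  unset value          # do not leave the last secret in the environment
  return $rc
}

# Run as a script: check the files named on the command line.
if [ "$#" -gt 0 ]; then
  check_secrets "$@" >/dev/null || exit 1
fi
```

Run it from the project directory before terraform plan; the non-zero exit makes it usable as a guard in a Makefile or wrapper script. On Windows the same idea applies with cmdkey /list, but that is not driven from a POSIX shell here.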