Atlantis: Is there an example of obscuring sensitive values in Atlantis workflow?

Created on 12 Feb 2019 · 2 comments · Source: runatlantis/atlantis

I'm fairly new to Terraform and very new to Atlantis, so please bear with me if I ask about things that are obvious to experienced users.

I've just done the test drive, so I grasped how Atlantis works and am willing to introduce it to our workflow.

By the way, the test drive experience was a hell of a way to demo! 👏

And I understand that in order to _plan_ and _apply_ I need to push the .tf/.tfvars and whatever other necessary files into a repo and make a PR to work further.

And I just asked myself: "How can I let Atlantis know about sensitive data via Terraform variables without committing the actual (plain-text) data, either by reading it from somewhere or by obscuring the data? I don't want to store that sensitive data in a git(hub) repo that many random team members can access at any time."

So I've looked at the guide and docs, but I wasn't able to find anything similar there yet.

One thing I assumed should work is injecting that data as ENV VARS when I spin up Atlantis. For example, TF_VAR_my_secret.

And since I still don't know what would be considered best practice to achieve this, and I'm also curious how other folks deal with similar issues, I'd like to hear your opinions!

question

All 2 comments

Hi Heechul,
Yes this is a very good question.

  1. If you're talking about secrets like AWS (or other cloud) credentials, people will set these as environment variables where they're running the atlantis server.

  2. For other secrets that might be needed on a per-project basis, there's not as good an answer. Some people are storing these secrets in HashiCorp vault and then using the vault provider to populate a data variable:

```hcl
provider "vault" {
  # ... (Vault address and auth settings omitted in the original)
}

# Reads the secret stored at `path`; its key/value pairs are exposed under `.data`
data "vault_generic_secret" "secret" {
  path = "path"
}

provider "vsphere" {
  # Index the secret's `data` map, not the data source itself
  password = "${data.vault_generic_secret.secret.data["password"]}"
}
```

    You could do the same thing by storing the secret in AWS's secret manager and then using the aws_secretsmanager_secret_version data source (https://www.terraform.io/docs/providers/aws/d/secretsmanager_secret_version.html).

  3. You could use a custom run step to retrieve a secret from somewhere, set it as a `TF_VAR_` environment variable and then execute the terraform plan:
    ```yaml
    version: 2
    projects:
    - dir: .
      workflow: custom
    workflows:
      custom:
        plan:
          steps:
          - init
          # the script is expected to export TF_VAR_* variables into this shell
          - run: source ./my-script-to-retrieve-secrets.sh && terraform plan -input=false -refresh -no-color -out $PLANFILE
    ```

Let me know if that's helpful.

> by the way the test drive experience was a hell of a way to demo! 👏

Thanks so much! Great to hear it 😃
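Point 3 of the answer above leaves the secret-fetching script unspecified. What follows is an added example of what such a script can look like; it is not Atlantis project code, and the file name, the `db_password` key and the `my_secret` variable name are assumptions. The secret backend is simulated with a constructed key=value file so the script runs offline; in practice the body of `fetch_secret` would call `vault kv get` or `aws secretsmanager get-secret-value`. The points it demonstrates: the value is exported as `TF_VAR_<name>` for Terraform to pick up, the step fails closed on a missing or empty secret, and the value itself is never written to stdout or stderr, because Atlantis posts the output of `run` steps back to the pull request.

```shell
#!/bin/sh
# my-script-to-retrieve-secrets.sh (hypothetical name taken from the run step above).
# Added example, not code from the Atlantis project.
set -eu
set +x   # never let shell tracing echo secret values into Atlantis logs or PR comments

# Assumption: the secret store is a key=value file, constructed here for an offline demo.
# Replace fetch_secret's body with your real backend in production, e.g.
#   vault kv get -field="$1" secret/atlantis/myproject
#   aws secretsmanager get-secret-value --secret-id "$1" --query SecretString --output text
SECRET_STORE="${SECRET_STORE:-$(mktemp)}"
printf 'db_password=s3cr3t-value\napi_token=\n' > "$SECRET_STORE"   # api_token deliberately empty
chmod 600 "$SECRET_STORE"

# fetch_secret KEY -> prints the value for KEY; returns 1 if the key is missing or empty.
# Only the key name is ever logged, never the value.
fetch_secret() {
  key="$1"
  value="$(sed -n "s/^${key}=//p" "$SECRET_STORE" | head -n 1)"
  if [ -z "$value" ]; then
    echo "secret '${key}' is missing or empty; refusing to continue" >&2
    return 1
  fi
  printf '%s' "$value"
}

# export_tf_var VARNAME KEY -> exports TF_VAR_VARNAME=<value of secret KEY>
# so that `terraform plan` sees it as the input variable VARNAME.
export_tf_var() {
  var="$1"
  key="$2"
  val="$(fetch_secret "$key")" || return 1
  export "TF_VAR_${var}=${val}"
  echo "exported TF_VAR_${var} (${#val} chars)" >&2   # length only, not the value
}

# Usage, as the Atlantis run step would do before `terraform plan`:
#   . ./my-script-to-retrieve-secrets.sh && terraform plan -input=false -out $PLANFILE
export_tf_var my_secret db_password
```

Two caveats. Atlantis executes `run` steps through `sh -c`, so the POSIX `. ./script` form is safer than bash's `source` if the image's `sh` is not bash. And this only keeps the value out of the repo and the step output: Terraform itself still prints the variable wherever it flows into a non-sensitive attribute, and `sensitive = true` on input variables only arrived in Terraform 0.14, so review the plan comment Atlantis posts before relying on it.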

Thanks! Your answer is pretty helpful!

I will try what you suggested and will let you know if I encounter any problems.
