Terragrunt: handling secrets provided by the variables.
I am not sure if this is a feature request or a question.
Some of the variables to our modules are secrets that should not be commited to git.
Using TF_ env variables is to not an option (I need to access any secret for any module instance).
My working approach is to use gruntkms to encrypt the secret and it to the tfvars file.
Then, before running the terragrunt command I decrypt the file.
Could this somehow be integrated into the terragrunt? Or some similar way?
fieldawarepiotr
All 8 comments
Using TF_ env variables is to not an option (I need to access any secret for any module instance).
Can you expand on this a bit more?
brikis98
on 20 Sep 2018
I intend to run terragrunt on CI/CD.
We use the same module multiple times with different arguments (regions, names etc.)
Let's take a variable var.master_password.
The content of that variable will vary from one module instantiation to other.
When running on CI, I'd have to do a lot conditional logic to provide the right TF_master_password variable.
fieldawarepiotr
on 20 Sep 2018
Oh, I gotcha. I wonder if you could do this with Terragrunt hooks? That is, in a before hook, run the .tfvars file through gruntkms?
brikis98
on 20 Sep 2018
I didn't know that exists. Thanks, i'll try it.
fieldawarepiotr
on 20 Sep 2018
My initial approach
before_hook "before_hook_decrypt" {
commands = ["apply", "plan"]
execute = ["cat {LONG_ABSOLUTE_PATH/TOMODULE}/terraform.tfvars | gruntkms decrypt --aws-region=eu-west-1 >{LONG_ABSOLUTE_PATH/TOMODULE}//terraform.tfvars"]
run_on_error = true
}
after_hook "after_hook_decrypt" {
commands = ["apply", "plan"]
execute = ["git checkout {LONG_ABSOLUTE_PATH/TOMODULE}//terraform.tfvars"]
run_on_error = true
}
I saw in documentation, that there are some magic functions that could help me with pointing to terraform.tfvars in question. But I can't find anything helpful. Any hints with it?
fieldawarepiotr
on 20 Sep 2018
fieldawarepiotr
on 20 Sep 2018
This combination works:
before_hook "decrypt_secret_vars" {
commands = ["apply", "plan"]
execute = ["cat ${get_tfvars_dir()}/terraform.tfvars | gruntkms decrypt --aws-region=eu-west-1 > ${get_tfvars_dir()}/terraform.tfvars"]
run_on_error = true
}
after_hook "checkout_tfvars_back" {
commands = ["apply", "plan"]
execute = ["git checkout ${get_tfvars_dir()}/terraform.tfvars"]
run_on_error = true
}
master_password = "kmscrypt::AQICAHhByZffSBtMjQxQ1X/V5CFpjkx3TYwugc539zAH/fcShAG4a0Lbv4UUYChjVuCBh+M9AAAAYTBfBgkqhkiG9w0BBwagUjBQAgEAMEsGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMprJ8NiwIfcTRFU4jAgEQgB6AWExrk89ywNEzkCs4CjeEOavjA0dr+V7A8X+RWlo="
The last problem is how to prevent from git checkout on stuff that shouldn't be changed. But this is out of the scope for this issue.
Thank you!
fieldawarepiotr
on 20 Sep 2018
Instead of overwriting terraform.tfvars in the before_hook, you could generate secret.auto.tfvars into the same folder and then delete it in the after_hook (you use .auto.tfvars so it gets picked up automatically). Your .gitignore could include secret.auto.tfvars.
brikis98
on 20 Sep 2018
Related issues
jtai-omniex
路
3Comments
geekifier
路
3Comments
shaharmor
路
3Comments
dingobar
路
3Comments
jeffdyke
路
3Comments
Most helpful comment
This combination works:
The last problem is how to prevent from
git checkouton stuff that shouldn't be changed. But this is out of the scope for this issue.Thank you!