
[Enhancement]: Support ephemeral values in terraform 1.10.0 #2373

Open
xeivieni opened this issue Nov 29, 2024 · 2 comments

Comments


xeivieni commented Nov 29, 2024

Description

Terraform released ephemeral values in the latest 1.10.0, which would be really useful when dealing with Vault secrets, avoiding having them stored in the state.
Here is the documentation of the feature: https://www.hashicorp.com/blog/terraform-1-10-improves-handling-secrets-in-state-with-ephemeral-values

Any chance we could see this in the near future on the provider?

Affected Resource(s) and/or Data Source(s)

vault_generic_secret

Potential Terraform Configuration

No response

References

https://www.hashicorp.com/blog/terraform-1-10-improves-handling-secrets-in-state-with-ephemeral-values

Would you like to implement a fix?

None


Freddo3000 commented Dec 19, 2024

While vault_generic_secret can emulate basically all cases, it would be useful to have the other data sources and resources available as well. I'd suggest the following candidates:

  • Data sources
    • vault_aws_access_credentials
    • vault_aws_static_credentials
    • vault_azure_access_credentials
    • vault_generic_secret
    • vault_kubernetes_service_account_token
    • vault_kv_secret if including support for KV v1
    • vault_kv_secrets_list
    • vault_kv_secret_v2
    • vault_kv_secrets_list_v2
    • vault_kv_subkeys_v2
    • vault_ldap_dynamic_credentials
    • vault_ldap_static_credentials
    • vault_nomad_access_token
    • vault_transform_decode
    • vault_transit_decrypt
  • Resources
    • vault_generic_endpoint
    • vault_generic_secret
    • vault_pki_secret_backend_cert
    • vault_pki_secret_backend_sign
    • vault_token

and probably some others that I might've missed. These are the ones I've come across that either have a TTL, such as tokens/certs, or are static in nature, such as KV.


mbounaceur commented Dec 31, 2024

+1. It can be a killer feature.

Here is a use case where ephemeral could save me:

resource "vault_kv_secret_v2" "secrets" {
  for_each = { for env in var.branches : env => env }

  mount     = "test"
  name      = "test/${each.key}"
  # Merge whatever already exists at the path (read through the
  # data.vault_kv_secret_v2.existing_secrets data source, which is declared
  # elsewhere in the configuration and not shown here) with a placeholder for
  # every expected key that is still missing, so manually added values survive.
  data_json = jsonencode(
    merge(
      try(data.vault_kv_secret_v2.existing_secrets[each.key].data, {}),
      { for key in var.secrets_keys : key => lookup(
        try(data.vault_kv_secret_v2.existing_secrets[each.key].data, {}),
        key,
        "PLACEHOLDER"
      ) }
    )
  )
}

I populate my secret manually outside Terraform. But if I run Terraform a second time, it will not recognize my secret and will erase it.
Logically, I don't want to see the secrets I previously added deleted. If I use a data source, my secret will not be destroyed, but the problem is that it will be stored in the tfstate, and I want to avoid that.

Using ephemeral data for retrieving secrets without storing them in the tfstate would be the perfect solution.

Maybe my method is wrong, but I know that supporting ephemeral data and resources can really be a killer feature and will be useful for many people.
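To make the state exposure described above concrete, here is an added example (not part of the issue or of the provider) that audits a Terraform state file for Vault data-source instances whose secret attributes were persisted; Terraform writes state in plain text regardless of `sensitive` marking, so anything a data source returns ends up on disk or in the backend. The state document and the secret values in it are constructed for illustration; in practice the function would be fed the output of `terraform state pull`.

```python
import json

# Constructed sample state (Terraform state format v4), not taken from the issue. It
# mirrors the post's pattern: the vault_kv_secret_v2 data source read at plan time
# lands in state together with the secret material Vault returned.
SAMPLE_STATE = json.dumps({"version": 4, "terraform_version": "1.10.0", "resources": [
    {"mode": "data", "type": "vault_kv_secret_v2", "name": "existing_secrets",
     "instances": [
         {"index_key": "main", "attributes": {"mount": "test", "name": "test/main",
          "data": {"db_password": "hunter2"},
          "data_json": "{\"db_password\":\"hunter2\"}"}},
         {"index_key": "staging", "attributes": {"mount": "test",  # empty path: no leak
          "name": "test/staging", "data": {}, "data_json": "{}"}}]},
    {"mode": "managed", "type": "vault_kv_secret_v2", "name": "secrets",
     "instances": [{"index_key": "main", "attributes": {"mount": "test", "name": "test/main"}}]},
]})

SECRET_ATTRS = ("data", "data_json")  # data-source attributes that carry the secret


def _holds_secret(value):
    """True when the attribute actually contains material: a non-empty map or JSON object."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            return bool(value)
    return bool(value)


def find_persisted_secrets(state_text):
    """Return (address, attribute) pairs for every Vault data-source instance whose
    secret attributes sit in the state file. Managed resources are skipped: their
    data_json is configuration input, not a read that an ephemeral source could avoid."""
    state = json.loads(state_text)
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "data" or not res.get("type", "").startswith("vault_"):
            continue
        for inst in res.get("instances", []):
            addr = f"data.{res['type']}.{res['name']}"
            if "index_key" in inst:  # for_each keys are strings, count keys are ints
                addr += f"[{json.dumps(inst['index_key'])}]"
            for attr in SECRET_ATTRS:
                if _holds_secret(inst.get("attributes", {}).get(attr)):
                    findings.append((addr, attr))
    return findings
```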
