Using the data template_file
option leads to the secret being shown during the plan
command. I used uuidgen
to generate a random secret key.
export TF_VAR_secret_key=$(uuidgen)
data "template_file" "init" {
template = sensitive(file("${path.module}/init-yaml.tftpl"))
vars = {
secret_key = "${var.secret_key}"
}
}
resource "ibm_compute_vm_instance" "rendered" {
hostname = "${local.prefix}-rendered"
domain = var.domain
os_reference_code = var.os_reference_code
datacenter = "dal12"
network_speed = 1000
hourly_billing = true
local_disk = true
private_network_only = false
flavor_key_name = "BL2_2X8X100"
tags = local.tags
public_vlan_id = data.ibm_network_vlan.public.id
private_vlan_id = data.ibm_network_vlan.private.id
dedicated_acct_host_only = false
ipv6_enabled = true
ssh_key_ids = [data.ibm_compute_ssh_key.sshkey.id]
user_metadata = data.template_file.init.rendered
}
plan output
+ user_metadata = <<-EOT
#cloud-config
package_update: true
package_upgrade: true
runcmd:
- echo 24CF4CFA-98FF-43A7-A0C2-0A8E0F0C2AA0 | tee -a /root/secret_key_test
final_message: "The system is finally up, after $UPTIME seconds"
output: {all: '| tee -a /var/log/cloud-init-output.log'}
EOT
+ wait_time_minutes = 90
}
Plan: 2 to add, 0 to change, 1 to destroy.
Using the builtin templatefile
function. the play and apply show (sensitive value)
instead of showing the actual key.
resource "ibm_compute_vm_instance" "inline" {
hostname = "${local.prefix}-inline"
domain = var.domain
os_reference_code = var.os_reference_code
datacenter = "dal12"
network_speed = 1000
hourly_billing = true
local_disk = true
private_network_only = false
flavor_key_name = "BL2_2X8X100"
tags = local.tags
public_vlan_id = data.ibm_network_vlan.public.id
private_vlan_id = data.ibm_network_vlan.private.id
dedicated_acct_host_only = false
ipv6_enabled = true
ssh_key_ids = [data.ibm_compute_ssh_key.sshkey.id]
user_metadata = templatefile("${path.module}/init-yaml.tftpl", { secret_key = var.secret_key })
}
Plan output
+ resource_controller_url = (known after apply)
+ resource_name = (known after apply)
+ resource_status = (known after apply)
+ secondary_ip_addresses = (known after apply)
+ ssh_key_ids = [
+ 2175662,
]
+ tags = [
+ "owner:ryantiffany",
+ "provider:ibm",
+ "region:ca-tor",
]
+ user_metadata = (sensitive value)
+ wait_time_minutes = 90
}