
@greyhoundforty
Last active May 11, 2023 11:29
Terraform data template_file vs templatefile

Does not work

Using the template_file data source leads to the secret being shown in clear text in the plan output. I used uuidgen to generate a random secret key.

export TF_VAR_secret_key=$(uuidgen)

# Wrapping the template in sensitive() does not help: the data source's
# rendered attribute comes back from the provider without the sensitive mark.
data "template_file" "init" {
  template = sensitive(file("${path.module}/init-yaml.tftpl"))
  vars = {
    secret_key = var.secret_key
  }
}

resource "ibm_compute_vm_instance" "rendered" {
  hostname                 = "${local.prefix}-rendered"
  domain                   = var.domain
  os_reference_code        = var.os_reference_code
  datacenter               = "dal12"
  network_speed            = 1000
  hourly_billing           = true
  local_disk               = true
  private_network_only     = false
  flavor_key_name          = "BL2_2X8X100"
  tags                     = local.tags
  public_vlan_id           = data.ibm_network_vlan.public.id
  private_vlan_id          = data.ibm_network_vlan.private.id
  dedicated_acct_host_only = false
  ipv6_enabled             = true
  ssh_key_ids              = [data.ibm_compute_ssh_key.sshkey.id]
  user_metadata            = data.template_file.init.rendered
}

Plan output

      + user_metadata              = <<-EOT
            #cloud-config
            package_update: true
            package_upgrade: true
            runcmd:
                - echo 24CF4CFA-98FF-43A7-A0C2-0A8E0F0C2AA0 | tee -a /root/secret_key_test
            final_message: "The system is finally up, after $UPTIME seconds"
            output: {all: '| tee -a /var/log/cloud-init-output.log'}
        EOT
      + wait_time_minutes          = 90
    }

Plan: 2 to add, 0 to change, 1 to destroy.

Does work

Using the built-in templatefile function, the plan and apply show (sensitive value) instead of the actual key.

resource "ibm_compute_vm_instance" "inline" {
  hostname                 = "${local.prefix}-inline"
  domain                   = var.domain
  os_reference_code        = var.os_reference_code
  datacenter               = "dal12"
  network_speed            = 1000
  hourly_billing           = true
  local_disk               = true
  private_network_only     = false
  flavor_key_name          = "BL2_2X8X100"
  tags                     = local.tags
  public_vlan_id           = data.ibm_network_vlan.public.id
  private_vlan_id          = data.ibm_network_vlan.private.id
  dedicated_acct_host_only = false
  ipv6_enabled             = true
  ssh_key_ids              = [data.ibm_compute_ssh_key.sshkey.id]
  user_metadata            = templatefile("${path.module}/init-yaml.tftpl", { secret_key = var.secret_key })
}

Plan output

      + resource_controller_url    = (known after apply)
      + resource_name              = (known after apply)
      + resource_status            = (known after apply)
      + secondary_ip_addresses     = (known after apply)
      + ssh_key_ids                = [
          + 2175662,
        ]
      + tags                       = [
          + "owner:ryantiffany",
          + "provider:ibm",
          + "region:ca-tor",
        ]
      + user_metadata              = (sensitive value)
      + wait_time_minutes          = 90
    }
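As an added check that is not part of the gist: a script that scans the machine-readable plan (`terraform show -json tfplan`) for a known secret value that is not marked sensitive, so CI can catch the template_file case before the plan text is printed or stored. The plan JSON below is a constructed, trimmed imitation of the two instances above, not real Terraform output.

```python
import json

SECRET = "24CF4CFA-98FF-43A7-A0C2-0A8E0F0C2AA0"  # the uuidgen value shown in clear in the gist's first plan
USER_DATA = "#cloud-config\nruncmd:\n  - echo %s | tee -a /root/secret_key_test\n" % SECRET

# Constructed, cut-down imitation of `terraform show -json tfplan` for the two instances above.
# Terraform keeps sensitive values in clear in `after`; only `after_sensitive` marks them.
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "ibm_compute_vm_instance.rendered",
     "change": {"actions": ["create"], "after": {"user_metadata": USER_DATA},
                "after_sensitive": {}}},                       # data source dropped the mark
    {"address": "ibm_compute_vm_instance.inline",
     "change": {"actions": ["create"], "after": {"user_metadata": USER_DATA},
                "after_sensitive": {"user_metadata": True}}},  # templatefile kept it
]})

def _leaves(value, path=()):
    """Yield (path, scalar) for every leaf in a nested JSON value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _leaves(v, path + (k,))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _leaves(v, path + (i,))
    else:
        yield path, value

def _marked_sensitive(marks, path):
    """Follow `path` into an after_sensitive tree; a bare `true` covers its whole subtree."""
    for key in path:
        if marks is True:
            return True
        if isinstance(marks, dict):
            marks = marks.get(key)
        elif isinstance(marks, list) and isinstance(key, int) and key < len(marks):
            marks = marks[key]
        else:
            return False
    return marks is True

def find_leaks(plan_json, secret):
    """'address.attribute' for each value containing `secret` that the plan would print in clear."""
    leaks = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        for path, leaf in _leaves(change.get("after") or {}):
            if isinstance(leaf, str) and secret in leaf and not _marked_sensitive(
                    change.get("after_sensitive", {}), path):
                leaks.append(rc["address"] + "." + ".".join(map(str, path)))
    return leaks
```

Feed it the real plan with `terraform show -json tfplan` and the value of TF_VAR_secret_key; a non-empty result means the plan text would expose the key, which is exactly what the template_file variant does.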