azurerm_key_vault_secret omit value from tfstate

[mrdavidkendall]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Since secrets have versions with id's, there is no strong reason to store the secret value in tfstate. This is a large security concern and should be a high priority.

New or Affected Resource(s)

• azurerm_key_vault_secret

[njuCZ]

Hi @mrdavidkendall , I think this is not only about azurerm_key_vault_secret, but a wide problem about how tfstate stores sensitive data. You can refer to this guide: https://www.terraform.io/docs/extend/best-practices/sensitive-state.html. If there is any security concerns, It's recommend to use enhanced remote backends and especially the availability of Terraform Cloud.

[tombuildsstuff]

hi @mrdavidkendall

Thanks for opening this issue - apologies for the delayed response here.

Unfortunately this needs to be fixed in Terraform Core, rather than the Provider - since these values get stored in the state by default. Support for Encrypted Values in the State File is being tracked in this issue and Encrypting the Statefile is being tracked in this issue within Terraform Core - would you mind subscribing to those issues for updates, where once this is fixed this'll be available for all Providers?

Thanks!

[mrdavidkendall]

Thanks @tombuildsstuff. I have subscribed to those other issues.

Encrypting the state file would make this incrementally better, but I think I'm still curious as to why the secret value needs to be store on the file system at all.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!