Feature request: ability to exclude storage account keys from state #920
We don't use key state (or even the keys) and would prefer not to have them stored.
This would include at least:
primary_access_key
primary_blob_connection_string
primary_connection_string
secondary_access_key
secondary_blob_connection_string
secondary_connection_string
Is it practical to make this an option?
Comments
@clangaxon thanks for this suggestion. @tombuildsstuff what would it take to add this as an option? Is this a provider change or a core change?
It would be wonderful to be able to exclude keys from the state file. We run our configurations from Cloud Shell by using a shell script that dynamically pulls the key to the storage account where we store state files...at execution time. This is a pretty secure method but would be kicked up a notch if the key that gets pulled would not be stored in the state file.
Thanks for opening this issue :)
Unfortunately this isn't supported at the current time, however it's something we'd like to do longer-term. There's a document explaining our current approach to handling sensitive values in the state and that we'd generally recommend using an encrypted backend for that. At the current time the Azure backend doesn't support encryption, but I believe we should be able to add support for this in the future now that Encrypted Storage Accounts have gone GA - I'd recommend opening a feature request on the main repository about this. Longer term there are several ways we could solve this, including encrypting the statefile and possibly removing sensitive fields from the state - which are described in this document. There are a few issues tracking this in the main Terraform repository - in particular you may wish to subscribe to the issue tracking support for encrypted statefiles. Thanks!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
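Until the provider can omit these attributes, the practical defensive step is to know whether a given state file contains them, and to scrub copies before they are shared for debugging or review. The script below is an added example for this thread, not code from the azurerm provider or from HashiCorp. It assumes the standard Terraform state v4 JSON layout (a top-level `resources` list whose `instances` carry an `attributes` map) and uses exactly the six attribute names listed in the issue; `SAMPLE_STATE` is constructed for the example and its key values are placeholders, not real secrets.

```python
"""Find and redact Azure storage account secrets in a Terraform state file.

Added example for this issue thread (not provider or HashiCorp code).
Assumes the Terraform state format version 4 JSON layout:
  resources[] -> instances[] -> attributes{}
"""
import json
import sys
from typing import List, Tuple

# Attribute names the issue body asks to keep out of state.
SENSITIVE_ATTRIBUTES = frozenset({
    "primary_access_key",
    "primary_blob_connection_string",
    "primary_connection_string",
    "secondary_access_key",
    "secondary_blob_connection_string",
    "secondary_connection_string",
})

# Constructed sample state for the example; key values are placeholders.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {
            "mode": "managed",
            "type": "azurerm_storage_account",
            "name": "tfstate",
            "instances": [{
                "attributes": {
                    "name": "examplestorage",
                    "account_tier": "Standard",
                    "primary_access_key": "PLACEHOLDER_PRIMARY_KEY==",
                    "primary_connection_string":
                        "DefaultEndpointsProtocol=https;AccountKey=PLACEHOLDER_PRIMARY_KEY==;",
                    "secondary_access_key": "PLACEHOLDER_SECONDARY_KEY==",
                    "secondary_connection_string": "",  # empty: not a finding
                },
            }],
        },
        {
            "mode": "managed",
            "type": "azurerm_resource_group",
            "name": "rg",
            "instances": [{
                "attributes": {"name": "example-rg", "location": "westeurope"},
            }],
        },
    ],
})


def _load_v4(state_json: str) -> dict:
    """Parse state JSON and reject formats this example does not understand."""
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError("only Terraform state format version 4 is handled")
    return state


def find_secrets(state_json: str) -> List[Tuple[str, str]]:
    """Return (resource address, attribute) for every populated sensitive attribute."""
    findings: List[Tuple[str, str]] = []
    for res in _load_v4(state_json).get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            address = "data." + address
        instances = res.get("instances", [])
        for idx, inst in enumerate(instances):
            attrs = inst.get("attributes") or {}
            # Index the address only for multi-instance (count/for_each) resources.
            addr = f"{address}[{idx}]" if len(instances) > 1 else address
            for key in sorted(attrs):
                if key in SENSITIVE_ATTRIBUTES and attrs[key]:
                    findings.append((addr, key))
    return findings


def redact(state_json: str, marker: str = "<REDACTED>") -> str:
    """Return a copy of the state with sensitive attribute values replaced by marker.

    Intended for copies handed to others; the live backend state must stay intact
    or Terraform will see the attributes as drifted.
    """
    state = _load_v4(state_json)
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for key in list(attrs):
                if key in SENSITIVE_ATTRIBUTES and attrs[key]:
                    attrs[key] = marker
    return json.dumps(state, indent=2)


if __name__ == "__main__":
    # Usage: python scan_state.py [terraform.tfstate]; defaults to the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    for address, attr in find_secrets(raw):
        print(f"{address}: {attr} is present in state")
```

Run it against a `terraform state pull` dump to audit what the backend currently holds; the redacted output is only for sharing a copy, since writing it back would make Terraform treat the scrubbed attributes as changed.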