Skip to content

rremer/terraform-provider-keyring

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
keyring
keyring
 
 
.appveyor.yml
.appveyor.yml
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

terraform-provider-keyring

Travis AppVeyor

A terraform provider for leveraging local keyrings on all operating systems.

Installation

go get
go build

OS-specific installation examples below, but please reference the official Terraform Plugin Discovery documentation.

Linux / OSX:

cp terraform-provider-keyring ~/.terraform.d/plugins/

Windows:

copy terraform-provider-keyring %APPDATA%\terraform.d\plugins\

Usage

Hashicorp Vault

For an organization with many terraform projects sourcing similar secrets, you may want a 'bootstrap' project which developers run locally once, and then source that secret as an output elsewhere. Here's an example sourcing a secret from Hashicorp Vault. This would make one remote call to the Vault service, then cache the secret in the developer's local keyring. Other terraform projects would not need to make remote calls to Vault and instead reference the ${data.keyring_secret.example.secret}.

data "vault_generic_secret" "example" {
  path = "secret/example"
}

resource "keyring_secret" "example" {
        name   = "example"
        secret = "${data.vault_generic_secret.example.data["auth_token"]}"
}

data "keyring_secret" "example" {
        name = "${keyring_secret.example.name}"
}

Replacing file() and hard-coded secrets

Anywhere you reference terraform's file() method to fetch secrets like RSA private keys could be replaced with this provider.

Before:

resource "null_resource" "example_sshable_instance" {
  connection {
   user        = "ubuntu"
   host        = "example.com"
   private_key = "${file("~/.ssh/id_rsa")}"
 }
}

After:

data "keyring_secret" "ssh" {
        name = "example"
}

resource "null_resource" "example_sshable_instance" {
  connection {
   user        = "ubuntu"
   host        = "example.com"
   private_key = "${data.keyring_secret.ssh.secret}"
 }
}

Inserting secrets into your keyring is OS/distribution specific. Here's some common ones:

GNOME Keyring

Installation of secret-tool (or equivelant GUIs like Seahorse) varies, but the majority of Linux distrobutions implement GNOME Keyring for secrets storage. By default, most display managers will unlock a default login keyring for use.

Ubuntu:

sudo apt-get install -y libsecret-tools
secret-tool store --label=terraform id example

... when prompted, paste in your private key. --label terraform defines the service label, which is an optional field service in the terraform provider. id example can be whatever you want and must match the namefield in your terraform declaration.

OSX Keychain

OSX Keychain, leveraging the Login keychain (currently not configurable). Not including screenshots of that for brevity.

security add-generic-password -U -s terraform -a example -w <YOUR_PRIVATE_KEY>

... note that -s terraform defines the service label, which is an optional field service in the terraform provider. -a can be whatever you want and must match the namefield in your terraform declaration.

Windows Credential Manager

Since XP, Windows has shipped with a CLI and GUI for Windows Credential Manager.

cmdkey /generic terraform /user example /pass <YOUR_PRIVATE_KEY>

... note that /generic terraform defines the domain, which is an optional field service in the terraform provider. /user can be whatever you want and must match the name field in your terraform declaration.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages