Secrets and state

Figure 1074. Storing secrets

Guide to Managing Terraform secrets.

variables.tf:

variable "hcloud_token" {
  nullable = false
  sensitive = true
}

env:

export TF_VAR_hcloud_token=mBSxD...

providers.tf:

provider "hcloud" {
  token = var.hcloud_token
}

Source the environment file, then apply:

. env  # sourcing environment

terraform apply

Figure 1075. Problem 2: VCS and visible secrets 😱

For security reasons, secrets should not be under version control:

...
provider "hcloud" { token = "xdaGfz9LmwO8SWkg ... "}
...

Figure 1076. Addressing secrets by variable

Declaring hcloud_token in variables.tf:

variable "hcloud_token" {  # See secrets.auto.tfvars
  nullable = false
  sensitive = true
}

Defining hcloud_token's value in secrets.auto.tfvars, added to .gitignore:

hcloud_token="xdaGfz9LmwO8SWkg ... "

Using hcloud_token in main.tf:

provider "hcloud" { token = var.hcloud_token }

Template file secrets.auto.tfvars.template:

hcloud_token="your_api_token_goes_here"

Figure 1077. Addressing secrets by file

# Configure the Hetzner Cloud API token
provider "hcloud" {
  token = file("../providertoken.key")
}

Content of file providertoken.key, added to .gitignore:

xdaGfz9LmwO8SWkg ...

Content of file providertoken.key.template:

your_api_token_goes_here

Figure 1078. Addressing secrets by Bash .env file

  • Again declare hcloud_token in variables.tf.

  • Add a dot.env.template file to version control:

    export TF_VAR_hcloud_token="Your token goes here"

  • Copy dot.env.template to .env, supply your secret and add .env to your .gitignore file.

  • Source the .env file, e.g. in a Bash shell execute:

    . .env

    Test it:

    $ . .env
    $ echo $TF_VAR_hcloud_token
    gTwn5...
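The three approaches in Figures 1075 to 1078 share one failure mode: a token ends up in a committed .tf file, or the secret-bearing file is forgotten in .gitignore, or the .env file was never sourced. The following pre-flight script is an added example, not part of the lecture notes and not a Terraform or Hetzner tool; it checks those three conditions before terraform apply. The file and variable names (.env, secrets.auto.tfvars, providertoken.key, TF_VAR_hcloud_token) are those used above; the function names and the check logic are this script's own.

```shell
#!/bin/sh
# tf_preflight.sh: an added example, not part of the lecture notes and not a
# Terraform or Hetzner tool. It checks, before "terraform apply" or "git
# commit", that the secret-handling rules of Figures 1075-1078 are really in
# place. The file and variable names (.env, secrets.auto.tfvars,
# providertoken.key, TF_VAR_hcloud_token) are the ones used in the notes;
# the function names and the check logic are this script's own.

# 1. A provider token must come from var.* or file(...), never from a quoted
#    literal (Problem 2 in Figure 1075). Prints offending lines with file
#    name and line number. Returns 0 when clean, 1 when a literal was found,
#    2 when grep could not read a file. Both the multi-line and the one-line
#    provider block form are matched. A line such as  token = "${var.x}"
#    is an interpolation, not a literal; the character class excludes "$",
#    so it is not reported.
find_literal_tokens() {
  status=0
  grep -En '(^|[[:space:]{])token[[:space:]]*=[[:space:]]*"[^"$]*"' "$@" || status=$?
  case $status in
    0) return 1 ;;
    1) return 0 ;;
    *) return 2 ;;
  esac
}

# 2. Every file that carries the secret must appear in .gitignore. The check
#    is an exact line match; a wildcard such as *.key in .gitignore would not
#    be recognised by this simple version.
check_gitignored() {
  ignore_file=$1
  shift
  missing=0
  for f in "$@"; do
    if ! grep -qxF -- "$f" "$ignore_file" 2>/dev/null; then
      echo "not listed in $ignore_file: $f" >&2
      missing=1
    fi
  done
  return "$missing"
}

# 3. With the .env approach of Figure 1078 the variable must be set and
#    non-empty after ". .env"; otherwise Terraform prompts for it.
require_token_env() {
  if [ -z "${TF_VAR_hcloud_token:-}" ]; then
    echo "TF_VAR_hcloud_token is unset or empty; run: . .env" >&2
    return 1
  fi
}

# Run all three checks from the project directory; the first failure wins.
# Usage:  . ./tf_preflight.sh && tf_preflight && terraform apply
tf_preflight() {
  find_literal_tokens ./*.tf &&
  check_gitignored .gitignore .env secrets.auto.tfvars providertoken.key &&
  require_token_env
}
```

Run it from the project directory before every apply, or call find_literal_tokens and check_gitignored from a Git pre-commit hook so that a hard-coded token never reaches the repository in the first place.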

exercise No. 13

Incrementally creating a base system

Q:

Follow the subsequent steps to create a basic server based on Terraform:

  1. Start from Figure 1063, “Minimal Terraform configuration”, adding an ssh inbound firewall rule. Enter your Hetzner provider token and create the server.

    On success you'll receive an e-mail containing your server's IP address and the root user's password for ssh login. Why does this happen? Log in to your server.

  2. Subject your configuration to version control in a Git project. Putting the previous Terraform configuration under version control might expose your cloud provider's API token. Circumvent this problem by following the steps outlined in Figure 1077, “Addressing secrets by file”.

  3. Ditch unsafe (and tedious) ssh password login in favour of public/private key access.

    Tip

    Create a resource "hcloud_ssh_key" ... and read your hcloud_server documentation regarding ssh public key configuration.

    On success you should be able to log in using your ssh private key.

  4. Currently, executing terraform apply shows neither your newly created server's IP address nor its data center location. Add an outputs.tf file containing two corresponding output entries.

    On success, executing terraform apply should show something like:

    terraform apply
    ...
    hcloud_server.helloServer: Still creating... [10s elapsed]
    hcloud_server.helloServer: Creation complete after 14s [id=46961197]
    
    Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
    
    Outputs:
    
    hello_location = "hel1"
    hello_ip_addr = "95.217.154.104"

Figure 1079. Managing Terraform states

  • Problems:

    1. Multiple users and local Terraform state.

    2. Disjoint working environments, i.e. company and home office.

  • Solution: Move Terraform state to a shared backend.

  • How to Manage Terraform State with GitLab
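Moving state to a shared backend raises the same question as the provider token: the backend credentials must not land in a committed .tf file either. The script below is an added example, not part of the lecture notes or of the linked GitLab guide. It applies the .env pattern of Figure 1078 to the backend: backend.tf only declares the backend type, and all settings are exported as TF_HTTP_* variables, which Terraform's http backend reads from the environment. The URL layout is that of GitLab's Terraform state API; the names GITLAB_URL, GITLAB_USER and GITLAB_TOKEN, the function names and the project id 12345678 are this example's own placeholders.

```shell
#!/bin/sh
# tf_backend.sh: an added example, not part of the lecture notes or of the
# linked GitLab guide. It configures Terraform's "http" backend for GitLab's
# managed state without putting any credential into a .tf file. The
# TF_HTTP_* variable names are the ones Terraform's http backend reads; the
# URL layout is that of GitLab's Terraform state API. GITLAB_URL,
# GITLAB_USER, GITLAB_TOKEN and the function names are this script's own.

# backend.tf only names the backend type; every setting arrives from the
# environment, so this file is safe to commit.
write_backend_tf() {
  printf 'terraform {\n  backend "http" {}\n}\n' > "$1"
}

# Export the backend settings the way Figure 1078 exports TF_VAR_...:
# arguments are the numeric GitLab project id and a state name of your choice.
# Refuses to continue when the credentials are missing, so the problem is
# reported here rather than as an authentication error from GitLab later.
gitlab_backend_env() {
  project_id=$1
  state_name=$2
  if [ -z "${GITLAB_USER:-}" ] || [ -z "${GITLAB_TOKEN:-}" ]; then
    echo "GITLAB_USER and GITLAB_TOKEN must be set, e.g. via . .env" >&2
    return 1
  fi
  base="${GITLAB_URL:-https://gitlab.com}/api/v4/projects/$project_id/terraform/state/$state_name"
  export TF_HTTP_ADDRESS="$base"
  # GitLab uses one lock URL for both operations, distinguished by the method.
  export TF_HTTP_LOCK_ADDRESS="$base/lock"
  export TF_HTTP_UNLOCK_ADDRESS="$base/lock"
  export TF_HTTP_LOCK_METHOD=POST
  export TF_HTTP_UNLOCK_METHOD=DELETE
  export TF_HTTP_RETRY_WAIT_MIN=5
  export TF_HTTP_USERNAME="$GITLAB_USER"
  export TF_HTTP_PASSWORD="$GITLAB_TOKEN"
}

# Usage from the project directory, with GITLAB_USER/GITLAB_TOKEN in .env:
#   . .env && . ./tf_backend.sh
#   write_backend_tf backend.tf && gitlab_backend_env 12345678 hello-server
#   terraform init
```

Because the credentials travel in the environment, they appear neither in version control nor in the shell history or process list, which the alternative of passing them as -backend-config arguments to terraform init would not guarantee.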