Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Terraform Cookbook

You're reading from   Terraform Cookbook Master Infrastructure as Code efficiency with real-world Azure automation using Terraform

Arrow left icon
Product type Paperback
Published in Aug 2023
Publisher Packt
ISBN-13 9781804616420
Length 634 pages
Edition 2nd Edition
Tools
Concepts
Arrow right icon
Author (1):
Arrow left icon
Mikael Krief Mikael Krief
Author Profile Icon Mikael Krief
Mikael Krief
Arrow right icon
View More author details
Toc

Table of Contents (20) Chapters Close

Preface 1. Setting Up the Terraform Environment 2. Writing Terraform Configurations FREE CHAPTER 3. Scaling Your Infrastructure with Terraform 4. Using Terraform with External Data 5. Managing Terraform State 6. Applying a Basic Terraform Workflow 7. Sharing Terraform Configuration with Modules 8. Provisioning Azure Infrastructure with Terraform 9. Getting Starting to Provisioning AWS and GCP Infrastructure Using Terraform 10. Using Terraform for Docker and Kubernetes Deployment 11. Running Test and Compliance Security on Terraform Configuration 12. Deep-Diving into Terraform 13. Automating Terraform Execution in a CI/CD Pipeline 14. Using Terraform Cloud to Improve Team Collaboration 15. Troubleshooting Terraform Errors 16. Other Books You May Enjoy
17. Index
Appendix A: Terraform Cheat Sheet 1. Appendix B: Terraform Resources

Keeping sensitive variables safe

In the Manipulating variables recipe in this chapter, we learned how to use variables to make our Terraform configuration more dynamic. By default, all variables’ values used in the configuration will be stored in clear text in the Terraform state file, and this value will also be in clear text in the console output execution.

In this recipe, we will learn how to keep Terraform variable information safe from prying eyes by not displaying their values in clear text in the console output.

Getting ready

To start with, we will use the Terraform configuration available at https://github.com/PacktPublishing/Terraform-Cookbook-Second-Edition/tree/main/CHAP02/sample-app, which provisions an Azure Web App with custom app settings.

To illustrate this, we will add a custom application API key, which has a sensitive value, in the key-value app setting.

The source code of this recipe is available at https://github.com/PacktPublishing/Terraform-Cookbook-Second-Edition/tree/main/CHAP02/sample-app.

How to do it…

Perform the following steps:

  1. In the main.tf file, which contains our Terraform configuration, in azurerm_linux_web_app we will add an app_settings property that is set with the api_key variable:
    resource "azurerm_linux_web_app" "app" {
      name                = "${var.app_name}-${var.environment} -${random_string.random.result}”
      location            = azurerm_resource_group.rg-app.location
      resource_group_name = azurerm_resource_group.rg-app.name
      service_plan_id     = azurerm_service_plan.plan-app.id
      site_config {}
      app_settings = {
    API_KEY = var.api_key
      }
              }
    
  2. Then, in variable.tf, declare the custom_app_settings variable:
    variable "api_key " {
      description = "Custom application api key"
      sensitive = true
    }
    
  3. In terraform.tfvars, we instantiate this variable with these values (as an example for this book):
    api_key = "xxxxxxxxxxxxxxxxx"
    
  4. Finally, we run the terraform plan command. The following screenshot shows a part of this execution:
Une image contenant texte  Description générée automatiquement

Figure 2.8: Terraform doesn’t display the sensitive variable value

  1. We can see that the value of the api_key property (which is in uppercase in the Terraform plan output) in app_settings isn’t displayed in the console output.

How it works…

In the recipe, we add the sensitive flag to the api_key variable, which enables the protection of the variable. By enabling this flag, the terraform plan command (and the apply command) doesn’t display the value of the variable in the console output in clear text.

There’s more…

Be careful! The sensitive variable property protects the value of this variable from being displayed in the console output, but the value of this is still written in clear text in the Terraform state file.

Then, if this Terraform configuration is stored in a source control such as Git, the default value of this variable or the tfvars file is also readable as clear text in the source code.

So, to protect the value of this variable in source control, we can set the value of this variable by using Terraform’s environment variable technique with the format TF_VAR_<variable name> as we learned in the previous recipe, Manipulating variables.

In our scenario, we can set the TF_VAR_api_key = "xxxxxxxxxxx" environment variable just before the execution of the terraform plan command.

One scenario in which the sensitive variable is effective is when Terraform is executed in a CI/CD pipeline; then, unauthorized users can’t read the value of the variable.

Finally, one best practice is to use an external secret management solution such as Azure Key Vault or HashiCorp Vault (https://www.vaultproject.io/) to store your secrets and use Terraform providers to get these secrets’ values.

See also

You have been reading a chapter from
Terraform Cookbook - Second Edition
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781804616420
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image