I am trying to create some resources with some defined variables that will be used.
I defined the variables with their own values:
ingest_parameters = {
  x1 = {
    ENV_GROUPID  = "xxxx"
    ENV_TOPIC    = "xxxx"
    ENV_USERNAME = "xxxx"
  }
  x2 = {
    ENV_GROUPID  = "yyyy"
    ENV_TOPIC    = "yyyy"
    ENV_USERNAME = "yyy"
  }
  x3 = {
    ENV_GROUPID  = "zzzz"
    ENV_TOPIC    = "zzzz"
    ENV_USERNAME = "zzzz"
  }
  x4 = {
    ENV_GROUPID  = "wwww"
    ENV_TOPIC    = "wwww"
    ENV_USERNAME = "wwww"
  }
}
I created a for_each to get the above variables values into this module:
module "ingest_other" {
  for_each = var.ingest_parameters
  source   = "./ingest_rest"
  tenant   = each.key

  ingest_ENV_GROUPID  = each.value.ENV_GROUPID
  ingest_ENV_TOPIC    = each.value.ENV_TOPIC
  ingest_ENV_USERNAME = each.value.ENV_USERNAME
  ingest_ENV_PASSWORD = ENV_PASSWORD # <- how to?
}
The data above is then used here:
# The variables are referenced unquoted; a quoted "var.x" would pass that literal text.
environment_variables = format("[ %s ]", join(", ", tolist([
  jsonencode(tomap({
    name  = "GROUPID"
    value = var.ingest_ENV_GROUPID
  })),
  jsonencode(tomap({
    name  = "TOPIC"
    value = var.ingest_ENV_TOPIC
  })),
  jsonencode(tomap({
    name  = "USERNAME"
    value = var.ingest_ENV_USERNAME
  })),
  jsonencode(tomap({
    name  = "PASSWORD"
    value = var.ingest_ENV_PASSWORD
  }))
])))
How can I put the ENV_PASSWORD for each of the 4 resources? I do not want to hard code them in the ingest_parameters. Is there a way that, when I do the plan, it asks me for these 4 password variables? Any recommendation?
Thank you very much.
CodePudding user response:
I strongly recommend you utilize some secrets manager like HashiCorp Vault and not enter passwords manually in the CLI. Provided you create a secret with the KV engine and path ingest/secrets and add values for each ENV_TOPIC (choose the right parameter here, not sure if ENV_TOPIC is the correct id...), you can do:
provider "vault" {
  address = "https://${var.vault_fqdn}"
}

data "vault_generic_secret" "secrets" {
  path = "ingest/secrets" # <= just an example
}
And then:
module "ingest_other" {
  for_each = var.ingest_parameters
  source   = "./ingest_rest"
  tenant   = each.key

  ingest_ENV_GROUPID  = each.value.ENV_GROUPID
  ingest_ENV_TOPIC    = each.value.ENV_TOPIC
  ingest_ENV_USERNAME = each.value.ENV_USERNAME
  ingest_ENV_PASSWORD = data.vault_generic_secret.secrets.data[each.value.ENV_TOPIC]
}
Also, you can just use a tfvars file, which is still a more handy and secure solution (if you remember to add secrets.tfvars to your .gitignore). Not sure which Terraform version you are using, but if it is > 0.14 then you can use sensitive variables, as described here. For example you could do:
variables.tf:
variable "secrets" {
  type      = map(string) # quoted type names such as "map" are rejected by current Terraform
  default   = {}
  sensitive = true
}
secrets.tfvars:
secrets = {
  "zzzz" : "zzzz-secret"
  "yyyy" : "yyyy-secret"
  "xxxx" : "xxxx-secret"
}
and then:
module "ingest_other" {
  for_each = var.ingest_parameters
  source   = "./ingest_rest"
  tenant   = each.key

  ingest_ENV_GROUPID  = each.value.ENV_GROUPID
  ingest_ENV_TOPIC    = each.value.ENV_TOPIC
  ingest_ENV_USERNAME = each.value.ENV_USERNAME
  ingest_ENV_PASSWORD = var.secrets[each.value.ENV_TOPIC] # <= choose right parameter here, not sure if ENV_TOPIC is correct id...
}
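The tfvars approach above with the module side filled in, as an added example that is not part of the original answer. It assumes passwords are keyed by tenant name (x1 to x4) rather than by ENV_TOPIC; the variable `ingest_passwords`, the local `environment_variables` and the placeholder values are hypothetical.

```hcl
# --- root module: variables.tf (names below are hypothetical) ---
# No default: the value must come from -var-file, TF_VAR_ingest_passwords,
# or the interactive prompt, and never lives in ingest_parameters.
variable "ingest_passwords" {
  type      = map(string) # assumed to be keyed by tenant: x1, x2, x3, x4
  sensitive = true        # redacted in plan/apply output (Terraform >= 0.14)
}

# --- secrets.tfvars (git-ignored; constructed placeholder values) ---
# ingest_passwords = {
#   x1 = "placeholder-1"
#   x2 = "placeholder-2"
#   x3 = "placeholder-3"
#   x4 = "placeholder-4"
# }

# --- root module: main.tf ---
module "ingest_other" {
  for_each = var.ingest_parameters
  source   = "./ingest_rest"
  tenant   = each.key

  ingest_ENV_GROUPID  = each.value.ENV_GROUPID
  ingest_ENV_TOPIC    = each.value.ENV_TOPIC
  ingest_ENV_USERNAME = each.value.ENV_USERNAME
  # A tenant with no entry in the map fails the plan with an "Invalid index" error.
  ingest_ENV_PASSWORD = var.ingest_passwords[each.key]
}

# --- ./ingest_rest/variables.tf ---
# Declared sensitive inside the module too, so it is redacted whatever the caller passes.
variable "ingest_ENV_PASSWORD" {
  type      = string
  sensitive = true
}

# --- ./ingest_rest/main.tf ---
locals {
  # One jsonencode call over a list yields the same JSON array as the
  # format/join construction; the result is sensitive because PASSWORD is.
  environment_variables = jsonencode([
    { name = "GROUPID", value = var.ingest_ENV_GROUPID },
    { name = "TOPIC", value = var.ingest_ENV_TOPIC },
    { name = "USERNAME", value = var.ingest_ENV_USERNAME },
    { name = "PASSWORD", value = var.ingest_ENV_PASSWORD },
  ])
}
```

Run it with `terraform plan -var-file=secrets.tfvars`. `sensitive` only hides the value in CLI output; the password is still written to the state file, so the state backend needs its own access control and encryption.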
CodePudding user response:
Is there a way that, when I do the plan, it asks me for these 4 password variables?
If you want it to ask you for each one, and you are going to type them in one at a time, then you simply need to define them as four separate variables without default values. It will then ask you to type each password before the terraform plan proceeds.