Best way to store Terraform variable values without having them in source control-CodePudding

We have a code repo with our IaC in Terraform. This is in Github, and we're going to pull the code, build it, etc. However, we don't want the values of our variables in Github itself. So this may be a dumb question, but where do we store the values we need for our variables? If my Terraform requires an Azure subscription id, where would I store the subscription id? The vars files won't be in source control. The goal is that we'll be pulling the code into an Azure Devops pipeline so the pipeline will have to know where to go to get the input variable values. I hope that makes sense?

CodePudding user response：

You can store your secrets in Azure Key Vault and retrieve them in Terraform using azurerm_key_vault_secret.

  data "azurerm_key_vault_secret" "example" {
    name         = "secret-sauce"
    key_vault_id = data.azurerm_key_vault.existing.id
  }

  output "secret_value" {
    value = data.azurerm_key_vault_secret.example.value
  }

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret

CodePudding user response：

There has to be a source of truth eventually.

You can store your values in the pipeline definitions as variables themselves and pass them into the Terraform configuration.

Usually it's a combination of tfvar files (dependent on target environment) and some variables from the pipeline. If you do have vars in your pipelines though, the pipelines should be in code.

If the variables are sensitive then you need to connect to a secret management tool to get those variables.

If you have many environments, say 20 environments and the infra is all the same with exception of a single ID you could have the same pipeline definition (normally JSON or YAML) and reference it for the 20 pipelines you build, each of those 20 would have that unique value baked in for use at execution. That var is passed through to Terraform as the missing piece.

There are other key-value property tracking systems out there but Git definitely works well for this purpose.

CodePudding user response：

You can use Azure DevOps Secure files (pipelines -> library) for storing your credentials for each environment. You can create a tfvar file for each environment with all your credentials, upload it as a secure file in Azure DevOps and then download it in the pipeline with a DownloadSecureFile@1 task.