Revisions

  1. @neilpeterson neilpeterson revised this gist Sep 15, 2018. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions init-backend-results.md
    @@ -1,3 +1,5 @@
    When initalizing a Terraform backend, a `.terraform/terraform.tfstate` file is written to disk and can include storage account secrets.

    ## Option 1

    Include the Azure Storage key in the Terraform configuration.
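
    Review bot: "initalizing" in the new opening sentence is misspelled and should read "initializing". The sentence also says the file "can include storage account secrets" without saying when; a short pointer to the options below, where the key either is or is not written, would make the claim concrete.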
  2. @neilpeterson neilpeterson revised this gist Sep 15, 2018. 1 changed file with 3 additions and 6 deletions.
    9 changes: 3 additions & 6 deletions init-backend-results.md
    @@ -77,7 +77,7 @@ terraform.tfstate file, key is visible.
    },
    ```

    ## Option 2
    ## Option 3

    Use partial configuration and put the Azure Storage access key in an environment variable named `ARM_ACCESS_KEY`.

    @@ -95,7 +95,7 @@ terraform {
    }
    ```

    Set environment variable (From Azure Key Vault):
    Furthermore, keep the access key out of terminal history with Azure Key Vault.

    ```
    ARM_ACCESS_KEY=$(az keyvault secret show --name tstate-key --vault-name billBooth --query value -o tsv)
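
    Review bot: the replacement sentence "Furthermore, keep the access key out of terminal history with Azure Key Vault." drops the step label "Set environment variable", so the reader is no longer told that the command under it is the step that populates `ARM_ACCESS_KEY`. Suggest keeping both, for example "Set the environment variable from Azure Key Vault, which also keeps the access key out of terminal history:".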
    @@ -119,7 +119,4 @@ terraform.tfstate file, key is not visible.
    },
    "hash": 3693603136239683338
    },
    ```



    ```
  3. @neilpeterson neilpeterson revised this gist Sep 15, 2018. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions init-backend-results.md
    @@ -2,7 +2,7 @@

    Include the Azure Storage key in the Terraform configuration.

    **Not ideal** - the Storage access key is exposed both in the configuration and in the `.terraform/terraform.tfstate` file.
    **Not ideal**: the Storage access key is exposed both in the configuration and in the `.terraform/terraform.tfstate` file.

    Configuration:

    @@ -42,7 +42,7 @@ terraform.tfstate file, key is visible.

    Use partial configuration and pass the Azure Storage key as a parameter to `terraform init`.

    **Not ideal** - The storage access key is still written to the `.terraform/terraform.tfstate` file.
    **Not ideal**: The storage access key is still written to the `.terraform/terraform.tfstate` file.

    Configuration:

    @@ -81,7 +81,7 @@ terraform.tfstate file, key is visible.

    Use partial configuration and put the Azure Storage access key in an environment variable named `ARM_ACCESS_KEY`.

    **Ideal** - The storage access key is not written to the .terraform/terraform.tfstate file.
    **Most ideal**: The storage access key is not written to the .terraform/terraform.tfstate file.

    Configuration:
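
    Review bot: in the changed line of this hunk, "**Most ideal**" reads oddly next to two "Not ideal" options, since only one option is presented as acceptable; "**Ideal**" or "**Recommended**" says the same thing more plainly. The path `.terraform/terraform.tfstate` is also left without backticks here, while the two other lines changed in this revision have them.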

  4. @neilpeterson neilpeterson revised this gist Sep 15, 2018. 1 changed file with 9 additions and 5 deletions.
    14 changes: 9 additions & 5 deletions init-backend-results.md
    @@ -1,8 +1,8 @@
    ## Option 1

    **Option 1** - Include the Azure Storage key in the Terraform configuration.
    Include the Azure Storage key in the Terraform configuration.

    **Not ideal** - the Storage access key is exposed both in the configuration and in the .terraform/terraform.tfstate file.
    **Not ideal** - the Storage access key is exposed both in the configuration and in the `.terraform/terraform.tfstate` file.

    Configuration:

    @@ -38,9 +38,11 @@ terraform.tfstate file, key is visible.
    },
    ```

    **Option 2** - Use partial configuration and pass the Azure Storage key as a parameter to `terraform init`.
    ## Option 2

    **Not ideal** - The storage access key is still written to the .terraform/terraform.tfstate file.
    Use partial configuration and pass the Azure Storage key as a parameter to `terraform init`.

    **Not ideal** - The storage access key is still written to the `.terraform/terraform.tfstate` file.

    Configuration:

    @@ -75,7 +77,9 @@ terraform.tfstate file, key is visible.
    },
    ```

    **Option 2** - Use partial configuration and put the Azure Storage access key in an environment variable named `ARM_ACCESS_KEY`.
    ## Option 2

    Use partial configuration and put the Azure Storage access key in an environment variable named `ARM_ACCESS_KEY`.

    **Ideal** - The storage access key is not written to the .terraform/terraform.tfstate file.
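
    Review bot: the heading added in this hunk is "## Option 2", but the previous hunk already adds "## Option 2" for the `terraform init` parameter approach, so the `ARM_ACCESS_KEY` section ends up with a duplicate heading; it should be "## Option 3". The "**Ideal**" line below it also still shows the state file path without backticks, unlike the two "Not ideal" lines updated in this revision.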

  5. @neilpeterson neilpeterson revised this gist Sep 15, 2018. 1 changed file with 3 additions and 1 deletion.
    4 changes: 3 additions & 1 deletion init-backend-results.md
    @@ -1,6 +1,8 @@
    ## Option 1

    **Option 1** - Include the Azure Storage key in the Terraform configuration.

    **Not ideal** becasue the Storage access key is exposed both in the configuration and in the .terraform/terraform.tfstate file.
    **Not ideal** - the Storage access key is exposed both in the configuration and in the .terraform/terraform.tfstate file.

    Configuration:
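
    Review bot: the new "## Option 1" heading sits directly above a line that still opens with "**Option 1** -", so the label appears twice in a row; drop the bold prefix from the sentence. Only the first option receives a heading in this revision, which leaves the other options on the old bold-label style.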

  6. @neilpeterson neilpeterson created this gist Sep 15, 2018.
    119 changes: 119 additions & 0 deletions init-backend-results.md
    @@ -0,0 +1,119 @@
    **Option 1** - Include the Azure Storage key in the Terraform configuration.

    **Not ideal** becasue the Storage access key is exposed both in the configuration and in the .terraform/terraform.tfstate file.

    Configuration:

    ```
    terraform {
    backend "azurerm" {
    storage_account_name = "tstate"
    container_name = "tstate"
    key = "terraform.tfstate"
    access_key = "<azure-storage-account-key>"
    }
    }
    ```

    Init command:

    ```
    terraform init
    ```

    terraform.tfstate file, key is visible.

    ```json
    "backend": {
    "type": "azurerm",
    "config": {
    "access_key": "<azure-storage-account-key>",
    "container_name": "tstate",
    "key": "terraform.tfstate",
    "storage_account_name": "tstate"
    },
    "hash": 13235237982197025795
    },
    ```

    **Option 2** - Use partial configuration and pass the Azure Storage key as a parameter to `terraform init`.

    **Not ideal** - The storage access key is still written to the .terraform/terraform.tfstate file.

    Configuration:

    ```
    terraform {
    backend "azurerm" {
    storage_account_name = "tstate"
    container_name = "tstate"
    key = "terraform.tfstate"
    }
    }
    ```

    Init command:

    ```
    terraform init -backend-config="access_key=<azure-storage-account-key>"
    ```

    terraform.tfstate file, key is visible.

    ```
    "backend": {
    "type": "azurerm",
    "config": {
    "access_key": "<azure-storage-account-key>",
    "container_name": "tstate",
    "key": "terraform.tfstate",
    "storage_account_name": "tstate"
    },
    "hash": 13235237982197025795
    },
    ```

    **Option 2** - Use partial configuration and put the Azure Storage access key in an environment variable named `ARM_ACCESS_KEY`.

    **Ideal** - The storage access key is not written to the .terraform/terraform.tfstate file.

    Configuration:

    ```
    terraform {
    backend "azurerm" {
    storage_account_name = "tstate"
    container_name = "tstate"
    key = "terraform.tfstate"
    }
    }
    ```

    Set environment variable (From Azure Key Vault):

    ```
    ARM_ACCESS_KEY=$(az keyvault secret show --name tstate-key --vault-name billBooth --query value -o tsv)
    ```

    Init command:

    ```
    terraform init
    ```

    terraform.tfstate file, key is not visible.

    ```
    "backend": {
    "type": "azurerm",
    "config": {
    "container_name": "tstate",
    "key": "terraform.tfstate",
    "storage_account_name": "tstate"
    },
    "hash": 3693603136239683338
    },
    ```
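
    Review bot: in the last section, `ARM_ACCESS_KEY=$(az keyvault secret show ...)` assigns a shell variable without `export`, so the `terraform init` that follows will not inherit it unless the variable was already exported in that shell; suggest `export ARM_ACCESS_KEY=$(...)`. That same section is labelled "**Option 2**" although it is the third option. Smaller points: "becasue" in the first "Not ideal" line is misspelled, and only the first state file excerpt is fenced as `json` while the other two use a bare fence.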