Secret Referencing #44

Open
fermentfan opened this issue Apr 13, 2023 · 3 comments

@fermentfan

Our current stack relies heavily on referencing secrets. I thought it was possible to create them via the terraform provider, because I saw the following sentence in the docs:

computed (String, Sensitive) The computed secret value, after resolving secret references
(https://registry.terraform.io/providers/DopplerHQ/doppler/latest/docs/resources/secret)

But I couldn't find any way to do this. I guess this is not yet supported?

@nmanoogian
Member

Hi @dennisvonderbey,

Thanks for reaching out! You should be able to set secrets with references using the value field. For example,

resource "random_password" "db_password" {
  length  = 32
  special = true
}

resource "doppler_secret" "db_password" {
  project = "backend"
  config  = "dev"
  name    = "DB_PASSWORD"
  value   = random_password.db_password.result
}

resource "doppler_secret" "db_url" {
  project = "backend"
  config  = "dev"
  name    = "DB_URL"
  value   = "app-user:$${${doppler_secret.db_password.name}}@localhost"
  # The secret will be saved to Doppler as `app-user:${DB_PASSWORD}@localhost`.

  # This could also be written with the name literal `DB_PASSWORD`.
  # The value would be the same but we'd have to explicitly list the dependent secret.

  # value = "app-user:$${DB_PASSWORD}@localhost"
  # depends_on = [
  #   doppler_secret.db_password
  # ]
}

output "computed" {
  # Demonstration purposes only; sensitive values should never be printed.
  value = nonsensitive(doppler_secret.db_url.computed)
  # This will print the secret value with the references "rendered", for example: `app-user:PhA8mPwx4VFvSzhhtBfy8@localhost`
}

As you've likely seen, Doppler uses the "dollar curly" syntax for references (e.g. ${REFERENCE}). HCL uses the same syntax so we have to escape the first dollar curly so it makes it into Doppler in the appropriate format (app-user:$${${doppler_secret.db_password.name}}@localhost).

Does this answer your question? Let me know if there's anything I can clarify.

@fermentfan
Author

fermentfan commented Apr 20, 2023

Thank you for the help! I was totally not thinking it would be so simple 😅 I now tried it out for the first time and I have one suggestion:

In your example you're using a reference to a secret in the same project config. We most often reference secrets in other projects and thus need to reference the full path, which is kind of cumbersome. I'd love if the secrets themselves exposed a kind of FQDN with the full address including project and config.

@nmanoogian
Member

nmanoogian commented Apr 20, 2023

That's an interesting idea and a very good point. To reference a fully qualified secret in another project, you'd end up needing to do:

value   = "app-user:$${${doppler_secret.db_password.project}.${doppler_secret.db_password.config}.${doppler_secret.db_password.name}}@localhost"

Cumbersome to say the least!
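To make the two reference forms discussed in this thread concrete, here is a small Python model of how a secret store resolves `${REF}` references into a "computed" value. It is an added example, not Doppler's implementation or the provider's code: the secret store is constructed inline, and it assumes (a) a bare `${NAME}` refers to a secret in the same project and config, (b) `${project.config.NAME}` is a fully qualified reference as in the previous comment, and (c) a referenced secret's own references are resolved recursively, so a cycle has to be detected. The `hcl_string_literal` helper shows the escaping direction the thread describes (`${` becomes `$${` in an HCL string) and also escapes `%{`, which HCL treats as a template directive.

```python
import re
from typing import Dict, Tuple

# Constructed sample store: (project, config) -> {secret name: raw value}.
# Not real Doppler data. Raw values use the "${REF}" reference syntax.
SECRETS: Dict[Tuple[str, str], Dict[str, str]] = {
    ("backend", "dev"): {
        "DB_PASSWORD": "PhA8mPwx4VFvSzhhtBfy8",
        "DB_URL": "app-user:${DB_PASSWORD}@localhost",  # same-config reference
    },
    ("frontend", "dev"): {
        # Fully qualified cross-project reference (project.config.NAME).
        "API_DB_URL": "${backend.dev.DB_URL}",
    },
}

REF_RE = re.compile(r"\$\{([A-Za-z0-9_.-]+)\}")


class SecretReferenceError(ValueError):
    """Raised for malformed, unknown, or cyclic secret references."""


def _parse_ref(ref: str, project: str, config: str) -> Tuple[str, str, str]:
    """Split a reference body into (project, config, name).

    "DB_PASSWORD"             -> same project/config as the referencing secret
    "backend.dev.DB_PASSWORD" -> fully qualified
    Anything else is rejected rather than guessed at.
    """
    parts = ref.split(".")
    if len(parts) == 1:
        return project, config, parts[0]
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise SecretReferenceError(f"malformed reference: ${{{ref}}}")


def resolve(store: Dict[Tuple[str, str], Dict[str, str]],
            project: str, config: str, name: str,
            _stack: Tuple[Tuple[str, str, str], ...] = ()) -> str:
    """Return the computed value of one secret with all references rendered.

    Assumption (toy model): references are resolved recursively, so the
    referenced secret may itself contain references. `_stack` holds the
    chain of secrets currently being resolved, which is how cycles are caught.
    """
    key = (project, config, name)
    if key in _stack:
        chain = " -> ".join(f"{p}.{c}.{n}" for p, c, n in _stack + (key,))
        raise SecretReferenceError(f"reference cycle: {chain}")
    try:
        raw = store[(project, config)][name]
    except KeyError:
        raise SecretReferenceError(f"unknown secret: {project}.{config}.{name}") from None

    def _sub(match: "re.Match[str]") -> str:
        tp, tc, tn = _parse_ref(match.group(1), project, config)
        return resolve(store, tp, tc, tn, _stack + (key,))

    return REF_RE.sub(_sub, raw)


def hcl_string_literal(value: str) -> str:
    """Render a raw Doppler value as a quoted HCL string literal.

    HCL interpolates "${" and treats "%{" as a template directive, so both
    are escaped by doubling the sigil; backslashes and quotes get the usual
    escapes. The HCL string then evaluates back to `value` byte for byte.
    """
    escaped = (value.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("${", "$${")
                    .replace("%{", "%%{"))
    return f'"{escaped}"'


if __name__ == "__main__":
    print(resolve(SECRETS, "backend", "dev", "DB_URL"))
    print(resolve(SECRETS, "frontend", "dev", "API_DB_URL"))
    print(hcl_string_literal(SECRETS[("backend", "dev")]["DB_URL"]))
```

Resolving `frontend.dev.API_DB_URL` walks two hops (cross-project to `DB_URL`, then same-config to `DB_PASSWORD`) and yields the same rendered string as `backend.dev.DB_URL`, which is the behaviour the `computed` attribute exposes. Feeding a raw value through `hcl_string_literal` is a quick way to check what an HCL `value = "..."` line has to look like before Doppler sees it.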
