Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow access to the secret of a consul token (feature request) #126

Closed
randomswdev opened this issue Jun 27, 2019 · 3 comments
Closed

Allow access to the secret of a consul token (feature request) #126

randomswdev opened this issue Jun 27, 2019 · 3 comments

Comments

@randomswdev
Copy link
Contributor

Terraform Version

Terraform v0.12.0

Affected Resource(s)

  • consul_acl_token

Expected Behavior

After creating a Consul token, it could be necessary to access the associated secret. For example, to configure the Vault's "Consul secret engine" we could use:

resource "vault_consul_secret_backend" "consul_backend" {
  address = "localhost:8500"
  token   = consul_acl_token.root-token.token # token does not exist
}

resource "consul_acl_token" "root-token" {
  description = "Root Token"
  policies = ["global-management"]
}

Actual Behavior

The above code fragment does not work, because the consul_acl_token does not provide a way to retrieve its token (the token attribute does not currently exist).

Proposed solution

One solution could simply add the token attribute to the consul_acl_token resource. The attribute would be computed.
The drawback is that the token would end up in the state; but this is a wider issue that applies to any secret that Terraform has to manage. There is an on-going discussion in order to avoid exposing secrets in the Terraform state (issue hashicorp/terraform#516).

Alternatively we can create a new resource that mimics the behavior of consul_acl_token but also exposes the token. This would prevent current users of the consul_acl_token resource to have the token exposed in their Terraform state, but will basically generate some duplication.

As a final option, we could create a data entity that allows retrieving the token. In this scenario I'm not sure if we can populate a data with information coming from a just created resource.

If we agree on a design, we can contribute a pull request implementing it.
@remilapeyre
Copy link
Contributor

Hi @randomswdev, we had a lot of discussion on this and this is pretty much all the alternatives. We decided to go with a separate data source wo the secret token would not be exposed in the Terraform state when it is not needed.

An example of the resource is here #110 (comment).

Let me know if you want to contribute it, otherwise I will do it.

@randomswdev
Copy link
Contributor Author

I can work on this next week, impmeneting a data source as you suggested above. Let me know if this plan is fine for you.

@marimp marimp mentioned this issue Jul 10, 2019
Closed
@remilapeyre remilapeyre mentioned this issue Jul 31, 2019
Merged
@randomswdev
Copy link
Contributor Author

I think this can be closed now that pull request #137 has been merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@randomswdev @remilapeyre