instructure/terraform-provider-credstash

 
 

Terraform provider for credstash secrets

Read secrets stored with credstash.

Install

  1. Download the binary for your platform

  2. Create the terraform plugin directory

     $ mkdir -p ~/.terraform.d/plugins
    
  3. Copy the provider binary to the terraform plugin directory

     $ cp /path/to/terraform-provider-credstash ~/.terraform.d/plugins/terraform-provider-credstash_v0.5.0
    
  4. Profit

From source

$ git clone https://github.com/joshuamorris3/terraform-provider-credstash.git
$ cd /path/to/terraform-provider-credstash
$ make install

Usage

provider "credstash" {
    table  = "credential-store"
    region = "us-east-1"
}

data "credstash_secret" "rds_password" {
    name = "rds_password"
}

data "credstash_secret" "my_secret" {
    name    = "some_secret"
    version = "0000000000000000001"
}

resource "aws_db_instance" "postgres" {
    password = "${data.credstash_secret.rds_password.value}"

    # other important attributes
}

You can override the table on a per data source basis:

data "credstash_secret" "my_secret" {
    table   = "some_table"
    name    = "some_secret"
    version = "0000000000000000001"
}

AWS credentials

AWS credentials are not directly set. Use one of the methods discussed here.

You can set a specific profile to use:

provider "credstash" {
    region  = "us-east-1"
    profile = "my-profile"
}

You can set a specific role ARN:

provider "credstash" {
    region  = "us-east-1"
    assume_role {
        role_arn         = "arn:aws:iam::<account>:<role name>"
        duration_seconds = 600
    }
}

Custom KMS key

If you are using a custom KMS key to encrypt your secrets, you will need to provide the key ID, ARN, alias, or alias ARN as the value for key_id. See the KeyId description in the AWS SDK documentation for EncryptInput or DecryptInput.

provider "credstash" {
    table   = "credential-store"
    region  = "us-east-1"
    assume_role {
        role_arn         = "arn:aws:iam::<account>:<role name>"
        duration_seconds = 600
    }
    key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"
}
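
The role named in assume_role only has to read and decrypt secrets, so it can be scoped to the one table and the one KMS key. The policy below is an added example, not part of this project: the account ID 111122223333, the role name terraform-credstash-reader and the policy name are placeholders, and the action list is an assumption based on credstash's documented reader permissions (which also list dynamodb:Scan; add it if the provider reports an access error).

```hcl
# Added example: read-only access for the role used in assume_role.
# Placeholders (not from this project): account ID 111122223333,
# role name "terraform-credstash-reader", policy name "credstash-read".
# Table, region and key ID are the sample values from the provider block above.

data "aws_iam_policy_document" "credstash_read" {
  # Read secret items from the credstash table only.
  statement {
    sid       = "ReadSecretItems"
    actions   = ["dynamodb:GetItem", "dynamodb:Query"]
    resources = ["arn:aws:dynamodb:us-east-1:111122223333:table/credential-store"]
  }

  # Decrypt only with the key that protects the stored secrets.
  statement {
    sid       = "DecryptWithCredstashKey"
    actions   = ["kms:Decrypt"]
    resources = ["arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
  }
}

# Attach the policy inline to the role that Terraform assumes.
resource "aws_iam_role_policy" "credstash_read" {
  name   = "credstash-read"
  role   = "terraform-credstash-reader"
  policy = "${data.aws_iam_policy_document.credstash_read.json}"
}
```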

Development

Dependencies are managed with Go modules, so you will need Go 1.11+.

  1. Clone the repo: git clone https://github.com/joshuamorris3/terraform-provider-credstash.git
  2. Run make test to run all tests

Contributing

  1. Fork the project and clone it locally
  2. Open a feature branch: git checkout -b my-awesome-feature
  3. Make your changes
  4. Commit your changes
  5. Push your changes
  6. Open a pull request
