Use Cases
simplifying secret management by allowing us to store in state
Attempted Solutions
n/a
Proposal
Terraform obviously stores all values (including sensitive values) in state, which is not secure.
My suggestion is to store a hash of sensitive values in state rather than the value itself; that way sensitive values could be stored in state and Terraform would still know if it needs to replace resources without violating security principles or requiring a separate solution to manage secrets independently of the stack.
Thoughts?
References
No response
jamesla changed the title from "Storing sensitive values as a hash" to "Proposal: store sensitive values in state as a hash rather than the value itself" on Nov 28, 2024
The provider plugin protocol requires that the values saved by the provider are always returned to the provider unchanged; they cannot be changed in the state. The new Ephemeral Values project is working towards a new system for avoiding stored secrets in the state.
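A toy model of the exchange above, added here as an example; it is not Terraform's code or the provider plugin protocol. The functions `save_hashed`, `changed_attrs` and `roundtrip_ok` and the sample values are hypothetical: they show that a digest in state is enough to detect a change, but is no longer the value the provider saved.

```python
import hashlib

# Constructed sample data; not real credentials.
SAVED = {"username": "app", "password": "s3cr3t-constructed"}
SENSITIVE = {"password"}


def digest(value: str) -> str:
    """SHA-256 hex digest, standing in for the 'hash' in the proposal."""
    return hashlib.sha256(value.encode()).hexdigest()


def save_hashed(attrs: dict, sensitive: set) -> dict:
    """Hypothetical state writer: sensitive attributes are stored as digests."""
    return {k: digest(v) if k in sensitive else v for k, v in attrs.items()}


def changed_attrs(state: dict, config: dict, sensitive: set) -> list:
    """Change detection still works: hash the configured value and compare."""
    return sorted(
        k for k, v in config.items()
        if state.get(k) != (digest(v) if k in sensitive else v)
    )


def roundtrip_ok(saved_by_provider: dict, state: dict) -> bool:
    """The constraint from the reply: the provider must get back, unchanged,
    exactly what it saved."""
    return state == saved_by_provider


if __name__ == "__main__":
    state = save_hashed(SAVED, SENSITIVE)
    rotated = {**SAVED, "password": "rotated-constructed"}
    print("diff, same config:   ", changed_attrs(state, SAVED, SENSITIVE))
    print("diff, rotated secret:", changed_attrs(state, rotated, SENSITIVE))
    print("round-trip, hashed state:", roundtrip_ok(SAVED, state))
    print("round-trip, plain state: ", roundtrip_ok(SAVED, dict(SAVED)))
```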
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.