Proposal: store sensitive values in state as a hash rather than the value itself #36133

Closed
jamesla opened this issue Nov 28, 2024 · 2 comments
Labels
enhancement new new issue not yet triaged


jamesla commented Nov 28, 2024

Terraform Version

n/a

Use Cases

Simplifying secret management by allowing us to store in state.

Attempted Solutions

n/a

Proposal

Terraform obviously stores all values (including sensitive values) in state, which is not secure.

My suggestion is to store a hash of sensitive values in state rather than the value itself. That way sensitive values could be stored in state and Terraform would still know if it needs to replace resources without violating security principles or requiring a separate solution to manage secrets independently of the stack.

Thoughts?

References

No response

@jamesla jamesla added enhancement new new issue not yet triaged labels Nov 28, 2024
@jamesla jamesla changed the title from "Storing sensitive values as a hash" to "Proposal: store sensitive values in state as a hash rather than the value itself" Nov 28, 2024
Member

jbardin commented Nov 29, 2024

Hi @jamesla,

The provider plugin protocol requires that the values saved by the provider are always returned to the provider unchanged; they cannot be changed in the state. The new Ephemeral Values project is working towards a new system for avoiding stored secrets in the state.

@jbardin jbardin closed this as not planned Nov 29, 2024
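The trade-off discussed in this thread, as an added sketch that is not Terraform's code and not written by either participant: storing a digest is enough to detect that a configured secret changed, but the stored object no longer matches what the provider saved. `State`, `SaveHashed`, `NeedsChange` and `RoundTrips` are hypothetical names, state is modelled as a flat string map, and the sample values are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// State is a hypothetical flat stand-in for one resource's stored attributes.
type State map[string]string

// digest returns the hex SHA-256 of a value, as the proposal would store it.
func digest(v string) string {
	sum := sha256.Sum256([]byte(v))
	return hex.EncodeToString(sum[:])
}

// SaveHashed stores a digest in place of each attribute named in sensitive.
func SaveHashed(attrs State, sensitive map[string]bool) State {
	out := State{}
	for k, v := range attrs {
		if sensitive[k] {
			v = digest(v)
		}
		out[k] = v
	}
	return out
}

// NeedsChange compares a configured value against the stored digest.
func NeedsChange(stored State, key, configured string) bool {
	return stored[key] != digest(configured)
}

// RoundTrips reports whether the provider gets back exactly what it saved.
func RoundTrips(saved, returned State) bool {
	for k, v := range saved {
		if returned[k] != v {
			return false
		}
	}
	return len(saved) == len(returned)
}

func main() {
	// Constructed sample values, not real credentials.
	saved := State{"username": "app", "password": "constructed-example-secret"}
	stored := SaveHashed(saved, map[string]bool{"password": true})
	fmt.Println(NeedsChange(stored, "password", "rotated-value"), RoundTrips(saved, stored))
}
```

A plain digest of a short or guessable secret can still be recovered by offline guessing, so the sketch shows the change-detection mechanics only.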
Contributor

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2024