Secret management with terraform cdk

Question

In the past I've used Pulumi which offers a secrets management solution that allows stack based secrets to be checked into git while being encrypted.

I've been looking for a similar solution with Terraform CDK and haven't found one. Does Terraform CDK offer a similar solution so that I don't have to expose my stack based secrets (like mongoPassword in the Pulumi example above)?

Answer 1

Score: 1

Unlike Pulumi, all secrets in Terraform are stored in your state in plaintext. There’s an issue that’s been open for 8 years (at the time of writing this answer): https://github.com/hashicorp/terraform/issues/516

There’s also a Gruntwork post on best practice, which specifically states that the secrets aren’t encrypted: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1 (relevant bit about the state is here: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1#c49b)
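The plaintext storage described in the answer can be checked with a short state audit. This is an added example, not code from the answer or from Terraform; the state layout (version 4, with a per-instance `sensitive_attributes` path list), the sample state and the function names are assumptions made for illustration.

```python
import json

# Constructed sample in the version-4 state layout (assumed: what recent
# Terraform writes to terraform.tfstate). All values are made up.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "managed", "type": "random_password", "name": "mongo",
     "instances": [{
         "attributes": {"length": 20, "result": "constructed-Pa55word"},
         "sensitive_attributes": [[{"type": "get_attr", "value": "result"}]],
     }]},
    {"mode": "managed", "type": "null_resource", "name": "noop",
     "instances": [{"attributes": {"id": "42"}, "sensitive_attributes": []}]},
]})


def follow(attributes, path):
    """Resolve one sensitive_attributes path; None if it does not resolve."""
    node = attributes
    for step in path:
        key = step["value"]
        if isinstance(key, dict):        # index steps wrap the key: {"value": 0, ...}
            key = key.get("value")
        try:
            node = node[int(key)] if isinstance(node, list) else node[key]
        except (KeyError, IndexError, TypeError, ValueError):
            return None
    return node


def plaintext_sensitive_values(state_text):
    """List (address, attribute path, value) for attributes marked sensitive.

    The marker only hides values in CLI output; the value is plain JSON here.
    """
    findings = []
    for res in json.loads(state_text).get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            for path in inst.get("sensitive_attributes") or []:
                dotted = ".".join(str(s["value"]) for s in path)
                findings.append((address, dotted, follow(inst.get("attributes") or {}, path)))
    return findings


if __name__ == "__main__":
    for address, attr, value in plaintext_sensitive_values(SAMPLE_STATE):
        # Report length only, so the audit output does not leak the secret again.
        print(f"{address}.{attr}: readable in state ({len(str(value))} chars)")
```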

huangapple
  • Published on January 8, 2023, 22:03:04
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75048358.html