Secret management with terraform cdk
Question
In the past I've used Pulumi which offers a secrets management solution that allows stack based secrets to be checked into git while being encrypted.
I've been looking for a similar solution with Terraform CDK and haven't found one. Does Terraform CDK offer a similar solution so that I don't have to expose my stack based secrets (like mongoPassword in the Pulumi example above)?
Answer 1
Score: 1
Unlike Pulumi, all secrets in terraform are stored in your state in plaintext. There’s an issue that’s been open for 8 years (at the time of writing this answer): https://github.com/hashicorp/terraform/issues/516
There’s also a Gruntwork post on best practice, which specifically states that the secrets aren’t encrypted: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1 (relevant bit about the state is here: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1#c49b)
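An added illustration of the point made in the answer above (this is example code, not part of the original answer and not Terraform's or cdktf's own tooling). CDK for Terraform synthesises ordinary Terraform configuration and uses the ordinary Terraform state, so a value marked `sensitive` is hidden from `plan`/`apply` output but still written to the state file readable. The script below audits a `terraform.tfstate` (state format version 4) before anyone is tempted to commit it: it follows each `sensitive_attributes` path (assumed here to be a list of `get_attr` steps, as in v4 state) and also flags attributes with secret-like names, then reports every value that is readable in plaintext. The `mongodbatlas_database_user` resource and every value in the embedded state are constructed for the example.

```python
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample terraform.tfstate (format version 4); not a real state file.
# The "password" attribute is flagged in sensitive_attributes, yet its value is stored as-is.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "resources": [
        {
            "mode": "managed",
            "type": "mongodbatlas_database_user",
            "name": "app",
            "instances": [
                {
                    "schema_version": 0,
                    "attributes": {
                        "username": "app",
                        "password": "hunter2-example-not-real",   # constructed value
                        "project_id": "000000000000000000000000",  # constructed value
                    },
                    "sensitive_attributes": [
                        [{"type": "get_attr", "value": "password"}]
                    ],
                }
            ],
        }
    ],
})

# Attribute names that usually hold credentials even when the provider did not mark them sensitive.
SUSPICIOUS_NAME = re.compile(r"(password|secret|token|private_key|api_key)", re.I)


def _path_steps(path: Any) -> List[Dict[str, Any]]:
    """Normalise one sensitive_attributes entry (a single step or a list of steps) to a step list."""
    steps = [path] if isinstance(path, dict) else list(path)
    return [s for s in steps if isinstance(s, dict)]


def _resolve(attrs: Dict[str, Any], steps: List[Dict[str, Any]]) -> Optional[Any]:
    """Walk get_attr steps into the attributes dict; unsupported step kinds resolve to None."""
    cur: Any = attrs
    for step in steps:
        if step.get("type") != "get_attr" or not isinstance(cur, dict):
            return None
        cur = cur.get(step.get("value"))
    return cur


def find_plaintext_secrets(state_json: str) -> List[Tuple[str, str, str]]:
    """Return (resource_address, attribute_path, value) for every sensitive-flagged
    or suspiciously named string attribute whose value is readable in the state."""
    state = json.loads(state_json)
    findings: List[Tuple[str, str, str]] = []
    for res in state.get("resources", []):
        address = f'{res.get("type")}.{res.get("name")}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            reported = set()
            # 1) attributes the provider schema marked sensitive
            for path in inst.get("sensitive_attributes", []):
                steps = _path_steps(path)
                name = ".".join(str(s.get("value")) for s in steps)
                value = _resolve(attrs, steps)
                if isinstance(value, str) and value:
                    findings.append((address, name, value))
                    reported.add(name)
            # 2) top-level attributes with credential-like names that were not flagged
            for key, value in attrs.items():
                if key in reported or not SUSPICIOUS_NAME.search(key):
                    continue
                if isinstance(value, str) and value:
                    findings.append((address, key, value))
    return findings


def redact(value: str) -> str:
    """Show only the length of a secret when reporting, never the secret itself."""
    return f"<{len(value)} plaintext chars>"


if __name__ == "__main__":
    for address, name, value in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}: {name} is readable in state ({redact(value)})")
```

Run it against a real state file by replacing `SAMPLE_STATE` with the file's contents; a non-empty result is the concrete reason the answer gives for keeping state out of git and in a remote backend with encryption at rest and access control, rather than relying on `sensitive = true`.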