GCP Terraform Secret Manager

In the code below, which is taken from the Terraform Registry, if we pass the secret value, it is passed as plain text. We need to pass the secret value, but once we pass the value nobody else can see the secret value, even if they clone the repository where our code or state file is stored. Is there any way?

resource "google_secret_manager_secret" "secret-basic" {
  secret_id = "secret"

  labels = {
    label = "my-label"
  }

  replication {
    user_managed {
      replicas {
        location = "us-central1"
      }
      replicas {
        location = "us-east1"
      }
    }
  }
}

I generally create the secret resource and its permissions via Terraform, but manage the secret versions themselves out of band (i.e., using the CLI or web console).

I would suggest using object storage (GCS or similar) for your state vs. checking a state file into version control, but either way, the same problem exists - the secret may be encrypted at rest technically, but anyone who can access the state file can view the value. Marking it secret won’t help as far as anyone / anything that can read the state file.

Once ephemeral values are supported in the provider, you may have a little bit easier time using secret manager secret values within Terraform, but I’m not sure it will make it much easier to populate them.
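The answer's point that anyone who can read the state file can view the value, shown as an added example (not code from this thread or from Terraform): a Python check that flags a state file holding a Secret Manager payload, for either a managed `google_secret_manager_secret_version` or the data source of the same name. The sample state, the project id and the function name `find_plaintext_secrets` are constructed for illustration.

```python
import json

# Constructed sample of a Terraform state file (not from the page); the
# project id and the secret value are made up for this example.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "google_secret_manager_secret",
         "name": "secret-basic",
         "instances": [{"attributes": {"secret_id": "secret"}}]},
        {"mode": "managed", "type": "google_secret_manager_secret_version",
         "name": "v1",
         "instances": [{"attributes": {
             "secret": "projects/example-project/secrets/secret",
             "secret_data": "constructed-plaintext-value"}}]},
    ],
})

# Resource type -> attributes that carry the secret payload in state.
PAYLOAD_ATTRS = {"google_secret_manager_secret_version": ("secret_data",)}


def find_plaintext_secrets(state_text):
    """Return (address, attribute, length) for each payload stored in state."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        wanted = PAYLOAD_ATTRS.get(res.get("type"), ())
        if not wanted:
            continue
        # Managed resources and data sources are both persisted in state.
        kind = "data." if res.get("mode") == "data" else ""
        module = res["module"] + "." if res.get("module") else ""
        for inst in res.get("instances", []):
            address = f"{module}{kind}{res['type']}.{res['name']}"
            if "index_key" in inst:  # count / for_each instances
                address += f"[{json.dumps(inst['index_key'])}]"
            attributes = inst.get("attributes") or {}
            for attr in wanted:
                if attributes.get(attr):
                    # Report the length only, so the audit output never
                    # repeats the secret itself.
                    findings.append((address, attr, len(attributes[attr])))
    return findings


if __name__ == "__main__":
    for address, attr, size in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}: {attr} is stored in state ({size} characters)")
```

A configuration that creates only the secret and its permissions, as the answer describes, produces no findings because no version payload is ever written to state.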