How to generate a sensitive file locally without having anything in the state?

This is what I’ve been using so far to generate a local file with some sensitive content:

Terraform Configuration

# Terraform Cloud Remote Backend

variable "domain_join_username" {
  type      = string
  sensitive = true
}

variable "domain_join_password" {
  type      = string
  sensitive = true
}

resource "local_sensitive_file" "packer_secrets" {
  filename = "../packer/secrets.pkrvars.hcl"
  content = templatefile("./templates/packer-secret-vars.tpl", {
    software_container_url = azurerm_storage_container.software.id
    sas_token              = data.azurerm_storage_account_blob_container_sas.software_sas.sas
    domain_join_username   = var.domain_join_username
    domain_join_password   = var.domain_join_password
  })
}

But I have realised that its content gets tracked in my Remote Backend (TF Cloud).

What other options do I have to achieve this, without leaking sensitive data in my remote state?

This is an example of something that is better done completely outside of Terraform.

Terraform has a fair amount of flexibility in defining resources, but it’s not a general-purpose programming language, and this is a case where it’s not the right tool for the job.
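
One way to follow this advice, as an added example that is not part of the original answer: a shell function that writes the Packer variable file directly, so the values never pass through Terraform or its state. It assumes the four values arrive as environment variables from a secret store or CI system, and that the file's keys match the `templatefile()` arguments in the question (the template itself is not shown).

```shell
#!/bin/sh
# Added example (not from the thread): render the Packer variable file
# outside Terraform, so Terraform never handles the values it contains.
# Assumptions: values arrive as environment variables; key names mirror the
# templatefile() arguments in the question.

# Escape a value for a double-quoted HCL string: backslash, quote, and the
# template openers ${ and %{ (written $${ and %%{ to be taken literally).
hcl_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    -e 's/\${/$${/g' -e 's/%{/%%{/g'
}

# The body runs in a subshell so umask, trap and exit stay local to the call.
render_packer_secrets() (
  out=$1
  : "${SOFTWARE_CONTAINER_URL:?not set}" "${SAS_TOKEN:?not set}" \
    "${DOMAIN_JOIN_USERNAME:?not set}" "${DOMAIN_JOIN_PASSWORD:?not set}"
  nl='
'
  for v in "$SOFTWARE_CONTAINER_URL" "$SAS_TOKEN" \
           "$DOMAIN_JOIN_USERNAME" "$DOMAIN_JOIN_PASSWORD"; do
    # A raw newline would break out of the single-line HCL string.
    case $v in *"$nl"*) echo "value contains a newline" >&2; exit 1 ;; esac
  done
  umask 077                              # new files: owner read/write only
  tmp=$(mktemp "$out.XXXXXX") || exit 1  # same directory, so mv is atomic
  trap 'rm -f "$tmp"' EXIT               # no partial file left on failure
  {
    printf 'software_container_url = "%s"\n' "$(hcl_escape "$SOFTWARE_CONTAINER_URL")"
    printf 'sas_token              = "%s"\n' "$(hcl_escape "$SAS_TOKEN")"
    printf 'domain_join_username   = "%s"\n' "$(hcl_escape "$DOMAIN_JOIN_USERNAME")"
    printf 'domain_join_password   = "%s"\n' "$(hcl_escape "$DOMAIN_JOIN_PASSWORD")"
  } > "$tmp" || exit 1
  mv "$tmp" "$out"
)
```

Call it as `render_packer_secrets ../packer/secrets.pkrvars.hcl` after the environment is populated, and keep that path out of version control.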