We have several Terraform deployments where we use multiple providers, and for some of these providers we store keys/passwords in password stores like AWS SecretsManager or Vault. We’re currently using a pattern like the following:
```hcl
# Read the secret from the secret store (AWS Secrets Manager, Vault, ...)
data "some_secret_provider" "secret" {
  required = args
}

# Feed the fetched value into the downstream provider's configuration
provider "target_provider" {
  secret = data.some_secret_provider.secret.value
}
```
This works fine on plans/applies, but falls over on destroy. On destroy the provider errors about the secret being incorrect. I’ve seen this with multiple data sources, so it looks like Terraform doesn’t run the data source on destroy, so the provider becomes misconfigured.
I am still on Terraform 0.14 unfortunately. Legacy environment, I’m working on it.
Is this the recommended way to get dynamic secrets for providers? I really like that the provider secret config is in the Terraform code, that reduces the amount of environment/wrapper magic we need. Is there a way to flag the data provider as “always evaluate”?
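For readers who want to see the pattern from the question spelled out with real provider blocks, here is an added example; it is not the poster's configuration and does not resolve the destroy-time problem they describe, it only makes the setup concrete. It assumes an AWS Secrets Manager secret named `prod/db/app` holding a JSON document with `username` and `password` keys, a PostgreSQL host `db.internal.example`, the `cyrilgdn/postgresql` provider, and provider versions that are assumptions rather than anything stated in the post.

```hcl
# Added example, not the poster's code. Everything named here (secret id,
# hostname, region, provider versions) is an assumption for illustration.

terraform {
  required_version = "~> 0.14"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
    postgresql = {
      source  = "cyrilgdn/postgresql"
      version = "~> 1.11"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # assumed region
}

# Step 1: read the credential from the secret store. This is a data source,
# so it is evaluated during plan/apply and its result is written to state.
data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/db/app" # assumed secret name
}

locals {
  # Decode the JSON payload once so both fields can be referenced below.
  db_creds = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)
}

# Step 2: configure the downstream provider from the values just fetched.
# No password appears in the Terraform code or in a wrapper script.
provider "postgresql" {
  host     = "db.internal.example" # assumed hostname
  port     = 5432
  username = local.db_creds["username"]
  password = local.db_creds["password"]
  sslmode  = "require"
}

# Something managed through the provider, so that a plan actually exercises
# the provider configuration above.
resource "postgresql_role" "app_reader" {
  name  = "app_reader"
  login = true
}
```

One caveat that applies to this pattern regardless of how the destroy issue is handled: the data source's result, including `secret_string`, is persisted in the Terraform state file, so the state backend needs the same access controls and encryption you would give the secret store itself.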