Add option to terraform-to-secrets to search for secrets in remote state resources #113

Open
wants to merge 1 commit into
base: develop

dav3r
Member

@dav3r dav3r commented Mar 10, 2025

🗣 Description

This PR adds a new --remote-state option to the terraform-to-secrets script. When the option is included, the script will search for secrets in Terraform remote state resources. When the option is excluded, it will only search for secrets in the local state resources. This changes the behavior of terraform-to-secrets because it would previously search in the remote state by default.

💭 Motivation and context

There are some cases when it may be desirable to search for secrets in remote state resources, but generally, we will only want to search the local state.

This change was prompted by a situation (in cisagov/ansible-role-cdm-nessus-agent#62) where the intended TEST_ROLE_TO_ASSUME for the ansible-role-cdm-nessus-agent was being overwritten by an additional TEST_ROLE_TO_ASSUME that was included in the remote state for ansible-role-cdm-certificates. Adding this new option will allow us to avoid situations like this in the future.

🧪 Testing

I tested these changes by running the script in a repository that had secrets in both the local state and remote state. I confirmed that the changes worked as expected.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated
    to reflect the changes in this PR.
  • All new and existing tests pass.

Now by default, remote state resources will be excluded from the search for secrets unless specifically requested via the new --remote-state option.
@dav3r dav3r added the improvement label (This issue or pull request will add or improve functionality, maintainability, or ease of use) Mar 10, 2025
@dav3r dav3r requested a review from a team March 10, 2025 19:08
@dav3r dav3r self-assigned this Mar 10, 2025
@dav3r dav3r requested review from felddy, jsf9k and mcdonnnj as code owners March 10, 2025 19:08
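
The overwrite described in the PR's motivation, as an added example that is not code from this PR or from terraform-to-secrets: it walks a constructed Terraform state document, skips `terraform_remote_state` data sources by default, and reports name collisions when they are included. The `Secret_Name` tag convention, the `collect_secrets` and `tagged_secrets` helpers, the `include_remote_state` parameter, and the sample ARNs are all assumptions made for illustration.

```python
# Assumed convention (not from the PR): a secret is any object tagged
# "Secret_Name", and its "arn" attribute is the value to publish.
SECRET_TAG = "Secret_Name"

def _role(arn):
    return {"arn": arn, "tags": {SECRET_TAG: "TEST_ROLE_TO_ASSUME"}}

# Constructed Terraform state (v4 layout); ARNs and names are made up.
SAMPLE_STATE = {"version": 4, "resources": [
    {"mode": "managed", "type": "aws_iam_role", "name": "test",
     "instances": [{"attributes": _role("arn:aws:iam::111111111111:role/nessus-test")}]},
    {"mode": "data", "type": "terraform_remote_state", "name": "certificates",
     "instances": [{"attributes": {"outputs": {"value": {
         "test_role": _role("arn:aws:iam::111111111111:role/certificates-test")}}}}]},
]}

def tagged_secrets(node):
    """Recursively yield (name, value) for every object carrying SECRET_TAG."""
    if isinstance(node, dict):
        tags = node.get("tags")
        if isinstance(tags, dict) and SECRET_TAG in tags:
            yield tags[SECRET_TAG], node.get("arn")
        for child in node.values():
            yield from tagged_secrets(child)
    elif isinstance(node, list):
        for child in node:
            yield from tagged_secrets(child)

def collect_secrets(state, include_remote_state=False):
    """Return (secrets, collisions); remote state is searched only on request."""
    secrets, collisions = {}, []
    for res in state.get("resources", []):
        remote = (res.get("mode"), res.get("type")) == ("data", "terraform_remote_state")
        if remote and not include_remote_state:
            continue  # default: local state only
        for name, value in tagged_secrets(res.get("instances", [])):
            if name in secrets and secrets[name] != value:
                collisions.append((name, secrets[name], value))
            secrets[name] = value  # last writer wins: this is the overwrite
    return secrets, collisions

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, collect_secrets(SAMPLE_STATE, include_remote_state=flag))
```

A non-empty collision list is a useful pre-publish check: it shows that a secret name resolved to different values in local and remote state before anything is written to the repository's secrets.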