
Add vault_transit_encrypt and vault_transit_decrypt #872

Merged (2 commits), Oct 2, 2020

Conversation

razaj92 (Contributor) commented Sep 29, 2020

This adds data_sources for encrypting and decrypting a value using the vault transit backend.

This can be useful for storing transit-encrypted strings alongside your Terraform code, to be decrypted and passed into resources at runtime.

Example usage:

provider "vault" {}

variable "secret" {
  # Terraform 0.12+ type constraint (the quoted form "string" is deprecated)
  type    = string
  default = "vault:v1:JSy8PxTGxC+jVtuOaKNjPbQ4Y2eAsYJnezx8U9GW+5DdK4a//g=="
}

resource "vault_mount" "test" {
  path        = "transit"
  type        = "transit"
  description = "This is an example mount"
}

resource "vault_transit_secret_backend_key" "test" {
  backend = "transit"
  name    = "test"
}

data "vault_transit_decrypt" "super_secret_thing" {
  backend    = "transit"
  key        = "test"
  ciphertext = var.secret
}

resource "vault_generic_secret" "super_secret_thing" {
  path      = "secret/super_secret_thing"
  data_json = jsonencode({ "value" = data.vault_transit_decrypt.super_secret_thing.plaintext })
}

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

Release note for CHANGELOG:

Add data_sources for `vault_transit_encrypt` and `vault_transit_decrypt`

Output from acceptance testing:

$ TESTARGS="--run DataSourceTransitDecrypt" make testacc

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v --run DataSourceTransitDecrypt -timeout 120m
?   	github.com/terraform-providers/terraform-provider-vault	[no test files]
?   	github.com/terraform-providers/terraform-provider-vault/cmd/coverage	[no test files]
?   	github.com/terraform-providers/terraform-provider-vault/cmd/generate	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/codegen	(cached) [no tests to run]
?   	github.com/terraform-providers/terraform-provider-vault/generated	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/datasources/transform/decode	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/datasources/transform/encode	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/resources/transform/alphabet	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/resources/transform/role	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/resources/transform/template	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/resources/transform/transformation	(cached) [no tests to run]
?   	github.com/terraform-providers/terraform-provider-vault/schema	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/util	(cached) [no tests to run]
=== RUN   TestDataSourceTransitDecrypt
--- PASS: TestDataSourceTransitDecrypt (0.34s)
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/vault	2.985s

$ TESTARGS="--run DataSourceTransitEncrypt" make testacc
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v --run DataSourceTransitEncrypt -timeout 120m
?   	github.com/terraform-providers/terraform-provider-vault	[no test files]
?   	github.com/terraform-providers/terraform-provider-vault/cmd/coverage	[no test files]
?   	github.com/terraform-providers/terraform-provider-vault/cmd/generate	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/codegen	(cached) [no tests to run]
?   	github.com/terraform-providers/terraform-provider-vault/generated	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/datasources/transform/decode	0.909s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/datasources/transform/encode	1.481s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/resources/transform/alphabet	0.612s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/resources/transform/role	2.014s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/resources/transform/template	1.751s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/generated/resources/transform/transformation	1.184s [no tests to run]
?   	github.com/terraform-providers/terraform-provider-vault/schema	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/util	(cached) [no tests to run]
=== RUN   TestDataSourceTransitEncrypt
--- PASS: TestDataSourceTransitEncrypt (0.27s)
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/vault	2.132s
...

@catsby catsby added this to the vNext milestone Oct 1, 2020
catsby (Contributor) left a comment:

LGTM, thanks!

@catsby catsby merged commit 293699e into hashicorp:master Oct 2, 2020
gw0 commented Nov 6, 2020

I believe a big notice should be added to the docs that this still stores your plaintext secrets in the Terraform state.

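A check for the state-file concern raised above, as an added example that is not part of this PR or the provider: it scans a Terraform state document (v4 layout: `resources` / `instances` / `attributes`) for plaintext recorded by `vault_transit_decrypt` data sources and for any other attribute that embeds that plaintext. The sample state is constructed to mirror the PR's example; the value `hunter2` and the helper names are assumptions.

```python
import json
import re

# Constructed sample Terraform state (v4 layout) modelling the PR's example:
# the vault_transit_decrypt data source and the vault_generic_secret that
# consumes its plaintext. Not a real state file; "hunter2" is a made-up value.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "data", "type": "vault_transit_decrypt", "name": "super_secret_thing",
     "instances": [{"attributes": {
         "backend": "transit", "key": "test",
         "ciphertext": "vault:v1:JSy8PxTGxC+jVtuOaKNjPbQ4Y2eAsYJnezx8U9GW+5DdK4a//g==",
         "plaintext": "hunter2"}}]},
    {"mode": "managed", "type": "vault_generic_secret", "name": "super_secret_thing",
     "instances": [{"attributes": {
         "path": "secret/super_secret_thing",
         "data_json": json.dumps({"value": "hunter2"})}}]},
]})

# Vault transit ciphertext envelope: "vault:v<key version>:<base64>".
TRANSIT_CT = re.compile(r"^vault:v\d+:[A-Za-z0-9+/]+=*$")


def _address(res):
    return ("data." if res.get("mode") == "data" else "") + f"{res['type']}.{res['name']}"


def find_plaintext_leaks(state_json):
    """Return (address, attribute) pairs that hold transit plaintext in state.

    Pass 1 collects every plaintext a vault_transit_decrypt data source
    recorded; pass 2 flags any other attribute embedding one of those values,
    which is how the decrypted secret spreads to dependent resources."""
    resources = json.loads(state_json).get("resources", [])
    plaintexts, findings = set(), []
    for res in resources:
        if res["type"] != "vault_transit_decrypt":
            continue
        for inst in res.get("instances", []):
            pt = inst.get("attributes", {}).get("plaintext")
            if pt and not TRANSIT_CT.match(pt):  # a real value, not an envelope
                plaintexts.add(pt)
                findings.append((_address(res), "plaintext"))
    for res in resources:
        if res["type"] == "vault_transit_decrypt":
            continue
        for inst in res.get("instances", []):
            for name, val in inst.get("attributes", {}).items():
                if isinstance(val, str) and any(pt in val for pt in plaintexts):
                    findings.append((_address(res), name))
    return findings
```

Run it against `terraform state pull` output to see exactly which addresses would expose the secret to anyone with read access to the state backend.
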
dandandy pushed a commit to dandandy/terraform-provider-vault that referenced this pull request Jun 17, 2021
* add data_sources for vault_transit_encrypt and vault_transit_decrypt

* docs: data_sources for vault_transit_encrypt and vault_transit_decrypt