How to Manage Secrets in Terraform?

  • Published: 13 Jul 2024
  • 🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com
    ▬▬▬▬▬ Experience & Location 💼 ▬▬▬▬▬
    ► I’m a Senior Software Engineer at Juniper Networks (12+ years of experience)
    ► Located in San Francisco Bay Area, CA (US citizen)
    ▬▬▬▬▬▬ Connect with me 👋 ▬▬▬▬▬▬
    ► LinkedIn: / anton-putra
    ► Twitter/X: / antonvputra
    ► GitHub: github.com/antonputra
    ► Email: me@antonputra.com
    ▬▬▬▬▬▬ Related videos 👨‍🏫 ▬▬▬▬▬▬
    👉 [Playlist] Kubernetes Tutorials: • Kubernetes Tutorials
    👉 [Playlist] Terraform Tutorials: • Terraform Tutorials fo...
    👉 [Playlist] Network Tutorials: • Network Tutorials
    👉 [Playlist] Apache Kafka Tutorials: • Apache Kafka Tutorials
    👉 [Playlist] Performance Benchmarks: • Performance Benchmarks
    👉 [Playlist] Database Tutorials: • Database Tutorials
    ▬▬▬▬▬▬▬ Timestamps ⏰ ▬▬▬▬▬▬▬
    0:00 Intro
    3:46 Environment Variables
    10:12 Encrypted Files (KMS, PGP, SOPS)
    14:08 Secret Stores (Vault, AWS/GCP Secrets Manager)
    ▬▬▬▬▬▬▬ Source Code 📚 ▬▬▬▬▬▬▬
    ► GitHub: github.com/antonputra/tutoria...
    #terraform #devops #cloud

Comments • 73

  • @AntonPutra  1 year ago +2

    🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com

  • @dmitrikonnov922  1 year ago +6

    This video is PURE GOLD.

  • @gorandev  22 days ago +1

    Very informative video, I didn't know about the "pass" password manager. Thank you.

  • @user-iw1ut3mb1k  1 year ago +6

    Another cool way is to store the sensitive values in SSM parameter store and then using the data source to pull it into your terraform.

    • @AntonPutra  1 year ago

      yeap

    • @yogithakakarla1716  1 year ago

      Could you please share with us how to do this?

    • @yogithakakarla1716  1 year ago

      Please let us know how to do this @anton putra

    • @puttenicole  1 year ago +4

      @@yogithakakarla1716
      data "aws_ssm_parameter" "token" {
        name = "/mysecret/token"
      }
      # then reference the decrypted value with:
      data.aws_ssm_parameter.token.value

    • @George-mk7lp  1 year ago

      @@puttenicole thanks!

  • @azerbaijan50  1 year ago +2

    Thank you for this great video. You do priceless things here.

  • @bobrt3739  1 month ago +2

    Great

  • @prashlovessamosa  1 year ago +2

    Awesomely Explained.

  • @yasharsultanov1749  1 year ago +3

    Anton, you can't even imagine how much you have helped me. Thank you!

  • @kruchkov.alexandr  1 year ago +3

    Thank you, a very useful lesson, I even bookmarked it.

  • @kelvinonuchukwu8215  1 year ago +1

    Superb!!

  • @karthikreddy6638  1 year ago +4

    Hi Anton, as usual really great content. Kudos to you for putting out such high-quality content every time.
    Maybe you can do a playlist on central logging solutions for k8s pods. Just a suggestion for future videos. Thanks again. Appreciate the effort you put behind these videos. 🎉

    • @AntonPutra  1 year ago

      Thanks for the suggestion, will do in the future!

  • @GunShot109  1 month ago +1

    very informative

  • @diegonayalazo  1 month ago +1

  • @Wzooff  1 year ago +1

    Due to recent AWS provider changes we can get rid of passwords for RDS using the manage_master_user_password attribute :)
    Databases for me were the last thing that required creating passwords. Everything else can be managed with IAM roles without passwords/keys at all.

  • @suoncha  1 year ago +1

    Awesome! Btw, I'm using Vault hosted on an EC2 for storing secrets recently. What's your opinion about its downsides compared to managed services? Besides having to manage it yourself lol

    • @AntonPutra  1 year ago +3

      I would personally prefer to use self managed services like vault, well partially because we use multiple clouds.

  • @aminniktash9006  10 months ago +1

    Great video, especially the second part. Thanks in advance. Would you please explain, after securing the secrets with the latest method, do we still have them as plain text in the state file or not? You didn't demo that part at the end of your video.

    • @AntonPutra  10 months ago +1

      Thank you! Yes, unfortunately, in the Terraform state, you'll find those secrets in plain text. It's a well-known issue that HashiCorp didn't want to resolve. They want everybody to migrate to Terraform Cloud. Now, after the fork "OpenTF," they immediately implemented encryption of those secrets. We may need to wait a few more weeks until they officially release it.

  • @scottamolinari  8 months ago

    A very k8s-centric (i.e. the private key stays inside the cluster) method of encrypting secrets and being able to save them external to the cluster is via Bitnami's Sealed Secrets.

    • @AntonPutra  8 months ago

      Yes, but it's hard to rotate and quickly revoke, unless you have a script that pulls the secrets and creates a sealed secret out of them.

    • @scottamolinari  8 months ago

      @@AntonPutra- Um, no matter what system you use, you always have to have some process to generate the secret, encrypt it and save it.

    • @AntonPutra  8 months ago +1

      @@scottamolinari Sure, I've been using Sealed Secrets in production for the last 5 years and have never had any issues. The only exception was with GKE, where you need to open an additional port between the master and nodes to pull the public cert for encrypting your secrets, because it uses kubectl proxy.

  • @YordisPrieto  1 year ago

    What about the usage of the random_password resource?
    Would you recommend removing it? Or is there any way to leverage the random_password resource securely? I am on DigitalOcean, so I do not have KMS or something alike at the moment.

    • @AntonPutra  1 year ago

      you can use it for testing =) basically you use the state to store your secret

    • @NeimorJeck  1 year ago

      It's not the most convenient option. Instead of managed SMs from public cloud providers you can use Vault as a self-hosted solution and get sensitive data into Terraform using the same approach.

    • @YordisPrieto  1 year ago

      Definitely just for testing 😛
      I did deploy Vault, but I have a cyclical dependency since I use Terraform to deploy Vault, so at some point in the infra I don't have Vault available 🥲

  • @samratchaudhary8511  1 year ago

    Sir, can you teach us how to create a cross-account deployment using a Terraform module in a Jenkins CI/CD pipeline?

    • @AntonPutra  1 year ago

      Do you mean help to set up IAM roles for Terraform?

    • @samratchaudhary8511  1 year ago

      @@AntonPutra Yes, sir! Using IAM roles to deploy to dev, staging and production: steps and strategy!

  • @SANTOSHSINGH4U  2 months ago

    Is there a way to extract credentials from Azure Key Vault, run Terraform and pass these values to Azure Pipelines? I'm looking for a similar solution in Azure around service principals.

    • @AntonPutra  2 months ago

      I assume it's possible, but you or your role need to have permissions for that vault secret

  • @kruchkov.alexandr  1 year ago

    Am I understanding correctly that the combination of SOPS + KMS is not the best choice because the password is stored in the state?
    So, from the perspective of Git + CI/CD, it's beautiful and protected, but the state itself contains passwords and tokens.

    • @AntonPutra  1 year ago +1

      Whatever option you choose, secrets will also be stored in plain text in the Terraform state. In my opinion, cloud-managed services (secrets managers) are more convenient in the long run than SOPS, etc.

  • @biLLie_wiLLie  1 year ago +1

    Nice video! Are you a DevOps?

    • @AntonPutra  1 year ago

      SRE if you ask my manager lol

  • @lakshayarora3935  1 year ago

    Great video. I would like to know why pass doesn't pop up again to enter the passphrase (to retrieve the password) once we have got the password. So, every time we need the password, it should ask for the passphrase.

    • @AntonPutra  1 year ago

      it does only if you enter it initially

    • @lakshayarora3935  1 year ago

      @@AntonPutra But that will not work in Production environments.

    • @AntonPutra  11 months ago

      @@lakshayarora3935 I would use cloud secret managers for prod

  • @yogithakakarla1716  11 months ago +1

    Show us how to do it using HashiCorp Vault

    • @AntonPutra  11 months ago

      Ok, there are so many different integrations.. I'll make one soon

  • @YordisPrieto  1 year ago +1

    Second

  • @degeneric9618  2 months ago

    4:20 for future reference

  • @domw2391  1 year ago +1

    Looks like AWS Secrets Manager is the easiest way

    • @AntonPutra  1 year ago +2

      💯 or vault

    • @George-mk7lp  1 year ago

      Using Secrets Manager, will it still store the secret value in the state file?

  • @H4KnSL4K  6 months ago

    Ugh. Why are you using MacOS? With your knowledge, I was assuming you'd be running Linux...

    • @AntonPutra  6 months ago +1

      Well, 90% of the software engineers in the Bay Area use MacOS, mostly because companies provide it. Some startups use Linux, but to be compliant, I guess they force us to use Mac.

    • @AntonPutra  6 months ago +1

      Also, Adobe won't run on Linux, so I don't want to be constantly switching between two laptops.

  • @redfox6179  1 year ago

    Hi, do you have Telegram?

    • @AntonPutra  1 year ago

      I do, also I have email me@antonputra.com =)

    • @Alex-tv1fp  1 year ago

      The only thing I don't like about this video is that you are reading text instead of giving a real "explanation".

  • @shantipahari  1 year ago

    db_creds = jsondecode(
    │ 7: data.aws_secretsmanager_secret_version.creds.secret_string
    │ 8: )
    │ ├────────────────
    │ │ while calling jsondecode(str)

    │ Call to function "jsondecode" failed: invalid character '"' after object key:value pair.

    • @shantipahari  1 year ago

      I tried to follow this but I got the following error

    • @kurtcobain5294  11 months ago

      So you can't read? @@shantipahari
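The following is an added example, not code from the video or from any of the commenters. It ties together the SSM Parameter Store data source suggested in @puttenicole's reply, the jsondecode error posted by @shantipahari (the stored secret was not valid JSON), and the caveat from the thread with @kruchkov.alexandr that the secret still ends up in the Terraform state. Parameter name, secret name, DB settings and the hypothetical key layout are placeholders.

```hcl
# Added example; /mysecret/token, prod/db/creds and the DB settings are placeholders.

# SSM Parameter Store (suggested in the comments); with_decryption is needed for
# SecureString values and the decrypted value is data.aws_ssm_parameter.token.value.
data "aws_ssm_parameter" "token" {
  name            = "/mysecret/token"
  with_decryption = true
}

# AWS Secrets Manager (covered in the video). The secret is expected to hold a
# JSON object such as {"username": "app", "password": "..."}.
data "aws_secretsmanager_secret_version" "creds" {
  secret_id = "prod/db/creds"
}

locals {
  raw_creds = data.aws_secretsmanager_secret_version.creds.secret_string
  # jsondecode() reports "invalid character ... after object key:value pair"
  # when the stored value is not valid JSON (e.g. a missing comma between the
  # two fields). try() yields null here instead of aborting with the raw error.
  db_creds = try(jsondecode(local.raw_creds), null)
}

resource "aws_db_instance" "db" {
  allocated_storage   = 20
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  username            = try(local.db_creds.username, null)
  password            = try(local.db_creds.password, null)
  skip_final_snapshot = true

  lifecycle {
    # Fail the plan with a readable message instead of the parser error.
    precondition {
      condition     = can(local.db_creds.username) && can(local.db_creds.password)
      error_message = "Secret prod/db/creds must be a JSON object with username and password keys."
    }
  }
}

# sensitive = true only redacts CLI output. As noted in the comments, the value
# is still written in plain text to the Terraform state, so the state backend
# (e.g. S3 with SSE-KMS and a restrictive bucket policy, or OpenTofu state
# encryption) must be protected as carefully as the secret itself.
output "db_password" {
  value     = aws_db_instance.db.password
  sensitive = true
}
```

Running `terraform plan` against a secret with malformed JSON now stops at the precondition message rather than the bare jsondecode error; inspecting `terraform state pull` afterwards shows why the state backend needs the same protection as the secret store.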