Add support for .tfvars files #78

Open
cippaciong opened this issue Nov 8, 2021 · 3 comments
cippaciong commented Nov 8, 2021

Hello, I was wondering if there is any plan (assuming there is a way to implement it, which I'm not sure about) to add support for encrypted .tfvars files in addition to YAML and JSON.

I have used encrypted .tfvars files with SOPS and terragrunt in the past, relying on terragrunt pre/post hooks to decrypt and encrypt .tfvars files before I fed them to terraform using -var-file flags.

I think it would be nice if we could have support for .tfvars files here, in order to have all the consistency checks provided by terraform on variables (type checking, checking if they have been declared, etc.).

To be more specific, this is what I have in mind:

```hcl
# secrets.enc.tfvars
password = "superSecret"
```

```hcl
# main.tf
terraform {
  required_providers {
    sops = {
      source  = "carlpett/sops"
      version = "~> 0.5"
    }
  }
}

data "sops_file" "secret" {
  # The content is actually loaded as terraform variables
  source_file = "secrets.enc.tfvars"
  input_type  = "tfvars"
}

variable "password" {
  type = string
}

output "password" {
  value = var.password
}
```

Do you think it's actually possible to implement this? If yes, would you be interested in this feature?

@carlpett
Owner

Hi @cippaciong,
I do not believe this is possible with the current Terraform plugin model. If you're interested in driving this, the first step would be to open a discussion on Terraform core to allow providers to hook into the tfvars loading process.
If this were to be implemented there, then it'd be very natural to extend this provider with this support!

@jeffrade

@cippaciong and anyone in the future coming across this, you can simply store secrets.enc.tfvars.json in proper JSON format and terraform will read this file as usual to accomplish what you are looking for. Then just drop the input-type:

```hcl
data "sops_file" "secret" {
  source_file = "secrets.enc.tfvars.json"
}
```

@phil-edl

> ```hcl
> data "sops_file" "secret" {
>   source_file = "secrets.enc.tfvars.json"
> }
> ```
>
> @cippaciong and anyone in the future coming across this, you can simply store secrets.enc.tfvars.json in proper JSON format and terraform will read this file as usual to accomplish what you are looking for. Then just drop the input-type:

@jeffrade I'm not sure this results in what is intended, as terraform will load in the secrets.enc.tfvars.json with the values still encrypted, and so I don't think any of the consistency checking will apply. Also, one will still have to reference the sops data object to look up values, instead of using var values.
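
The point raised in the last comment, as an added example (not code from this thread or from the provider): SOPS encrypts only the values and adds a top-level `sops` metadata key, so a `.tfvars.json` that has not been decrypted hands Terraform `ENC[...]` strings as variable values. The function names and sample values below are constructed for illustration.

```python
import json
import re

# Shape SOPS gives each encrypted leaf value; keys are left in clear text.
SOPS_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]*,tag:[^,\]]*,type:\w+\]$")

def _leaves(node, path=""):
    """Yield (path, value) for every scalar leaf of a JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _leaves(value, f"{path}[{i}]")
    else:
        yield path, node

def audit_tfvars_json(text):
    """Report which variables are SOPS ciphertext and which are plaintext."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("a tfvars.json document must be a JSON object")
    report = {"sops_metadata": isinstance(doc.get("sops"), dict),
              "encrypted": [], "plaintext": []}
    variables = {k: v for k, v in doc.items() if k != "sops"}
    for path, value in _leaves(variables):
        is_enc = isinstance(value, str) and bool(SOPS_VALUE.match(value))
        report["encrypted" if is_enc else "plaintext"].append(path)
    return report

def ok_to_commit(report):
    """Every value is ciphertext and the SOPS metadata block is present."""
    return report["sops_metadata"] and not report["plaintext"]

def ok_for_var_file(report):
    """Nothing SOPS-specific is left for Terraform to read as a variable."""
    return not report["sops_metadata"] and not report["encrypted"]

# Constructed samples (not real ciphertext): the file as stored, and decrypted.
ENC_PLACEHOLDER = "ENC[AES256_GCM,data:Q09OU1RSVUNU,iv:Q09OU1RSVUNU,tag:Q09OU1RSVUNU,type:str]"
ENCRYPTED_SAMPLE = json.dumps({
    "password": ENC_PLACEHOLDER,
    "sops": {"lastmodified": "2021-11-08T00:00:00Z", "mac": ENC_PLACEHOLDER}})
DECRYPTED_SAMPLE = json.dumps({"password": "superSecret"})

if __name__ == "__main__":
    for name, sample in [("encrypted", ENCRYPTED_SAMPLE), ("decrypted", DECRYPTED_SAMPLE)]:
        r = audit_tfvars_json(sample)
        print(name, r, "commit:", ok_to_commit(r), "var-file:", ok_for_var_file(r))
```

`ok_to_commit` suits a pre-commit check on the stored file, while `ok_for_var_file` suits a check on whatever is about to be passed to `-var-file`.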
