
infisical / terraform-provider-infisical


The official Infisical Terraform provider

License: Mozilla Public License 2.0

HCL 0.46% Makefile 0.06% Go 99.47%

terraform-provider-infisical's Introduction


The open-source secret management platform: Sync secrets/configs across your team/infrastructure and prevent secret leaks.


Introduction

Infisical is the open source secret management platform that teams use to centralize their secrets like API keys, database credentials, and configurations.

We're on a mission to make secret management more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from the ground up.


Getting started

Check out the Quickstart Guides

Use Infisical Cloud: The fastest and most reliable way to get started with Infisical is signing up for free to Infisical Cloud.

Deploy Infisical on premise: View all deployment options.

Run Infisical locally

To set up and run Infisical locally, make sure you have Git and Docker installed on your system. Then run the command for your system:

Linux/macOS:

git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker compose -f docker-compose.prod.yml up

Windows Command Prompt:

git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker compose -f docker-compose.prod.yml up

Create an account at http://localhost:80

Scan and prevent secret leaks

On top of managing secrets with Infisical, you can also scan for over 140 secret types in your files, directories and git repositories.

To scan your full git history, run:

infisical scan --verbose

Install a pre-commit hook to scan each commit before you push to your repository:

infisical scan install --pre-commit-hook

Learn about Infisical's code scanning feature here
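The two commands above delegate the actual detection to the Infisical CLI. To make the pre-commit gate concrete, here is an added Go example (not Infisical's code and not its ruleset) that does the two things such a scanner does: match a few fixed-format token shapes and flag credential-looking assignments by entropy, while leaving Infisical-style ${env.folder.KEY} references alone. The three regexes, the 3.5 bits/char threshold and the sample file are all assumptions made for this illustration; the only real-looking value is Amazon's documented placeholder access key.

```go
package main

import (
	"fmt"
	"math"
	"os"
	"regexp"
	"strings"
)

// Finding is one suspected secret in the scanned text.
type Finding struct {
	Line     int    // 1-based line number in the input
	Rule     string // name of the detector that fired
	Redacted string // matched value with the middle masked, safe for CI logs
}

// Three illustrative fixed-format rules (assumption: a real scanner ships far more).
var detectors = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"private-key-block", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
}

// assignment catches KEY=value / key: "value" lines whose name suggests a credential;
// the captured value is then judged by entropy rather than by format.
var assignment = regexp.MustCompile(`(?i)\b([A-Z0-9_]*(?:secret|token|password|api_?key)[A-Z0-9_]*)\s*[:=]\s*["']?([^"'\s]{16,})`)

// entropyThreshold (bits per character) separates generated tokens from words; chosen for this example.
const entropyThreshold = 3.5

// shannonEntropy returns the bits-per-character entropy of s.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	total := 0
	for _, r := range s {
		counts[r]++
		total++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// redact keeps the first and last three characters so a finding can be located without re-leaking it.
func redact(v string) string {
	if len(v) <= 8 {
		return strings.Repeat("*", len(v))
	}
	return v[:3] + strings.Repeat("*", len(v)-6) + v[len(v)-3:]
}

// Scan runs every rule over each line of content and returns findings in line order.
// A line that already matched a fixed-format rule is not re-reported by the entropy rule.
func Scan(content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		matched := false
		for _, d := range detectors {
			for _, m := range d.Re.FindAllString(line, -1) {
				out = append(out, Finding{Line: i + 1, Rule: d.Name, Redacted: redact(m)})
				matched = true
			}
		}
		if matched {
			continue
		}
		m := assignment.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		value := m[2]
		// An Infisical reference such as ${dev.A.FOO} points at a secret; it is not the secret itself.
		if strings.HasPrefix(value, "${") && strings.HasSuffix(value, "}") {
			continue
		}
		if shannonEntropy(value) >= entropyThreshold {
			out = append(out, Finding{Line: i + 1, Rule: "high-entropy-assignment", Redacted: redact(value)})
		}
	}
	return out
}

// SampleInput is a constructed fake config file. The AWS key is Amazon's documented
// placeholder; every other value is made up to have the right shape.
const SampleInput = `# build box .env (constructed sample)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
github:
  token: "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
DB_PASSWORD=xK9#mQ2vL7@pR4nT1wZb
API_KEY=aaaaaaaaaaaaaaaaaaaa
TWINE_PASSWORD=${dev.SETUPTOOLS.TWINE_PASSWORD}
`

// main behaves like a pre-commit gate: print findings and fail the commit if there are any.
func main() {
	findings := Scan(SampleInput)
	for _, f := range findings {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Rule, f.Redacted)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run against the sample, the gate reports the AWS key, the GitHub token and the random-looking DB_PASSWORD, and stays quiet on the all-`a` placeholder and on the ${...} reference, which is the behaviour you want from a hook that runs on every commit.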

Open-source vs. paid

This repo is available under the MIT Expat license, with the exception of the ee directory, which will contain premium enterprise features requiring an Infisical license.

If you are interested in managed Infisical Cloud or the self-hosted Enterprise offering, take a look at our website or book a meeting with us:

Schedule a meeting

Security

Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!

Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address [email protected]. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.

Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing them publicly.

Contributing

Whether it's big or small, we love contributions. Check out our guide to see how to get started.

Not sure where to get started? You can:

  • Join our Slack, and ask us any questions there.
  • Join our community calls every Wednesday at 11am EST to ask any questions, provide feedback, hang out and more.

Resources

  • Docs for comprehensive documentation and guides
  • Slack for discussion with the community and Infisical team.
  • GitHub for code, issues, and pull requests
  • Twitter for fast news
  • YouTube for videos on secret management
  • Blog for secret management insights, articles, tutorials, and updates
  • Roadmap for planned features


terraform-provider-infisical's People

Contributors

akhilmhdh, austinvalle, bendbennett, bflad, bookshelfdave, danielhougaard, dependabot[bot], hashicorp-copywrite[bot], jon-ruckwood, maidul98, paddycarver, radeksimko, vravind1


terraform-provider-infisical's Issues

Add infisical_folder resource

Feature Description

Currently, only infisical_secrets resource exists. If you try to create a secret in a folder that doesn't exist, an error will be thrown. The goal of this feature would be to implement an infisical_folder resource.

Why would it be useful?

To create a complete secrets architecture from Terraform.

Secret Referencing not working?

I've been trying to get secret referencing working using the Terraform provider.

I have a Service Token with the scopes set to /** which should be able to access all the secrets.

Next, I have two folders, A and B.
In the folder A I have a secret named FOO with a value of secret.
I reference this secret in folder B like ${dev.A.FOO}.


However, in terraform the output of the secret is not interpolated.

data "infisical_secrets" "test" {
  env_slug    = "dev"
  folder_path = "/B"  
}

output "foo" {
  value = data.infisical_secrets.test.secrets
}

Outputs:

foo = tomap({
  "ANOTHER_FOO" = {
    "comment" = ""
    "secret_type" = "shared"
    "value" = "${dev.A.FOO}"
  }
})

Using the CLI I can verify that it works:

infisical run --env=dev --path=/B -- env | grep foo
ANOTHER_FOO=secret

I simplified the example a bit; in my case folder B would be nested an additional level, but the secret referencing should work no matter the level of nesting 🤔

In the docs, it is stated that secret referencing is working in all the native integrations. Is the terraform provider a native integration?
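The difference the issue shows is reference expansion: the CLI returns `secret`, the data source returns the literal `${dev.A.FOO}`. As an added example (not the provider's or the CLI's code), the Go below expands `${env.folder[.subfolder].KEY}` references over an in-memory store shaped like the workspace in the issue, following references across folders and at any nesting depth, and refusing reference cycles. It assumes the dotted syntax seen above; treating a two-part `${env.KEY}` as the environment's root folder is an assumption not shown on this page, and all values in the store are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Store is environment -> folder path -> key -> raw (unexpanded) value: an in-memory
// stand-in for a workspace so the example runs without an Infisical instance.
type Store map[string]map[string]map[string]string

// refPattern matches ${...}; the inside is split on dots by parseRef.
var refPattern = regexp.MustCompile(`\$\{([^{}]+)\}`)

// parseRef turns "dev.A.B.FOO" into env "dev", folder "/A/B", key "FOO".
// Assumption: the two-part form "dev.FOO" addresses the root folder "/".
func parseRef(ref string) (env, folder, key string, err error) {
	parts := strings.Split(ref, ".")
	if len(parts) < 2 {
		return "", "", "", fmt.Errorf("reference %q must be at least env.KEY", ref)
	}
	for _, p := range parts {
		if p == "" {
			return "", "", "", fmt.Errorf("reference %q has an empty component", ref)
		}
	}
	return parts[0], "/" + strings.Join(parts[1:len(parts)-1], "/"), parts[len(parts)-1], nil
}

// Expand returns the fully resolved value of one secret, following references
// across folders. It fails on missing targets and on reference cycles.
func (s Store) Expand(env, folder, key string) (string, error) {
	return s.expand(env, folder, key, map[string]bool{})
}

func (s Store) expand(env, folder, key string, visiting map[string]bool) (string, error) {
	id := env + ":" + folder + ":" + key
	if visiting[id] {
		return "", fmt.Errorf("reference cycle through %s", id)
	}
	raw, ok := s[env][folder][key]
	if !ok {
		return "", fmt.Errorf("secret %s not found", id)
	}
	visiting[id] = true
	defer delete(visiting, id)

	var firstErr error
	out := refPattern.ReplaceAllStringFunc(raw, func(m string) string {
		if firstErr != nil {
			return m
		}
		e, f, k, err := parseRef(m[2 : len(m)-1]) // strip "${" and "}"
		if err != nil {
			firstErr = err
			return m
		}
		v, err := s.expand(e, f, k, visiting)
		if err != nil {
			firstErr = err
			return m
		}
		return v
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

// ExpandFolder resolves every secret in one folder, which is what a consumer
// such as `infisical run --env=dev --path=/B` needs to inject into a process.
func (s Store) ExpandFolder(env, folder string) (map[string]string, error) {
	out := map[string]string{}
	for key := range s[env][folder] {
		v, err := s.Expand(env, folder, key)
		if err != nil {
			return nil, err
		}
		out[key] = v
	}
	return out, nil
}

// Sample mirrors the issue (folder A holds FOO, folder B references it), plus a
// deeper folder and a deliberate cycle. All values are constructed.
var Sample = Store{
	"dev": {
		"/A":   {"FOO": "secret"},
		"/B":   {"ANOTHER_FOO": "${dev.A.FOO}"},
		"/B/C": {"NESTED": "${dev.A.FOO}-${dev.B.ANOTHER_FOO}"},
		"/X":   {"LOOP": "${dev.X.LOOP}"},
	},
}

func main() {
	m, err := Sample.ExpandFolder("dev", "/B/C")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s=%s\n", k, m[k])
	}
	_, err = Sample.Expand("dev", "/X", "LOOP")
	fmt.Println("cycle check:", err)
}
```

The visited set is keyed on env:folder:key and entries are removed on return, so a value may legitimately reference the same secret twice (as NESTED does, indirectly) while a self-referencing chain is reported instead of recursing forever.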

Secret UPDATE not working

Execute the following Terraform code:

terraform apply --var INFISCAL_TOKEN=$(infisical service-token create --scope='dev:/SETUPTOOLS/**' --access-level=read --access-level=write -e 100 --token-only)

The following configuration:

provider "infisical" {
  alias         = "infiscal"
  host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
  service_token = var.INFISCAL_TOKEN
}

terraform {
  required_providers {
    infisical = {
      # version = <latest version>
      source = "infisical/infisical"
    }

    htpasswd = {
      source = "loafoe/htpasswd"
    }
  }
}

resource "random_password" "password" {
  length = 30
}

resource "random_password" "salt" {
  length = 8
}

resource "htpasswd_password" "hash" {
  password = random_password.password.result
  salt     = random_password.salt.result
}


resource "infisical_secret" "twine_username" {
  provider    = infisical.infiscal
  name        = "TWINE_USERNAME"
  value       = "opti-pypi"
  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}


resource "infisical_secret" "twine_password" {
  provider = infisical.infiscal

  name = "TWINE_PASSWORD"

  value       = random_password.password.result
  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}



resource "infisical_secret" "twine_htpasswd" {
  provider = infisical.infiscal

  name  = ".htpasswd"
  value = "${infisical_secret.twine_username.value}:${htpasswd_password.hash.apr1}"

  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}

It works on 1st run without issues.
Now change value = "opti-pypi" to something like value = "opti"

Reapply with the same command, and I'm getting the following errors:

infisical_secret.twine_username: Modifying... [name=TWINE_USERNAME]
╷
│ Error: Error updating secret
│
│   with infisical_secret.twine_username,
│   on 30-infisical-pwd.tf line 15, in resource "infisical_secret" "twine_username":
│   15: resource "infisical_secret" "twine_username" {
│
│ Couldn't save encrypted secrets to Infiscial, unexpected error: CallUpdateSecretsV3: Unsuccessful response. Please make sure your secret path, workspace and
│ environment name are all correct [response={"type":"bad_request","message":"Missing encrypted
│ key","context":{},"level":30,"level_name":"INFO","status_code":400,"datetime_iso":"2024-01-21T14:45:54.890Z","application":"unknown","extra":[]}]
╵
failed to wait for command termination: exit status 1

Add infisical_secret_imports resource

Feature Description

Currently, only infisical_secrets resource exists. The goal of this feature would be to implement an infisical_secret_imports resource.

Why would it be useful?

To create a complete secrets architecture from Terraform.

`terraform apply` fails when secret was created in previous run

Steps to reproduce

  • Define secret
  • Apply changes (everything is fine to this point)
  • Apply changes again (ex. in case where database creds are changed) and things will not be fine as infisical cannot update secrets.

resource "infisical_secret" "DATABASE_URI" {
  name        = "DATABASE_URI"
  value       = "postgres://${neon_role.db_owner.name}:${neon_role.db_owner.password}@${neon_project.default.branch.endpoint.host}:5432"
  env_slug    = "dev"
  folder_path = "/"
  depends_on = [
    neon_project.default,
    neon_role.db_owner,
  ]
}

Expected behavior

  • Update secrets instead of strictly not-null checking

Error

╷
│ Error: Error creating secret
│
│   with infisical_secret.DATABASE_URI,
│   on main.tf line 86, in resource "infisical_secret" "DATABASE_URI":
│   86: resource "infisical_secret" "DATABASE_URI" {
│
│ Couldn't save encrypted secrets to Infiscial, unexpected error:
│ CallCreateSecretsV3: Unsuccessful response. Please make sure your secret
│ path, workspace and environment name are all correct
│ [response={"type":"bad_request","message":"Failed to create secret that
│ already
│ exists","context":{},"level":30,"level_name":"INFO","status_code":400,"datetime_iso":"2024-01-27T16:44:30.084Z","application":"unknown","extra":[]}]
╵
Operation failed: failed running terraform apply (exit 1)

Related: #31
