
terraform-provider-infisical's Issues

Allow ClientSecret as EnvironmentVariable

For security reasons it is good practice not to hardcode secrets in your code. If you put your code in a repository, you are publishing the clientSecret for your Infisical environment.

The recommendation, as with other providers, is to allow the provider configuration to be set using environment variables.

Thanks!

Secret UPDATE not working

Execute the following terraform code:

terraform apply --var INFISCAL_TOKEN=$(infisical service-token create --scope='dev:/SETUPTOOLS/**' --access-level=read --access-level=write -e 100 --token-only)

with the following configuration:

provider "infisical" {
  alias         = "infiscal"
  host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
  service_token = var.INFISCAL_TOKEN
}

terraform {
  required_providers {
    infisical = {
      # version = <latest version>
      source = "infisical/infisical"
    }

    htpasswd = {
      source = "loafoe/htpasswd"
    }
  }
}

resource "random_password" "password" {
  length = 30
}

resource "random_password" "salt" {
  length = 8
}

resource "htpasswd_password" "hash" {
  password = random_password.password.result
  salt     = random_password.salt.result
}


resource "infisical_secret" "twine_username" {
  provider    = infisical.infiscal
  name        = "TWINE_USERNAME"
  value       = "opti-pypi"
  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}


resource "infisical_secret" "twine_password" {
  provider = infisical.infiscal

  name = "TWINE_PASSWORD"

  value       = random_password.password.result
  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}



resource "infisical_secret" "twine_htpasswd" {
  provider = infisical.infiscal

  name  = ".htpasswd"
  value = "${infisical_secret.twine_username.value}:${htpasswd_password.hash.apr1}"

  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}

It works on the 1st run without issues.
Now change value = "opti-pypi" to something like value = "opti".

Reapply with the same command, and I'm getting the following errors:

infisical_secret.twine_username: Modifying... [name=TWINE_USERNAME]
╷
│ Error: Error updating secret
│ 
│   with infisical_secret.twine_username,
│   on 30-infisical-pwd.tf line 15, in resource "infisical_secret" "twine_username":
│   15: resource "infisical_secret" "twine_username" {
│ 
│ Couldn't save encrypted secrets to Infiscial, unexpected error: CallUpdateSecretsV3: Unsuccessful response. Please make sure your secret path, workspace and
│ environment name are all correct [response={"type":"bad_request","message":"Missing encrypted
│ key","context":{},"level":30,"level_name":"INFO","status_code":400,"datetime_iso":"2024-01-21T14:45:54.890Z","application":"unknown","extra":[]}]
╵
failed to wait for command termination: exit status 1

Add infisical_secret_imports resource

Feature Description

Currently, only the infisical_secrets resource exists. The goal of this feature would be to implement an infisical_secret_imports resource.

Why would it be useful?

To create a complete secrets architecture from terraform.

`terraform apply` fails when secret was created in previous run

Steps to reproduce

  • Define secret
  • Apply changes (everything is fine to this point)
  • Apply changes again (e.g. in case the database creds are changed) and things will not be fine, as infisical cannot update secrets.

resource "infisical_secret" "DATABASE_URI" {
  name        = "DATABASE_URI"
  value       = "postgres://${neon_role.db_owner.name}:${neon_role.db_owner.password}@${neon_project.default.branch.endpoint.host}:5432"
  env_slug    = "dev"
  folder_path = "/"
  depends_on = [
    neon_project.default,
    neon_role.db_owner,
  ]
}

Expected behavior

  • Update secrets instead of strictly not-null checking

Error

╷
│ Error: Error creating secret
│ 
│   with infisical_secret.DATABASE_URI,
│   on main.tf line 86, in resource "infisical_secret" "DATABASE_URI":
│   86: resource "infisical_secret" "DATABASE_URI" {
│ 
│ Couldn't save encrypted secrets to Infiscial, unexpected error:
│ CallCreateSecretsV3: Unsuccessful response. Please make sure your secret
│ path, workspace and environment name are all correct
│ [response={"type":"bad_request","message":"Failed to create secret that
│ already
│ exists","context":{},"level":30,"level_name":"INFO","status_code":400,"datetime_iso":"2024-01-27T16:44:30.084Z","application":"unknown","extra":[]}]
╵
Operation failed: failed running terraform apply (exit 1)

Related: #31

Packer Data Source

Greetings,

I am evaluating this product and so far, it's been a breath of fresh air 😊

It is great that a Terraform provider is being maintained, but are there any plans to create a data source for Packer?

Project Created via Terraform Not Visible in Web UI for Organization Root User

TLDR;

Problem Statement:
After creating a project using Terraform, the project does not appear in the web UI when accessed by the organization root user.

Reproducible Steps:

  1. Use Terraform to create a new project within the organization.
  2. Log in to the web UI using the organization root user credentials.
  3. Navigate to the section where projects are listed.

Expected Outcome:
The organization root user should be able to see all projects within the organization, including the newly created project.

Full Description

After creating a project via terraform, the project is not showing up in web UI:

My user is full-admin:

And according to the role description, it should have full powers over projects:

I had to add my full-admin user to the project via terraform to be able to see it via web UI:

Cannot create project identity via terraform

When trying to follow the provider documentation available at https://registry.terraform.io/providers/Infisical/infisical/latest/docs/resources/project_identity:

terraform {
  required_providers {
    infisical = {
      # version = <latest version>
      source = "infisical/infisical"
    }
  }
}

provider "infisical" {
  host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
  client_id     = "<>"
  client_secret = "<>"
}

resource "infisical_project" "example" {
  name = "example"
  slug = "example"
}

resource "infisical_project_identity" "test-identity" {
  project_id  = infisical_project.example.id
  identity_id = "<identity id>"
  roles = [
    {
      role_slug = "admin"
    }
  ]
}

I get the error when trying to create the identity:

╷
│ Error: Error attaching identity to project
│
│   with infisical_project_identity.test-identity,
│   on users.tf line 17, in resource "infisical_project_identity" "test-identity":
│   17: resource "infisical_project_identity" "test-identity" {
│
│ Couldn't create project identity to Infiscial, unexpected error: CallCreateProjectIdentity: Unsuccessful response.
│ [response={"statusCode":500,"message":"Something went wrong","error":"Find one"}]

Add infisical_folder resource

Feature Description

Currently, only the infisical_secrets resource exists. If you try to create a secret in a folder that doesn't exist, an error will be thrown. The goal of this feature would be to implement an infisical_folder resource.

Why would it be useful?

To create a complete secrets architecture from terraform.

Secret Referencing not working?

I've been trying to get secret referencing working using the Terraform provider.

I have a Service Token with the scopes set to /** which should be able to access all the secrets.

Next, I have two folders, A and B.
In the folder A I have a secret named FOO with a value of secret.
I reference this secret in folder B like ${dev.A.FOO}.


However, in terraform the output of the secret is not interpolated.

data "infisical_secrets" "test" {
  env_slug    = "dev"
  folder_path = "/B"  
}

output "foo" {
  value = data.infisical_secrets.test.secrets
}

Outputs:

foo = tomap({
  "ANOTHER_FOO" = {
    "comment" = ""
    "secret_type" = "shared"
    "value" = "${dev.A.FOO}"
  }
})

Using the CLI I can verify that it works:

infisical run --env=dev --path=/B -- env | grep foo
ANOTHER_FOO=secret

I simplified the example a bit, in my case folder B would be nested an additional level, but the secret referencing should work no matter the level of nesting 🤔

In the docs, it is stated that secret referencing is working in all the native integrations. Is the terraform provider a native integration?
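As an added example (not the provider's or Infisical's code), the expansion that the CLI output above performs and the data source output does not, done client-side over a constructed in-memory store. The `${env.folder.KEY}` syntax is taken from the post; the dot-separated nesting for deeper folders, the `Store` layout and all names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// A reference as shown on this page, ${dev.A.FOO}: env, folder segments, key.
// Assumed (the page does not say): deeper folders add segments, ${dev.A.SUB.FOO}.
var refPattern = regexp.MustCompile(`\$\{[\w-]+(?:\.[\w-]+)+\}`)
// Store maps "env:/folder/path" to key -> raw (unexpanded) value.
type Store map[string]map[string]string
// Resolve expands every reference in value, following chains and refusing cycles.
func Resolve(store Store, value string) (string, error) {
	return expand(store, value, map[string]bool{})
}

func expand(store Store, value string, visiting map[string]bool) (string, error) {
	var firstErr error
	out := refPattern.ReplaceAllStringFunc(value, func(m string) string {
		parts := strings.Split(m[2:len(m)-1], ".")
		folder := parts[0] + ":/" + strings.Join(parts[1:len(parts)-1], "/")
		id := folder + ":" + parts[len(parts)-1]
		raw, ok := store[folder][parts[len(parts)-1]]
		if !ok {
			firstErr = fmt.Errorf("unresolved reference %s", m)
			return m
		}
		if visiting[id] {
			firstErr = fmt.Errorf("reference cycle at %s", m)
			return m
		}
		visiting[id] = true // held while descending so A->B->A is caught
		expanded, err := expand(store, raw, visiting)
		delete(visiting, id)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return expanded
	})
	return out, firstErr
}

func main() {
	// Constructed sample mirroring the report: /A holds FOO, /B references it.
	store := Store{"dev:/A": {"FOO": "secret"}, "dev:/B": {"ANOTHER_FOO": "${dev.A.FOO}"}}
	fmt.Println(Resolve(store, store["dev:/B"]["ANOTHER_FOO"])) // secret <nil>
}
```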

Terraform Provider Crash When Planning/Applying After Web UI Role Edit

Description:
A project role was created using Terraform. Subsequent manual edits were made to the role via the web UI. When attempting to run terraform plan or terraform apply after making changes through the web UI, instead of showing the changes and reverting them to match the Infrastructure as Code (IAC) configuration, the Terraform provider crashed.

Steps to Reproduce:

  1. Create a new project role using Terraform.
  2. Edit the created role using the web UI.
  3. Run terraform plan to view the changes or terraform apply to apply the configuration.
  4. Observe the crash in the Terraform provider.

Expected Behavior:
Terraform should detect the changes made via the web UI and show a plan to revert the changes to match the IAC configuration.

Actual Behavior:
The Terraform provider crashes, preventing the plan from showing the changes and reverting them to match the IAC configuration.

Environment:
Terraform version: v1.7.2 on linux_amd64
Provider version: v0.6.1

Logs/Errors:

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Plugin did not respond
│
│ The plugin encountered an error, and failed to respond to the plugin6.(*GRPCProvider).ReadResource call. The plugin logs
│ may contain more details.
╵
╷
│ Error: Plugin did not respond
│
│ The plugin encountered an error, and failed to respond to the plugin6.(*GRPCProvider).ReadResource call. The plugin logs
│ may contain more details.
╵
╷
│ Error: Plugin did not respond
│
│ The plugin encountered an error, and failed to respond to the plugin6.(*GRPCProvider).ReadResource call. The plugin logs
│ may contain more details.
╵

Stack trace from the terraform-provider-infisical_v0.6.1 plugin:

panic: runtime error: index out of range [1] with length 1


Error: The terraform-provider-infisical_v0.6.1 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Additional Information:
The crash occurs only after manual edits are made via the web UI.
No issues were encountered when creating or managing roles exclusively through Terraform.
