Sharing sensitive variables between ansible and terraform

Vyacheslav Voronenko
1 min read, Apr 6, 2019


A simple proof of concept showing how to share sensitive variables between Terraform and Ansible in a way that allows committing them to git, while keeping them reasonably easy to decrypt and usable natively from an Ansible play.

Ansible

Let’s create a file with some sensitive variables for the Ansible play, env-default-secure-vars.yml:

and encrypt it with ansible-vault encrypt env-default-secure-vars.yml. The encrypted file is what gets committed; the vault password itself must stay out of the repository.

Let’s check that Ansible can work with the encrypted vars, using a playbook:
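The “safe to commit” part only holds if the file really was encrypted before it landed in git; one forgotten ansible-vault encrypt and the secrets are in history. The following is an added example, not the post’s gist: a small sh guard that recognises ansible-vault output by the header line it writes ($ANSIBLE_VAULT;1.1;AES256, or $ANSIBLE_VAULT;1.2;AES256;<label> when a vault id is used) and can be called from a pre-commit hook. The file-name pattern and the hook wiring are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: refuse to commit an Ansible vars
# file that is still plaintext.  Only the header that ansible-vault writes is
# inspected, so this runs without Ansible installed.
set -eu

# Every ansible-vault encrypted file starts with "$ANSIBLE_VAULT;<version>;AES256".
VAULT_HEADER_PREFIX='$ANSIBLE_VAULT;'

# is_vault_encrypted FILE: exit 0 if FILE starts with the vault header, else 1.
is_vault_encrypted() {
  first_line=''
  IFS= read -r first_line < "$1" || true      # empty/missing file: stays empty
  [ "${first_line#"$VAULT_HEADER_PREFIX"}" != "$first_line" ]
}

# check_secure_vars FILE...: report every plaintext file, exit 1 if any.
# Wire it into .git/hooks/pre-commit (assumed file-name pattern):
#   check_secure_vars $(git diff --cached --name-only | grep 'secure-vars\.yml$')
check_secure_vars() {
  rc=0
  for f in "$@"; do
    if ! is_vault_encrypted "$f"; then
      echo "refusing to commit plaintext secrets: $f" >&2
      rc=1
    fi
  done
  return $rc
}
```

The check deliberately looks only at the first line: it is cheap, needs no Ansible on the machine running the hook, and a file that starts with the vault header but is otherwise corrupt will be caught by ansible-vault itself at decryption time.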

Terraform

Now let’s see how we can consume the same data in Terraform.

Fortunately, Terraform ships a built-in external provider, whose external data source runs a program of our choice and consumes the JSON it returns. The contract is simple: the program receives the data source’s query as a JSON object on stdin and must print a single JSON object to stdout whose values are all strings; a non-zero exit code is surfaced as a Terraform error.

Let’s write a shell script that decrypts the vault file and returns a JSON representation of the variables.

Checking that the script works …

and now let’s check from a Terraform run:
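A script that does this job, written here as an added example and not the post’s own gist: it decrypts the vault file with ansible-vault view and converts the simple key: value YAML into the flat, string-only JSON object the external data source expects. The script name vault2json.sh, the data source name secure_vars, and passing the vault file as a command-line argument (instead of through the stdin query) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the post's gist: vault2json.sh, the program behind a
# Terraform "external" data source.  It decrypts an ansible-vault file and
# prints the flat JSON object the data source requires (string values only).
# Assumed wiring on the Terraform side:
#   data "external" "secure_vars" {
#     program = ["sh", "${path.module}/vault2json.sh", "env-default-secure-vars.yml"]
#   }
#   # then: data.external.secure_vars.result["db_password"]
set -eu

# yaml_to_flat_json: read simple "key: value" YAML lines on stdin, print one JSON
# object.  Nested mappings, lists and other YAML constructs are rejected (exit 1)
# because the external data source cannot represent them; the offending line's
# content is not echoed, since it may hold a secret.
yaml_to_flat_json() {
  awk -v sq="'" '
    function jesc(s,    i, c, r) {            # escape backslash and double quote
      r = ""
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        r = r ((c == "\\" || c == "\"") ? "\\" c : c)
      }
      return r
    }
    /^---/ || /^[ \t]*#/ || /^[ \t]*$/ { next }     # doc marker, comments, blanks
    /^[A-Za-z_][A-Za-z0-9_]*:[ \t]/ {
      key = $0; sub(/:.*/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      if (val ~ /^".*"$/ || val ~ ("^" sq ".*" sq "$"))   # drop one pair of quotes
        val = substr(val, 2, length(val) - 2)
      out = out (n ? "," : "") "\"" key "\":\"" jesc(val) "\""
      n++
      next
    }
    { print "vault2json: unsupported (non-flat) YAML at line " NR > "/dev/stderr"; err = 1; exit 1 }
    END { if (err) exit 1; print "{" out "}" }
  '
}

# vault2json VAULT_FILE: decrypt with ansible-vault and convert.  Terraform sends
# its "query" as JSON on stdin; we take the file as an argument instead, but the
# data source contract still requires the program to consume stdin.
# ANSIBLE_VAULT_PASSWORD_FILE must be set: there is no terminal for a prompt.
vault2json() {
  cat >/dev/null
  decrypted=$(ansible-vault view "$1") || {
    echo "vault2json: ansible-vault view failed for $1" >&2
    return 1
  }
  printf '%s\n' "$decrypted" | yaml_to_flat_json
}

# Run as a script when given a file; sourcing without arguments only defines the functions.
if [ "${1-}" != "" ]; then
  vault2json "$1"
fi
```

Two design points worth noting. The decryption is done with a command substitution rather than a plain pipe, so a failing ansible-vault view (wrong password, missing file) makes the script exit non-zero and Terraform fail loudly, instead of quietly producing an empty {} result. And only the flat key: value subset of YAML is accepted: anything the data source could not represent as a string map is rejected up front rather than silently flattened.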

It works and looks very promising, but let’s look into terraform.tfstate:

Our decrypted secure vars are there in plain text: the result of a data source is stored in the state file, and marking an output as sensitive only hides it from CLI output, not from the state. So be careful where and how you store the state: never commit terraform.tfstate next to the vault file, and prefer a remote backend with encryption at rest and tight access control. Terraform has had a number of open issues around this (https://github.com/hashicorp/terraform/issues/4436) for a few years, with no good solution so far.

Summary

The POC shows how you can share some of your provisioning variables with Terraform and back (Terraform can also generate a variables YAML file for Ansible). This might be suitable for some situations, although it is not ideal.
