Sharing sensitive variables between ansible and terraform
A simple proof of concept: how to share sensitive variables between Terraform and Ansible in a way that allows committing them to git, while keeping them reasonably easy to decrypt and usable natively from an Ansible play.
Ansible
Let’s create some sensitive variables in an Ansible vars file, env-default-secure-vars.yml:
and encrypt this file using ansible-vault encrypt env-default-secure-vars.yml (ansible-vault prompts for the vault password, or takes it from --vault-password-file). The encrypted file is what gets committed.
Let’s check that Ansible can work with the encrypted vars, using a playbook:
Terraform
Now let’s see how we can consume the same data in Terraform.
Fortunately, there is the external provider, whose external data source consumes a JSON object returned by an external program: Terraform passes a JSON query object on stdin and expects a flat JSON map of string values on stdout.
Let’s write a shell routine that returns a JSON representation of the decrypted vars (ansible-vault view to decrypt, then YAML converted to JSON).
Checking that the script works …
and now let’s check from the Terraform side:
It seems to work and looks very promising, but let’s look into terraform.tfstate:
Our decrypted secure vars are right there: the result of the external data source is persisted in the state file in plaintext (terraform state pull shows the same for a remote backend), so be cautious how you store the state. Keep it out of the repository, use a remote backend with encryption at rest and restricted access, and remember that marking an output as sensitive only hides it from CLI output, not from the state file. Terraform has had a number of tickets around this issue (https://github.com/hashicorp/terraform/issues/4436) for a few years, but no good solution so far.
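As an added example (not the shell routine from the linked repository), the same bridge written in Python. It follows the external provider's protocol: one JSON query object on stdin, one flat JSON map of string values on stdout, and a non-zero exit with a message on stderr on failure. The file name vault_to_json.py and the query keys vars_file and vault_password_file are assumptions of this example; PyYAML is assumed to be present, which holds wherever Ansible is installed.

```python
#!/usr/bin/env python3
"""vault_to_json.py (assumed name, added example): expose an ansible-vault
encrypted vars file to Terraform's `external` data source.

Protocol of the external provider: read one JSON object (the `query` map)
from stdin, write one JSON object whose values are all strings to stdout,
and on failure exit non-zero with the reason on stderr.
"""
import json
import subprocess
import sys


def read_query(text):
    """Parse the query Terraform passes on stdin; it must be a JSON object."""
    query = json.loads(text)
    if not isinstance(query, dict):
        raise ValueError("query must be a JSON object")
    return query


def decrypt_vault(vars_file, vault_password_file=None):
    """Return the plaintext of an ansible-vault encrypted file via
    `ansible-vault view`. Output is captured in memory; nothing is written
    to disk, and ansible-vault's own stderr is kept off our stdout."""
    cmd = ["ansible-vault", "view", vars_file]
    if vault_password_file:
        cmd += ["--vault-password-file", vault_password_file]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("ansible-vault failed: " + proc.stderr.strip())
    return proc.stdout


def parse_vars(yaml_text):
    """Parse the decrypted vars file (YAML, so a JSON vars file works too).
    The top level must be a mapping, as in any Ansible vars file."""
    import yaml  # deferred: only needed on the real decrypt path
    data = yaml.safe_load(yaml_text) or {}
    if not isinstance(data, dict):
        raise ValueError("vars file must be a mapping at top level")
    return data


def to_external_result(data):
    """The external provider only accepts a flat map of strings: scalars are
    stringified (booleans as true/false, null as the empty string) and nested
    values are JSON-encoded so Terraform can jsondecode() them."""
    result = {}
    for key, value in data.items():
        if isinstance(value, bool):  # bool before int: bool is an int subclass
            result[str(key)] = "true" if value else "false"
        elif isinstance(value, (dict, list)):
            result[str(key)] = json.dumps(value)
        elif value is None:
            result[str(key)] = ""
        else:
            result[str(key)] = str(value)
    return result


def main():
    try:
        query = read_query(sys.stdin.read())
        vars_file = query["vars_file"]  # assumed query key
        plaintext = decrypt_vault(vars_file, query.get("vault_password_file"))
        result = to_external_result(parse_vars(plaintext))
    except Exception as exc:  # Terraform surfaces stderr on a non-zero exit
        print("vault_to_json: %s" % exc, file=sys.stderr)
        sys.exit(1)
    json.dump(result, sys.stdout)


if __name__ == "__main__":
    main()
```

On the Terraform side this is wired in with a data "external" block whose program is ["python3", "${path.module}/vault_to_json.py"] and whose query map carries vars_file = "env-default-secure-vars.yml" (plus vault_password_file if the password is not available through the environment); individual values are then read as data.external.secure_vars.result["db_password"] and nested ones through jsondecode(). Pass only file paths through the query, never the vault password itself, since the query is part of the configuration. The caveat above applies unchanged: the whole result map lands in terraform.tfstate in plaintext.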
Summary
The POC shows how you can share some of your provisioning variables with Terraform and back (Terraform can also generate a variables yml file for Ansible). It might be suitable for some situations, although it is not ideal.
Check out example at https://github.com/Voronenko/poc-terraform-ansible-bridge