terraform create k8s secret from gcp secret
I have managed to achieve the flow of creating sensitive resources in terraform, without revealing what the sensitive details are at any point and therefore won't be stored in plain text in our github repo. I have done this by letting TF create a service account, its associated SA key, and then creating a GCP secret that references the output from the SA key for example.

I now want to see if there's any way to do the same for some pre-defined database passwords. The flow will be slightly different:
secret_data = "" (otherwise putting the plain text password details here defeats the object!)

Get the secret_data from the google_secret_manager_version to add into the kubernetes_secret so it can be used within our GKE cluster.

However, when I run terraform plan, it wants to change the value of my manually created GCP secret:
  # google_secret_manager_secret_version.pgbouncer-secret-uat-v1 must be replaced
-/+ resource "google_secret_manager_secret_version" "pgbouncer-secret-uat-v1" {
      ~ create_time  = "2021-08-26T14:42:58.279432Z" -> (known after apply)
      + destroy_time = (known after apply)
      ~ id           = "projects/********/secrets/pgbouncer-secret-uat/versions/1" -> (known after apply)
      ~ name         = "projects/********/secrets/pgbouncer-secret-uat/versions/1" -> (known after apply)
      ~ secret       = "projects/********/secrets/pgbouncer-secret-uat" -> "projects/*******/secrets/pgbouncer-secret-uat" # forces replacement
      - secret_data  = (sensitive value) # forces replacement
Any ideas how I can get round this? I want to import the google secret version to use in kubernetes but not set the secret_data value in the resource, as I don't want it to overwrite what I created manually. Here is the relevant terraform config I'm talking about:
resource "google_secret_manager_secret" "pgbouncer-secret-uat" {
  provider  = google-beta
  secret_id = "pgbouncer-secret-uat"

  replication {
    automatic = true
  }

  depends_on = [google_project_service.secretmanager]
}

resource "google_secret_manager_secret_version" "pgbouncer-secret-uat-v1" {
  provider    = google-beta
  secret      = google_secret_manager_secret.pgbouncer-secret-uat.id
  secret_data = ""
}
If you just want to retrieve/READ the secret without actively managing it, then you can use the associated data instead:
data "google_secret_manager_secret_version" "pgbouncer-secret-uat-v1" {
  provider = google-beta
  secret   = google_secret_manager_secret.pgbouncer-secret-uat.id
}
You can then use the value in your Kubernetes cluster as a secret with the data's exported resource attribute: data.google_secret_manager_secret_version.pgbouncer-secret-uat-v1.secret_data. Note that the provider will likely mark this exported resource attribute as sensitive, and that carries the normal consequences with it.
You can also check the full documentation for more information.
Additionally, since you imported the resource into your state to manage it within your Terraform config, you will need to remove it from your state concurrently with removing it from your config. You can do that most easily with terraform state rm google_secret_manager_secret_version.pgbouncer-secret-uat-v1. Then you may safely remove the resource from your config and solely include the data in your config.
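As an added example (not code from the question or the answer above), here is the read-only data source wired into a kubernetes_secret for the GKE cluster; it assumes the hashicorp/kubernetes provider is already configured against the cluster, and the namespace "uat", the secret name and the key "password" are placeholders:

```hcl
# Read-only lookup of the manually created version. No secret_data is set
# here, so terraform plan never tries to replace the version in Secret Manager.
# "version" is optional; omitting it returns the latest enabled version.
data "google_secret_manager_secret_version" "pgbouncer-secret-uat-v1" {
  provider = google-beta
  secret   = google_secret_manager_secret.pgbouncer-secret-uat.id
  version  = "1"
}

# Materialise the value as a Kubernetes Secret in the cluster (assumed
# namespace and names). The kubernetes provider base64-encodes "data" itself,
# so the plaintext attribute is passed straight through.
resource "kubernetes_secret" "pgbouncer_uat" {
  metadata {
    name      = "pgbouncer-uat"
    namespace = "uat"
  }

  type = "Opaque"

  # secret_data is marked sensitive by the google provider, so plan/apply
  # output shows "(sensitive value)" instead of the password.
  data = {
    password = data.google_secret_manager_secret_version.pgbouncer-secret-uat-v1.secret_data
  }
}
```

Sensitive marking only hides the value from CLI output: both the data source and the kubernetes_secret record the password in Terraform state, so the state backend needs the same access controls as the Secret Manager secret itself.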