Target Components
Other Component Details
No response
Problem Statement
In src/000-cloud/035-postgresql/terraform/main.tf, the PostgreSQL Flexible Server component currently handles the admin password through standard Terraform arguments. In particular, the password is stored in Key Vault using the normal value argument:
resource "azurerm_key_vault_secret" "admin_password" {
  count        = var.should_store_credentials_in_key_vault ? 1 : 0
  name         = "psql-${var.resource_prefix}-${var.environment}-${var.instance}-admin-password"
  value        = local.admin_password_resolved
  key_vault_id = var.key_vault.id
}
My understanding is that this password flow does not currently take advantage of newer Terraform/AzureRM write-only arguments that are intended to reduce persistence of sensitive values in Terraform artifacts, especially Terraform state and plan files.
Proposed Solution
I believe it could be valuable to update the admin password flow to use write-only arguments where supported. For example:
resource "azurerm_key_vault_secret" "admin_password" {
  count            = var.should_store_credentials_in_key_vault ? 1 : 0
  name             = "psql-${var.resource_prefix}-${var.environment}-${var.instance}-admin-password"
  value_wo         = local.admin_password_resolved
  value_wo_version = 1
  key_vault_id     = var.key_vault.id
}
My understanding is that this would help reduce password exposure in Terraform state files and be more in tune with the current Terraform capabilities for sensitive data handling.
Benefits
No response
Alternative Solutions
No response
Implementation Ideas
No response
Potential Challenges
No response
Additional Context
Here is more context about ephemeral values and temporal arguments in Terraform: https://developer.hashicorp.com/terraform/language/manage-sensitive-data/write-only
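The end-to-end flow the request describes, as an added example that is not part of the issue or the project's code: the password is generated as an ephemeral value and handed to both the Flexible Server and Key Vault only through write-only arguments, with a shared version number that is bumped to rotate it. The `terraform` block's version floors, the `var.admin_password_version` variable, and the `var.resource_group_name` / `var.location` inputs are assumptions; the other variable names come from the issue.

```hcl
terraform {
  # Assumed minimums: write-only arguments need Terraform 1.11+ and an
  # azurerm 4.x release that exposes the *_wo arguments used below.
  required_version = ">= 1.11.0"
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 4.23.0" }
    random  = { source = "hashicorp/random", version = ">= 3.7.0" }
  }
}

# Assumed variable. Bump it to rotate the password: a provider only re-sends
# a write-only value when its *_wo_version changes, because the value itself
# is never stored in state and so cannot be diffed.
variable "admin_password_version" {
  type    = number
  default = 1
}

# Ephemeral resource: generated during plan/apply and never written to the
# plan file or state. Both consumers below read the same instance, so they
# receive the same password within one apply.
ephemeral "random_password" "admin" {
  length           = 32
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "azurerm_postgresql_flexible_server" "this" {
  name                = "psql-${var.resource_prefix}-${var.environment}-${var.instance}"
  resource_group_name = var.resource_group_name # assumed input
  location            = var.location            # assumed input
  version             = "16"
  sku_name            = "B_Standard_B1ms"
  storage_mb          = 32768

  administrator_login               = "psqladmin"
  administrator_password_wo         = ephemeral.random_password.admin.result
  administrator_password_wo_version = var.admin_password_version
}

resource "azurerm_key_vault_secret" "admin_password" {
  count            = var.should_store_credentials_in_key_vault ? 1 : 0
  name             = "psql-${var.resource_prefix}-${var.environment}-${var.instance}-admin-password"
  value_wo         = ephemeral.random_password.admin.result
  value_wo_version = var.admin_password_version
  key_vault_id     = var.key_vault.id
}
```

After an apply, `terraform show` should list neither `administrator_password_wo` nor `value_wo` with a value, which is the check that the secret did not land in state; anything that later needs the password must read it back from Key Vault rather than from a Terraform attribute.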