
Is there an example of obscuring sensitive values in Atlantis workflow? #471

Closed
ryuheechul opened this issue Feb 12, 2019 · 2 comments
Labels: question (Further information is requested)

Comments

@ryuheechul

ryuheechul commented Feb 12, 2019

I'm fairly new to Terraform and very new to Atlantis, so please bear with me if I ask about things that are obvious to experienced users.

I've just done the test drive, so I grasped how Atlantis works and am willing to introduce this to our workflow.

By the way, the test drive experience was a hell of a way to demo! 👏

And I understand that in order to plan and apply I need to push the .tf/.tfvars and whatever other necessary files into a repo and make a PR to work further.

And I just asked myself, "How can I let Atlantis know about sensitive data via Terraform variables without committing the actual (plain-text) data (either by reading it from somewhere or by obscuring the data), since I don't want to store that sensitive data in a git(hub) repo which many random team members can access at any time?"

So I've looked at the guide and docs, but I wasn't able to find anything similar there yet.

One thing I assumed should work is injecting that data as ENV VARS when I spin up Atlantis, for example TF_VAR_my_secret.

And since I still don't know what would be considered best practice to achieve this, and I'm also curious how other folks deal with similar issues, I'd like to hear your opinions!

@lkysow
Member

lkysow commented Feb 15, 2019

Hi Heechul,
Yes this is a very good question.

  1. If you're talking about secrets like AWS (or other cloud) credentials, people will set these as environment variables where they're running the atlantis server.

  2. For other secrets that might be needed on a per-project basis, there's not as good an answer. Some people are storing these secrets in HashiCorp vault and then using the vault provider to populate a data variable:

    provider "vault" {
      ...
    }

    data "vault_generic_secret" "secret" {
      path = "path"
    }

    provider "vsphere" {
      # the secret's key/value pairs are exposed under the data source's `data` map
      password = "${data.vault_generic_secret.secret.data["password"]}"
    }

    You could do the same thing by storing the secret in AWS Secrets Manager and then using the aws_secretsmanager_secret_version data source (https://www.terraform.io/docs/providers/aws/d/secretsmanager_secret_version.html).

  3. You could use a custom run step to retrieve a secret from somewhere, set it as a TF_VAR_ environment variable and then execute the terraform plan:

    version: 2
    projects:
    - dir: .
      workflow: custom
    workflows:
      custom:
        plan:
          steps:
          - init
          # run steps are executed with `sh -c`, so use the POSIX `.` rather than `source`;
          # the script must print nothing, because Atlantis posts the step's output to the PR
          - run: . ./my-script-to-retrieve-secrets.sh && terraform plan -input=false -refresh -no-color -out $PLANFILE
    

Let me know if that's helpful.

> by the way the test drive experience was a hell of a way to demo! 👏

Thanks so much! Great to hear it 😃

@lkysow lkysow added the waiting-on-response Waiting for a response from the user label Feb 15, 2019
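As an added example of the third approach (not code from the Atlantis project or from the thread), here is a hypothetical `my-script-to-retrieve-secrets.sh` that a custom run step could source before `terraform plan`. The names `export_tf_vars`, `redact_secrets`, the variable names `db_password`/`api_token` and the KEY=VALUE secrets file are all assumptions for the demo; the file stands in for a real store such as Vault or AWS Secrets Manager. The two security points it bakes in: the script writes no secret value to stdout or stderr, since Atlantis copies a run step's output into the PR comment, and it filters the plan text that goes back to the PR, because plan output can contain resource attributes derived from TF_VAR_* values.

```sh
#!/bin/sh
# Added example (not Atlantis project code): a hypothetical my-script-to-retrieve-secrets.sh
# for the custom run step, meant to be sourced with `. ./my-script-to-retrieve-secrets.sh`.
# The secret source here is a constructed KEY=VALUE file readable only by the atlantis user;
# in practice export_tf_vars would read from `vault kv get` / `aws secretsmanager get-secret-value`.
set -eu

# Export each KEY=VALUE line of a file as TF_VAR_<KEY>. Prints nothing on success:
# Atlantis posts a run step's stdout/stderr into the PR comment, so echoing a value leaks it.
export_tf_vars() {
    secrets_file="$1"
    if [ ! -r "$secrets_file" ]; then
        echo "export_tf_vars: cannot read secrets file" >&2
        return 1
    fi
    while IFS='=' read -r key value; do
        case "$key" in
            ''|\#*) continue ;;                      # skip blank lines and comments
            *[!A-Za-z0-9_]*)                         # refuse anything that is not a Terraform variable name
                echo "export_tf_vars: invalid variable name" >&2
                return 1 ;;
        esac
        export "TF_VAR_${key}=${value}"              # the value is never written to stdout
    done < "$secrets_file"
}

# Mask one secret value in text (for example `terraform plan` output) before Atlantis
# posts it. Provider blocks are not shown in a plan, but resource attributes fed from
# TF_VAR_* values are, so filter what reaches the PR. Note: awk -v interprets backslash
# escapes in the value, so a secret containing backslashes needs a different matcher.
redact_secrets() {
    secret="$1"
    if [ -z "$secret" ]; then
        cat                                          # empty pattern would loop forever in some awks
        return 0
    fi
    awk -v s="$secret" '
        { while ((i = index($0, s)) > 0)
              $0 = substr($0, 1, i - 1) "[REDACTED]" substr($0, i + length(s))
          print }'
}

# Constructed demo input standing in for the real secret store.
demo_file=$(mktemp)
printf '# database credentials\ndb_password=s3cr3t-demo\napi_token=tok-demo\n' > "$demo_file"
chmod 600 "$demo_file"
export_tf_vars "$demo_file"
rm -f "$demo_file"

# In the Atlantis run step the next command would be the real plan. The plan file written
# to $PLANFILE also holds the values in plaintext, so keep the Atlantis data dir locked down.
#   terraform plan -input=false -refresh -no-color -out "$PLANFILE" 2>&1 | redact_secrets "$TF_VAR_db_password"
```

One caveat on the final pipeline: under plain `sh` the exit status of a pipeline is that of its last command, so a failing `terraform plan` would still report success to Atlantis. Either write the plan output to a temporary file first and check `terraform`'s status, or run the step under `bash` with `set -o pipefail`.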
@ryuheechul
Author

Thanks! Your answer is pretty helpful!

I will try what you suggested and will let you know if I encounter any problems.

@lkysow lkysow added question Further information is requested and removed waiting-on-response Waiting for a response from the user labels Apr 9, 2019