Page MenuHomeDevCentral
Differential D3926

Don't store Terraform state and always rotate secrets
ClosedPublic
Actions

Authored by dereckson on Sun, Feb 8, 13:01.

Details

Reviewers
dereckson
Commits
rOPSb7fcb1aa0342: Don't store Terraform state and always rotate secrets
Summary

The Terraform state goal is to track resources last deployed state.

For Vault, it doesn't matter as the current provider write objects
using a create-or-update API, so the policies, auth methods and kv
objects can be reprovisionned without breaking anything.

Also, Vault recommends secret rotation, we've an opportunity here
to easily do that by creating with make rotate an atomic transaction
where we update all secret_id through Terraform then update
the configuration files with Salt.

Finally, secrets need to be stored in Vault, not Terraform state,
so it makes sense to discard state as temporary working file for
this specific workflow.

Test Plan
  • make rotate
  • Check Terraform output
  • Check Salt output

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson requested review of this revision.Sun, Feb 8, 13:01
dereckson created this revision.
Harbormaster completed remote builds in B6263: Diff 10173.Sun, Feb 8, 13:01
dereckson added a comment.Sun, Feb 8, 13:01

Code review with Claude Sonnet 4.5 gave two improvements to the Makefile: audit log, .PHONY targets.

dereckson updated this revision to Diff 10174.Sun, Feb 8, 13:17

Fix AUDIT_LOG variable

Harbormaster completed remote builds in B6264: Diff 10174.Sun, Feb 8, 13:17
dereckson accepted this revision.Sun, Feb 8, 13:18
This revision is now accepted and ready to land.Sun, Feb 8, 13:18
Closed by commit rOPSb7fcb1aa0342: Don't store Terraform state and always rotate secrets (authored by dereckson). · Explain WhySun, Feb 8, 13:21
This revision was automatically updated to reflect the committed changes.
dereckson added a commit: rOPSb7fcb1aa0342: Don't store Terraform state and always rotate secrets.

Revision Contents
Changeset List

PathSize
roles/
reports/
rhyne-wyse/
2 lines
viperserv/
eggdrop/
2 lines
terraform/
11 lines
openbao/
27 lines
modules/
app_credentials/
6 lines

Diff 10177

View Options

roles/reports/rhyne-wyse/config.sls

Loading...
View Options

roles/viperserv/eggdrop/config.sls

Loading...
View Options

terraform/README.md

Loading...
View Options

terraform/openbao/Makefile

Loading...
View Options

terraform/openbao/modules/app_credentials/main.tf

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator