I've got 2 options to pass creds to a terraform provider:

1. `FOO_PROVIDER_USERNAME` & `FOO_PROVIDER_PASSWORD`. Update: and read them from ENV in the source code of the provider so there are no username / password vars in *.tf files.

2. In the provider block:

```hcl
provider "foocloud" {
  username = "[email protected]"
  password = "coolpass"
}
```

Shall I pick #1 or #2? My concern about #2 is that those username / password might be saved to a state file, which is a security concern.
EDIT: this is typically for managing secrets in resources:
A few weeks ago, I came across this great article by Yevgeniy Brikman:
Out of the two options you mention, go with option 1 (like you said, option 2 will write them to the state file), but you should set the variables as sensitive.

Example:

```hcl
# main.tf
# A resource block needs two labels (type and name); "example" is a placeholder name.
resource "foocloud" "example" {
  name     = "foobar"
  username = var.username
  password = var.password
}
```

```hcl
# variables.tf
variable "username" {
  description = "foobar"
  type        = string
  sensitive   = true   # redacts the value in plan/apply output
}

variable "password" {
  description = "foobar"
  type        = string
  sensitive   = true
}
```

```shell
# command line or in text file
export TF_VAR_username=foo
export TF_VAR_password=bar
```
EDIT: in the case of authentication to cloud providers such as AWS you can use the credentials files among other options, as explained here:
https://blog.gruntwork.io/authenticating-to-aws-with-the-credentials-file-d16c0fbcbf9e
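As an added check, not part of the question or the answer above, here is a small Python script that flags the two risks discussed: string-literal credentials in a provider or resource block (option 2), and credential attributes sitting in plaintext in terraform.tfstate. Note that `sensitive = true` only redacts values from plan and apply output; once a resource is created, its attributes, password included, are written to state in plaintext, so the state backend itself still needs access control and encryption at rest. The `.tf` text and the state document are constructed samples, and the `SENSITIVE_KEYS` list is an assumption to be tuned to the provider in use.

```python
import json
import re

# Attribute names that should never be assigned a literal in .tf files or
# appear unredacted in state. Assumed list; extend it for your provider.
SENSITIVE_KEYS = {"password", "secret", "secret_key", "token", "api_key", "private_key"}

# Matches `key = "literal"` assignments. References such as var.password or
# local.password are unquoted, so they never match.
_LITERAL_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')


def find_hardcoded_credentials(hcl_text):
    """Return (line_no, key) for every sensitive key assigned a string literal."""
    findings = []
    for line_no, line in enumerate(hcl_text.splitlines(), start=1):
        m = _LITERAL_ASSIGN.match(line)
        if m and m.group(1).lower() in SENSITIVE_KEYS:
            findings.append((line_no, m.group(1)))
    return findings


def find_secrets_in_state(state_text):
    """Return resource addresses whose state attributes hold a sensitive value.

    Walks the Terraform v4 state layout: resources[].instances[].attributes.
    """
    state = json.loads(state_text)
    hits = []
    for res in state.get("resources", []):
        address = f'{res.get("type")}.{res.get("name")}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for key, value in attrs.items():
                if key.lower() in SENSITIVE_KEYS and value not in (None, ""):
                    hits.append(f"{address}.{key}")
    return hits


# Constructed sample: the hardcoded provider block from the question beside
# the variable-based resource from the answer.
SAMPLE_TF = '''
provider "foocloud" {
  username = "user@example.com"
  password = "coolpass"
}

resource "foocloud" "example" {
  name     = "foobar"
  username = var.username
  password = var.password
}
'''

# Constructed sample state: even with sensitive = true on the variable, the
# value lands in state as plaintext once the resource has been created.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "foocloud",
        "name": "example",
        "instances": [{"attributes": {"name": "foobar", "username": "foo", "password": "bar"}}],
    }],
})

if __name__ == "__main__":
    for line_no, key in find_hardcoded_credentials(SAMPLE_TF):
        print(f"literal credential: line {line_no} key {key!r}")
    for hit in find_secrets_in_state(SAMPLE_STATE):
        print(f"plaintext in state: {hit}")
```

Run against a module as a pre-commit hook to catch option-2 style literals before they are committed, and against a pulled-down state file to see which resources require the backend to be treated as a secret store.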