I am creating an API connection in Azure to send email via Terraform. I need to set, theoretically, the password to send the email. I am following this documentation:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_connection
Here is the code I am using:
resource "azurerm_api_connection" "noreply_email_api" {
  ...
  parameter_values = {
    serverAddress: "xxx",
    userName: "yyy",
    port: 123,
    enableSSL: true,
    password: "zzzz"
  }
  lifecycle {
    # NOTE: since the connectionString is a secure value it's not returned from the API
    ignore_changes = [ parameter_values ]
  }
}
Almost everything works correctly... except the password. Here is the code I get when I run the code:
"nonSecretParameterValues": {
  "enableSSL": "true",
  "port": "123",
  "serverAddress": "xxx",
  "userName": "yyy"
},
That seems correct. In fact, if I compare this result with an API connection I created by hand, the full code is exactly the same. There is no section for sensitive data.
But when I see the properties of the connection I see the password is not set:
How can I set the password of the connection?
Thank you
I tried similar code to create an API connection using a connection string:
resource "azurerm_api_connection" "example" {
  name                = "kaexample-connection"
  resource_group_name = data.azurerm_resource_group.example.name
  managed_api_id      = data.azurerm_managed_api.example.id
  display_name        = "Example 1"
  parameter_values = {
    connectionString = azurerm_servicebus_namespace.example.default_primary_connection_string
  }
  tags = {
    Hello = "World"
  }
  lifecycle {
    # NOTE: since the connectionString is a secure value it's not returned from the API
    ignore_changes = [parameter_values]
  }
}
But its value did not appear in the API connection properties:
You can store the password value in Key Vault, as it is secure:
resource "azurerm_key_vault_secret" "password_one" {
  name         = "SBconnectionstring"
  value        = azurerm_servicebus_namespace.example.default_primary_connection_string
  key_vault_id = azurerm_key_vault.example.id
}
output "conn" {
  value     = azurerm_key_vault_secret.password_one.value
  sensitive = true
}
Apply complete! Resources: 2 added, 1 changed, 0 destroyed.
Outputs:
conn = <sensitive>
connstr = tomap({})
These are sensitive values, hence they are updated in the backend as securestring and not exposed in the portal itself.
As the value is now stored in Key Vault, you can access it and check the value.
You can check this: Azure synapse linked service for Azure Function in Terraform - Stack Overflow, where the linked service uses the SecureString type to define the secrets through JSON code,
and give the password with type securestring:
Below is sample code from api-connection-username-and-password-in-arm-template
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "connections_sql_name": {
      "type": "string",
      "defaultValue": "connections_sql_name"
    },
    "sql_server": {
      "type": "string",
      "defaultValue": "server201-dev-sql.database.windows.net"
    },
    "sql_database": {
      "type": "string",
      "defaultValue": "Incidents"
    },
    "sql_authType": {
      "type": "string",
      "defaultValue": "Windows"
    },
    "username": {
      "type": "securestring"
    },
    "password": {
      "type": "securestring"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Web/connections",
      "apiVersion": "2016-06-01",
      "name": "[parameters('connections_sql_name')]",
      "location": "westeurope",
      "properties": {
        "displayName": "Test Connection Name",
        "parameterValues": {
          "server": "[parameters('sql_server')]",
          "database": "[parameters('sql_database')]",
          "authType": "[parameters('sql_authType')]",
          "userName": "[parameters('username')]",
          "password": "[parameters('password')]"
        },
        "customParameterValues": {},
        "api": {
          "id": "[concat('/subscriptions/', subscription().subscriptionID, '/providers/Microsoft.Web/locations/westeurope/managedApis/sql')]"
        }
      }
    }
  ]
}
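
As an added example (not part of the answer above and not Azure or Terraform tooling), this Python check audits an ARM template for `Microsoft.Web/connections` secrets that are not passed through `securestring` parameters, the pattern the template above follows. The name patterns in `SECRET_NAME`, the helper `make_template` and its sample values are assumptions constructed for illustration.

```python
import re

# Heuristic (assumption): parameter names that usually carry credentials.
SECRET_NAME = re.compile(r"password|secret|connectionstring|token", re.I)
SECURE_TYPES = {"securestring", "secureobject"}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def audit_connection_template(template):
    """Return findings for secrets an ARM template would carry in plain text."""
    findings = []
    params = template.get("parameters", {})
    for name, spec in params.items():
        secure = spec.get("type", "").lower() in SECURE_TYPES
        if SECRET_NAME.search(name) and not secure:
            findings.append(f"parameter {name}: type {spec.get('type')} is not secure")
        if secure and spec.get("defaultValue"):
            findings.append(f"parameter {name}: secure type with hardcoded defaultValue")
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.web/connections":
            continue
        values = res.get("properties", {}).get("parameterValues", {})
        for key, value in values.items():
            if not SECRET_NAME.search(key):
                continue
            ref = PARAM_REF.match(str(value))
            if ref is None:
                findings.append(f"parameterValues.{key}: literal value in template")
            elif params.get(ref.group(1), {}).get("type", "").lower() not in SECURE_TYPES:
                findings.append(f"parameterValues.{key}: references non-secure parameter {ref.group(1)}")
    return findings


def make_template(password_type, password_value):
    # Constructed sample input, shaped like the template in the answer above.
    return {
        "parameters": {
            "username": {"type": "securestring"},
            "password": {"type": password_type},
        },
        "resources": [{
            "type": "Microsoft.Web/connections",
            "name": "example-connection",
            "properties": {"parameterValues": {
                "userName": "[parameters('username')]",
                "password": password_value,
            }},
        }],
    }
```

Load a real template with `json.load` and pass the resulting dict to `audit_connection_template`; an empty list means every secret-looking connection value is a reference to a secure parameter.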