Tags: terraform, terraform-provider-azure, azure-rm

How to set sensitive parameter in azurerm_api_connection in Terraform


I am creating an API connection in Azure to send email via Terraform. I need to set, theoretically, the password to send the email. I am following this documentation:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_connection

Here is the code I am using:

resource "azurerm_api_connection" "noreply_email_api" {
  ...

  parameter_values = {
    serverAddress: "xxx",
    userName: "yyy",
    port: 123,
    enableSSL: true,
    password: "zzzz" 
  }

  lifecycle {
    # NOTE: since the connectionString is a secure value it's not returned from the API
    ignore_changes = [ parameter_values ]
  }
}

Almost everything works correctly... except the password. Here is the output I get when I run the code:

"nonSecretParameterValues": {
    "enableSSL": "true",
    "port": "123",
    "serverAddress": "xxx",
    "userName": "yyy"
},

That seems correct. In fact, if I compare this result with an API connection I created by hand, the full code is exactly the same. There is no section for sensitive data.

But when I see the properties of the connection I see the password is not set:

[screenshot omitted]

How can I set the password of the connection?

Thank you


Solution

  • I have tried similar code to create an API connection using a connection string:

    resource "azurerm_api_connection" "example" {
      name                = "kaexample-connection"
      resource_group_name = data.azurerm_resource_group.example.name
      managed_api_id      = data.azurerm_managed_api.example.id
      display_name        = "Example 1"
    
      parameter_values = {
        connectionString = azurerm_servicebus_namespace.example.default_primary_connection_string
      }
    
      tags = {
        Hello = "World"
      }
    
      lifecycle {
        # NOTE: since the connectionString is a secure value it's not returned from the API
        ignore_changes = [parameter_values]
      }
    }
    

    But its value did not appear in the API connection properties:

    [screenshot omitted]

    You can store the password value in Key Vault, as it is secure:

    resource "azurerm_key_vault_secret" "password_one" {
      name         = "SBconnectionstring"
      value        = azurerm_servicebus_namespace.example.default_primary_connection_string
      key_vault_id = azurerm_key_vault.example.id
    }
    
    output "conn" {
      value = azurerm_key_vault_secret.password_one.value
      sensitive = true
    }
    

    Apply complete! Resources: 2 added, 1 changed, 0 destroyed.

    Outputs:
    conn = <sensitive>
    connstr = tomap({})
    

    These are sensitive values, hence they are updated in the backend as securestring and not exposed in the portal itself.

    As the value is now stored in Key Vault, you can access it there and check the value.

    You can check this Stack Overflow question, Azure synapse linked service for Azure Function in Terraform, where the linked service uses the SecureString type to define the secrets through JSON code.

    Give the password the type securestring:

    Below is sample code from api-connection-username-and-password-in-arm-template:

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "connections_sql_name": {
          "type": "string",
          "defaultValue": "connections_sql_name"
        },
        "sql_server": {
          "type": "string",
          "defaultValue": "server201-dev-sql.database.windows.net"
        },
        "sql_database": {
          "type": "string",
          "defaultValue": "Incidents"
        },
        "sql_authType": {
          "type": "string",
          "defaultValue": "Windows"
        },
        "username": {
          "type": "securestring"
        },
        "password": {
          "type": "securestring"
        }
      },
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.Web/connections",
          "apiVersion": "2016-06-01",
          "name": "[parameters('connections_sql_name')]",
          "location": "westeurope",
          "properties": {
            "displayName": "Test Connection Name",
            "parameterValues": {
              "server": "[parameters('sql_server')]",
              "database": "[parameters('sql_database')]",
              "authType": "[parameters('sql_authType')]",
              "userName": "[parameters('username')]",
              "password": "[parameters('password')]"
            },
            "customParameterValues": {},
            "api": {
              "id": "[concat('/subscriptions/', subscription().subscriptionID, '/providers/Microsoft.Web/locations/westeurope/managedApis/sql')]"
            }
          }
        }
      ]
    }
    

    Reference: https://learn.microsoft.com/en-us/azure/templates/microsoft.web/connections?pivots=deployment-language-terraform
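The following is a worked example added here; it is not code from the question or the answer. It pulls the pattern the answer describes together end to end: the SMTP password comes in as a sensitive variable, is written to Key Vault, and is handed to `azurerm_api_connection` as a secure parameter, with `ignore_changes` covering the fact that Azure never returns the secure value. The resource names (`azurerm_resource_group.example`, `azurerm_key_vault.example`, the `smtp` managed API, the server and user names) are assumptions for illustration.

```hcl
# Added example, not from the original post. Assumes azurerm_resource_group.example
# and azurerm_key_vault.example already exist in the same configuration.

variable "smtp_password" {
  description = "SMTP password. Supply via TF_VAR_smtp_password or an uncommitted tfvars file."
  type        = string
  sensitive   = true # redacted from plan/apply output
}

# Keep the canonical copy of the secret in Key Vault, as the answer suggests.
resource "azurerm_key_vault_secret" "smtp_password" {
  name         = "smtp-password" # assumed secret name
  value        = var.smtp_password
  key_vault_id = azurerm_key_vault.example.id
}

# The SMTP managed API; "smtp" is the assumed managed API name for this connector.
data "azurerm_managed_api" "smtp" {
  name     = "smtp"
  location = azurerm_resource_group.example.location
}

resource "azurerm_api_connection" "noreply_email_api" {
  name                = "noreply-smtp"
  resource_group_name = azurerm_resource_group.example.name
  managed_api_id      = data.azurerm_managed_api.smtp.id
  display_name        = "noreply SMTP"

  # parameter_values is a map of strings, so numbers and booleans are quoted.
  parameter_values = {
    serverAddress = "smtp.example.com"       # assumed
    userName      = "noreply@example.com"    # assumed
    port          = "587"
    enableSSL     = "true"
    # The secure parameter is write-only on the Azure side: it is sent on
    # create, stored as a secure string, and never listed under
    # nonSecretParameterValues, which is why the portal shows it as unset.
    password      = azurerm_key_vault_secret.smtp_password.value
  }

  lifecycle {
    # Azure never echoes the password back, so without this every plan
    # would show a spurious diff on parameter_values.
    ignore_changes = [parameter_values]
  }
}

# Expose the secret's id (not its value) for consumers such as Logic Apps.
output "smtp_password_secret_id" {
  value = azurerm_key_vault_secret.smtp_password.id
}
```

Two caveats a practitioner should keep in mind. First, referencing the Key Vault secret's `value` still writes the plaintext into the Terraform state, even though it is marked sensitive; protect the state backend accordingly. Second, because `ignore_changes` covers `parameter_values`, rotating the password in Key Vault will not update the connection; the connection has to be replaced (for example with `terraform apply -replace=azurerm_api_connection.noreply_email_api`) for the new secret to be sent.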