Secure Storing of User Data

To protect sensitive data, avoid storing user credentials in the .tfvars file and state data in the .tfstate file in plain text. The sections below describe methods for storing user data securely.

Storing User Credentials in Environment Variables

You can pass user credentials to Terraform through environment variables for the tss_server_url, tss_username, and tss_password variables. You must add the prefix TF_VAR_ before these variable names so that Terraform automatically reads the values from the environment.

Set the environment variables as follows:

For Linux

$ export TF_VAR_tss_username="my_app_user"

$ export TF_VAR_tss_password="Password."

$ export TF_VAR_tss_server_url="https://localhost/SecretServer"

For Windows

> rem Quote the whole assignment; quotes placed after = would become part of the value.

> set "TF_VAR_tss_username=my_app_user"

> set "TF_VAR_tss_password=Password."

> set "TF_VAR_tss_server_url=https://localhost/SecretServer"

After setting these environment variables, you no longer need to store credentials in the .tfvars file. You can then run the terraform plan or terraform apply commands as usual.

Ephemeral Resource Support for Improved Security

The Terraform provider now supports ephemeral resources using the latest Terraform Plugin Framework. Ephemeral resources are temporary, short-lived entities created during the execution of a terraform apply operation. They are not persisted in the Terraform state file or any other Terraform-managed storage, offering enhanced security for managing sensitive data such as usernames, passwords, and API tokens.

Usage Example

To use ephemeral resources in your Terraform configuration, define them using the ephemeral block type. For instance:

ephemeral "tss_secret" "my_username" {
  id    = var.tss_secret_id
  field = "username"
}
ephemeral "tss_secret" "my_password" {
  id    = var.tss_secret_id
  field = "password"
}

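These values can be dynamically injected into other Terraform resources. Terraform accepts an ephemeral value only where the receiving argument supports it, for example a write-only argument or a provider configuration block: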

resource "print_resource" "print_username" {
  secret = ephemeral.tss_secret.my_username.secret_value
}
# Requires an ephemeral "tss_secrets" "my_usernames" block, which is not shown on this page.
resource "print_resource" "print_usernames" {
  secret = ephemeral.tss_secrets.my_usernames.secrets
}

Sample Terraform files demonstrating the use of ephemeral resources are available in the terraform-provider-tss/examples/secrets directory for reference. For more details and examples on using ephemeral resources, see Ephemeral Resource Support for Improved Security.

This enhancement is particularly valuable in dynamic infrastructure environments where secrets must be accessed securely and temporarily during provisioning.
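A check for the two risks named at the top of this page, credentials left in a .tfvars file and tss_* values persisted in the state file, as an added example that is not part of the provider's documentation or code. It assumes the Terraform state version 4 JSON layout; the function names are hypothetical, and the sample inputs, including the attribute name value, are constructed.

```python
import json
import re

# Variable names from this page; they belong in TF_VAR_* environment variables.
CREDENTIAL_VARS = {"tss_username", "tss_password", "tss_server_url"}
# Attributes that only identify a secret and do not carry its value (assumption).
NON_SECRET_ATTRS = {"id", "field"}

def tfvars_credentials(tfvars_text):
    """Return the credential variables assigned in the text of a .tfvars file."""
    found = []
    for line in tfvars_text.splitlines():
        # Commented-out lines start with '#' and therefore never match.
        match = re.match(r"\s*([A-Za-z_][\w-]*)\s*=", line)
        if match and match.group(1) in CREDENTIAL_VARS:
            found.append(match.group(1))
    return found

def state_secret_attrs(state_text, type_prefix="tss_"):
    """Return (address, attribute) pairs for tss_* values persisted in state."""
    hits = []
    for res in json.loads(state_text).get("resources", []):
        if not res.get("type", "").startswith(type_prefix):
            continue
        mode = "data." if res.get("mode") == "data" else ""
        address = f"{mode}{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for attr, value in (inst.get("attributes") or {}).items():
                if attr not in NON_SECRET_ATTRS and value not in (None, "", [], {}):
                    hits.append((address, attr))
    return hits

# Constructed sample inputs (not real files or real secrets).
SAMPLE_TFVARS = 'tss_secret_id = 1\n# tss_username = "old"\ntss_password = "Password."\n'
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "data", "type": "tss_secret", "name": "my_password",
         "instances": [{"attributes": {"id": 1, "field": "password",
                                       "value": "constructed-sample"}}]},
        {"mode": "managed", "type": "null_resource", "name": "other",
         "instances": [{"attributes": {"id": "123"}}]},
    ],
})

if __name__ == "__main__":
    print("credentials in .tfvars:", tfvars_credentials(SAMPLE_TFVARS))
    print("secret values in state:", state_secret_attrs(SAMPLE_STATE))
```

A configuration that reads secrets only through ephemeral blocks should produce an empty list from state_secret_attrs, because ephemeral resources are not written to the state file.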