Resource "aws_iam_access_key" stores access & secret key in .tfstate


Philip M

May 12, 2016, 6:24:18 PM
to Terraform
I want to use terraform to manage all our AWS IAM user accounts.
After creating a few test user accounts, I see that the access key, secret key, and SES password are all stored in the terraform .tfstate file.
This is really insecure, as many times these files get committed to git repos or uploaded to S3 buckets.
I worked around this by manually deleting the Secret Key and SES password from the terraform.tfstate file.
This allows terraform to still be happy about knowing the access key, while not knowing the secrets.

You might want to not allow storing the secret key at all.

Thanks,

Philip
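The manual cleanup described in the post above, mechanized, as an added example that is not part of this thread or of Terraform itself: a small Python script that scans a terraform.tfstate file for the secret-bearing attributes of aws_iam_access_key (secret, ses_smtp_password, ses_smtp_password_v4) and aws_db_instance (password) and produces a copy with those attributes removed while the access key id and everything else stay in place. It understands both the flat `resources[].instances[]` layout of state format version 4 and the older `modules[].resources{}.primary.attributes` layout. The two sample states are constructed; the resource-to-attribute map is an assumption that you extend for other providers, and the AKIAIOSFODNN7EXAMPLE / wJalrX... values are the AWS documentation's placeholder credentials, not real ones.

```python
"""Find and strip secrets that Terraform persisted into a .tfstate file."""
import copy
import json
import sys

# Secret-bearing attributes by resource type (AWS provider attribute names).
# Assumption: extend this map for other providers/resources you manage.
# Tuples, not sets, so scan results come back in a stable order.
SENSITIVE_ATTRS = {
    "aws_iam_access_key": ("secret", "ses_smtp_password", "ses_smtp_password_v4"),
    "aws_db_instance": ("password",),
}


def _instances(state):
    """Yield (resource_type, address, attributes_dict) for every instance.

    Attribute dicts are yielded by reference so callers can edit them.
    """
    # State format version 4 (Terraform 0.12+): resources[].instances[]
    for res in state.get("resources", []):
        addr = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            yield res["type"], addr, inst.setdefault("attributes", {})
    # Legacy format: modules[].resources{"type.name": {"primary": {...}}}
    for mod in state.get("modules", []):
        for addr, res in mod.get("resources", {}).items():
            rtype = res.get("type", addr.split(".")[0])
            primary = res.setdefault("primary", {})
            yield rtype, addr, primary.setdefault("attributes", {})


def find_secrets(state):
    """Return [(address, attribute)] for each populated secret attribute."""
    hits = []
    for rtype, addr, attrs in _instances(state):
        for key in SENSITIVE_ATTRS.get(rtype, ()):
            if attrs.get(key):
                hits.append((addr, key))
    return hits


def redact(state):
    """Return a deep copy of `state` with secret attributes deleted.

    Deleting (rather than blanking) the key mirrors the manual edit from the
    thread: Terraform still tracks the access key id, the secret is gone.
    """
    clean = copy.deepcopy(state)
    for rtype, _addr, attrs in _instances(clean):
        for key in SENSITIVE_ATTRS.get(rtype, ()):
            attrs.pop(key, None)
    return clean


# Constructed sample in state format version 4.
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_iam_user", "name": "philip",
         "instances": [{"attributes": {"name": "philip"}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "philip",
         "instances": [{"attributes": {
             "id": "AKIAIOSFODNN7EXAMPLE", "user": "philip",
             "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
             "ses_smtp_password_v4": "BExampleSesSmtpPasswordValue"}}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {
             "identifier": "main", "username": "admin", "password": "hunter2"}}]},
    ],
}

# Constructed sample in the legacy (Terraform 0.6/0.7-era) layout.
LEGACY_STATE = {
    "version": 1,
    "modules": [{"path": ["root"], "resources": {
        "aws_iam_access_key.ci": {"type": "aws_iam_access_key", "primary": {
            "id": "AKIAIOSFODNN7EXAMPLE",
            "attributes": {"id": "AKIAIOSFODNN7EXAMPLE", "user": "ci",
                           "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}}}}],
}


if __name__ == "__main__":
    # Usage: python tfstate_scan.py terraform.tfstate  -> writes <file>.redacted
    path = sys.argv[1] if len(sys.argv) > 1 else None
    state = json.load(open(path)) if path else SAMPLE_STATE
    for addr, key in find_secrets(state):
        print(f"secret in state: {addr}.{key}")
    if path:
        with open(path + ".redacted", "w") as fh:
            json.dump(redact(state), fh, indent=2)
```

Two caveats. Terraform plans against the difference between configuration and state, so a password that is still in the .tf file (the RDS master password case) but no longer in state may show up as a planned change on the next run; this script is a detection and cleanup aid for state that has already been committed or uploaded, not a substitute for keeping state out of git and in an encrypted remote backend. For the IAM case specifically, later versions of the AWS provider added a pgp_key argument on aws_iam_access_key so that only an encrypted_secret is written to state.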


David Adams

May 12, 2016, 7:59:31 PM
to terrafo...@googlegroups.com
Agreed that this is poor behavior. I hope there's something in the works to be able to exclude these from the state file. Beyond secrets, it would be nice if we could specify to ignore certain fields altogether from the state. For example, with ELB and ASG member instances for autoscaling purposes, I don't specify the instances and don't want temporary instance IDs cluttering up the state file and creating the potential for merge conflicts.

--
David Adams | Systems Administrator

shorn....@gmail.com

May 12, 2016, 8:16:42 PM
to Terraform

I do the basic user management of our AWS IAM accounts with TF, but I do authentication stuff (configuring password management, initial password, etc.) manually using the console.
It's a bit of a pain - you have to make sure you delete the auth stuff using the console before you can delete the user with TF.
But it keeps the tfstate file clear of IAM authentication information.

Just wish I could figure a way to keep the RDS master password out of there (short of editing the tfstate file, though it may come to that soon).

shorn....@gmail.com

May 12, 2016, 8:20:39 PM
to Terraform
> it would be nice if we could specify to ignore certain fields altogether from the state.

Yes, I'd really like that too.

I want to be able to tell TF to not store the RDS password in the state file and then pass it in as a variable.