Commit

feat: show how to exclude secrets from tf overwriting them (#254)
* show how to exclude secrets from tf overwriting them

* fix typo
rauerhans authored Mar 16, 2024
1 parent 80d46a9 commit 4a85f4c
Showing 1 changed file with 32 additions and 0 deletions.
32 changes: 32 additions & 0 deletions pages/deployments/templating.md
Expand Up @@ -47,3 +47,35 @@ kind: Secret
stringData:
MY_SECRET: { { configuration.secret } }
```

## Safeguarding Sensitive Configurations in Terraform

In some cases you might want to reserve secrets for manual input in the Plural Console, yet configure others in the Terraform definition of your service.
This example demonstrates the exclusion of certain configuration secrets, such as passwords and usernames, allowing manual entry exclusively within the Plural Console by leveraging Terraform's `ignore_changes` feature.

```tf
resource "plural_service_deployment" "monitoring" {
name = "monitoring"
namespace = "monitoring"
repository = {...}
cluster = {
id = "cluster-id"
}
configuration = {
monitoringRepo = plural_git_repository.monitoring.id
repoUrl = local.repo_url
namespace = kubernetes_namespace.monitoring.metadata[0].name
}
# enter these secrets in the service UI safely without risking the next `terraform apply` overwriting them
lifecycle {
ignore_changes = [
configuration["basicAuthPassword"],
configuration["basicAuthUser"],
]
}
}
```

In this example, sensitive configurations like `basicAuthUser` and `basicAuthPassword` are excluded from Terraform's lifecycle management using the `ignore_changes` parameter.
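Review bot: The closing sentence says `basicAuthUser` and `basicAuthPassword` are "excluded from Terraform's lifecycle management", which overstates what the `lifecycle` block in the example does. `ignore_changes` only stops Terraform from planning updates to those two `configuration` keys; it does not by itself keep their values out of Terraform state. If the provider reads `configuration` back from the API, secrets entered in the Console could still land in the state file, so the doc should say whether that happens and, if it does, point readers at protecting the state backend. Suggest rewording to something like "Terraform will not overwrite the values of these keys on later applies". Two smaller points: state explicitly that the two keys are deliberately left out of the `configuration` map, since readers may otherwise add placeholder values there, and indent the body of the `tf` block as `terraform fmt` would, since it is currently flush left.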
