secrethub/terraform-provider-secrethub

Creating secrets for multiple repos

techjacker opened this issue · 2 comments

I'd like to write secrets to several different secrethub repos using the secrethub terraform provider (I'd also like to create these repos using the provider but understand you are already working on this).

My initial plan was to create a service account at the organisation level and pass that as the creds to the provider. This is not possible as service accounts are created at the repo level. It seems the only possible way to achieve what I'm trying to do is to create a robot user account and use those credentials to provision the secrets. Even if you had the ability to pass multiple creds to the provider this would make for quite a cumbersome API I think.

Do you have any recommendations for the approach I should take?

You're right about creating service accounts on an organization level; we're planning to make this possible in the future.

For now, you can use Terraform's provider alias feature, which would look something like this:

# One provider block per repo, each with its own alias and credential.
provider "secrethub" {
  alias      = "repo_1"
  credential = var.secrethub_credential_1
}

provider "secrethub" {
  alias      = "repo_2"
  credential = var.secrethub_credential_2
}

variable "secrethub_credential_1" {}
variable "secrethub_credential_2" {}

# Each resource selects the aliased provider (and thus the credential) to use.
resource "secrethub_secret" "secret_1" {
  provider = secrethub.repo_1
  ...
}

resource "secrethub_secret" "secret_2" {
  provider = secrethub.repo_2
  ...
}

Far from ideal, but should work.

Alternatively, you could indeed create an extra user account as you say or you could structure your Terraform projects in a way that one Terraform project only writes to one SecretHub repo.
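A fuller version of the alias approach, as an added example that is not part of the maintainer's reply or the provider's own documentation. It assumes the `secrethub_secret` resource accepts `path` and `value` attributes (the names used here are assumptions, as are the repo paths and the variable names), and it marks the credential and secret-value variables `sensitive` so Terraform redacts them from plan and apply output:

```hcl
# Added example: one aliased provider per SecretHub repo, one credential each.
# The attribute names `path` and `value` on secrethub_secret are assumptions.

terraform {
  required_providers {
    secrethub = {
      source = "secrethub/secrethub"
    }
  }
}

# Service-account credentials, one per repo. Marked sensitive so they are
# redacted from `terraform plan` / `apply` output and not echoed in logs.
variable "secrethub_credential_app" {
  type      = string
  sensitive = true
}

variable "secrethub_credential_infra" {
  type      = string
  sensitive = true
}

# Secret values to write; also sensitive so they never appear in CLI output.
variable "db_password" {
  type      = string
  sensitive = true
}

variable "api_token" {
  type      = string
  sensitive = true
}

provider "secrethub" {
  alias      = "app"
  credential = var.secrethub_credential_app
}

provider "secrethub" {
  alias      = "infra"
  credential = var.secrethub_credential_infra
}

# Written with the "app" service account; paths are constructed placeholders.
resource "secrethub_secret" "db_password" {
  provider = secrethub.app
  path     = "my-org/app-repo/prod/db/password"
  value    = var.db_password
}

# Written with the "infra" service account, which has no access to app-repo.
resource "secrethub_secret" "api_token" {
  provider = secrethub.infra
  path     = "my-org/infra-repo/prod/api/token"
  value    = var.api_token
}
```

The `provider =` meta-argument must be a static reference, so a resource cannot pick an alias dynamically with `for_each`; one resource block per repo (or one Terraform root module per repo, as mentioned in the reply) keeps each credential scoped to the single repo it was created for. Note that Terraform still records the secret values in state, so the state backend needs to be protected and encrypted regardless of which layout is chosen.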

OK, this helps, thanks very much for your help.