如何在 terraform 中提取敏感的输出变量? [英] How to extract sensitive output variables in terraform?

问题描述

我有一个 terraform 配置，它使用访问密钥创建一个 AWS IAM 用户，并将 id 和 secret 分配给输出变量:

I have a terraform config which creates an AWS IAM user with an access key, and I assign both id and secret to output variables:

...

resource "aws_iam_access_key" "brand_new_user" {
  user = aws_iam_user.brand_new_user.name
}

output "brand_new_user_id" {
  value = aws_iam_access_key.brand_new_user.id
}

output "brand_new_user_secret" {
  value     = aws_iam_access_key.brand_new_user.encrypted_secret
  sensitive = true
}

这里 brand_new_user_secret 被声明为敏感的，所以 terraform output 显然不会打印它.

Here brand_new_user_secret is declared as sensitive, so terraform output obviously does not print it.

有没有办法在不解析整个状态文件的情况下获得它的输出值?尝试直接访问它(terraform output brand_new_user_secret)不起作用(导致错误在状态文件中找不到请求的输出变量...").

Is there any way to get its output value without parsing the whole state file? Trying to access it directly (terraform output brand_new_user_secret) does not work (results in an error "The output variable requested could not be found in the state file...").

Terraform 版本:0.12.18

Terraform version: 0.12.18

推荐答案

我有一些希望避免它，但到目前为止我没有找到比解析 terraform state 更好的方法:

I had some hopes to avoid it, but so far I did not find a better way than parse terraform state:

terraform state pull | jq '.resources[] | select(.type == "aws_iam_access_key") | .instances[0].attributes'

这将导致类似于以下的结构:

which would result in a structure similar to:

{
  "encrypted_secret": null,
  "id": "....",
  "key_fingerprint": null,
  "pgp_key": null,
  "secret": "....",
  "ses_smtp_password": "....",
  "ses_smtp_password_v4": null,
  "status": "Active",
  "user": "...."
}

这篇关于如何在 terraform 中提取敏感的输出变量?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！