feature: Using terraform together with infisical login. #36
base: main
Left two comments!
I think this looks good, two things:
- As you mentioned yourself, we should rebase this with main before merging
- I think it's a good idea to just double-check and test that everything is working with user-based and machine identity-based auth
credentialsValue, err := GetValueInKeyring(userEmail) | ||
if err != nil { | ||
if err == keyring.ErrUnsupportedPlatform { | ||
return UserCredentials{}, errors.New("your OS does not support keyring. Consider using a service token https://infisical.com/docs/documentation/platform/token") |
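Review bot: the comparison err == keyring.ErrUnsupportedPlatform only matches the sentinel when it comes back unwrapped; if GetValueInKeyring or the keyring library wraps it, this branch is skipped and the user gets the generic error instead of the platform hint. Consider errors.Is(err, keyring.ErrUnsupportedPlatform). The message text also steers users to service tokens with a service-token docs URL; as raised in the review, it should point to machine identities, and the URL should be updated to match.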
Let's point users towards machine identities instead of service tokens
@@ -140,7 +140,7 @@ func (d *SecretsDataSource) Read(ctx context.Context, req datasource.ReadRequest | |||
for _, secret := range plainTextSecrets { | |||
data.Secrets[secret.Key] = InfisicalSecretDetails{Value: types.StringValue(secret.Value), Comment: types.StringValue(secret.Comment), SecretType: types.StringValue(secret.Type)} | |||
} | |||
} else if d.client.Config.AuthStrategy == infisical.AuthStrategy.UNIVERSAL_MACHINE_IDENTITY { | |||
} else if d.client.Config.AuthStrategy == infisical.AuthStrategy.UNIVERSAL_MACHINE_IDENTITY || d.client.Config.AuthStrategy == infisical.AuthStrategy.USER_PROFILE { | |||
secrets, err := d.client.GetRawSecrets(data.FolderPath.ValueString(), data.EnvSlug.ValueString(), data.WorkspaceId.ValueString()) |
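Review bot: the widened condition sends USER_PROFILE down the same d.client.GetRawSecrets(...) call as UNIVERSAL_MACHINE_IDENTITY, but as noted in the thread that function errors out when the machine identity client ID and client secret are empty, so the user-profile path fails before any secrets are fetched. Either make GetRawSecrets branch on d.client.Config.AuthStrategy, skipping the client ID/secret check for USER_PROFILE and using the keyring credentials instead, or give USER_PROFILE its own else-if branch with a dedicated fetch. The combined condition is also long enough that a small helper on the config (for example one that reports whether the strategy uses the raw-secrets API) would read better here and in the resource counterpart.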
GetRawSecrets() will fail here because inside the function we are doing: if machine identity client ID & client secret is empty, throw error.
So currently this doesn't factor in the case where the user is using user-based auth.
This PR enables users to use terraform together with the Infisical CLI. It checks for machine identity, then service token, and then finally checks for the keyring saved by the Infisical CLI.
Users must pass a profile argument or the env INFISICAL_USER_PROFILE to ensure the right one is picked from the keyring (in future, when you have multiple profiles via cli login). This improves UX as users don't have to maintain the identity token for each project user, and it also gives a good audit log.
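Added example, not code from this PR or the provider: a self-contained Go sketch of the precedence the description lays out (machine identity, then service token, then the CLI keyring entry for INFISICAL_USER_PROFILE), which also shows the failure mode raised in review, namely that the user-profile path must not be gated on a machine-identity client ID/secret. The AuthStrategy names, AuthInputs, KeyringLookup and ErrUnsupportedPlatform are all assumed stand-ins for the provider's own types and for keyring.ErrUnsupportedPlatform.

```go
package main
import (
	"errors"
	"fmt"
)
// AuthStrategy mirrors the strategies discussed in the PR; the names are stand-ins, not the provider's enum.
type AuthStrategy string
const (
	UniversalMachineIdentity AuthStrategy = "UNIVERSAL_MACHINE_IDENTITY"
	ServiceToken             AuthStrategy = "SERVICE_TOKEN"
	UserProfile              AuthStrategy = "USER_PROFILE"
)
var ErrUnsupportedPlatform = errors.New("keyring: unsupported platform") // stand-in for keyring.ErrUnsupportedPlatform
// AuthInputs is a constructed view of what the provider reads from its config and environment.
type AuthInputs struct {
	ClientID, ClientSecret string // machine identity
	ServiceToken           string
	UserProfile            string // from INFISICAL_USER_PROFILE
}
// KeyringLookup abstracts GetValueInKeyring so the example runs without an OS keyring.
type KeyringLookup func(profile string) (string, error)
// ResolveAuthStrategy applies the PR's precedence: machine identity, then service token, then the CLI
// keyring entry for the named profile. The user-profile path is never gated on a client ID/secret.
func ResolveAuthStrategy(in AuthInputs, lookup KeyringLookup) (AuthStrategy, error) {
	switch {
	case in.ClientID != "" && in.ClientSecret != "":
		return UniversalMachineIdentity, nil
	case in.ServiceToken != "":
		return ServiceToken, nil
	case in.UserProfile == "":
		return "", errors.New("no machine identity, service token or INFISICAL_USER_PROFILE configured")
	}
	if _, err := lookup(in.UserProfile); err != nil {
		if errors.Is(err, ErrUnsupportedPlatform) { // matches wrapped errors too, unlike ==
			return "", errors.New("your OS does not support keyring; use a machine identity instead")
		}
		return "", fmt.Errorf("reading keyring entry for profile %q: %w", in.UserProfile, err)
	}
	return UserProfile, nil
}
func main() { // constructed keyring holding one saved CLI login
	kr := map[string]string{"alice@example.com": "<saved credentials>"}
	lookup := func(p string) (string, error) {
		if v, ok := kr[p]; ok {
			return v, nil
		}
		return "", fmt.Errorf("no keyring entry for %q", p)
	}
	fmt.Println(ResolveAuthStrategy(AuthInputs{UserProfile: "alice@example.com"}, lookup))
}
```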