Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Lock on secrets #24

Open
a-nldisr opened this issue Sep 8, 2022 · 4 comments
Open

Feature: Lock on secrets #24

a-nldisr opened this issue Sep 8, 2022 · 4 comments

Comments

@a-nldisr
Copy link

a-nldisr commented Sep 8, 2022
edited
Loading

Feature request:

In the Doppler interface, you can place locks on secrets, it would be nice to set locks on secrets from the Terraform provider to ensure removing/changing a resource doesn't cause accidental removal.

Example

resource "doppler_secret" "db_password" {
  project = "backend"
  config = "dev"
  name = "DB_PASSWORD"
  value = random_password.db_password.result

  lock = true
}

To be able to remove the resource the lock = true needs to be changed to false
@a-nldisr
Copy link
Author

a-nldisr commented Apr 6, 2023

Update: Locks are not present on secrets directly, they need to be done on branch configs.

@nmanoogian
Copy link
Member

Hey @a-nldisr! Thanks for writing in about this. We've gotten feedback from other users that it would be handy to mark certain secrets as "Terraform managed" so that they can't be modified outside of Terraform. Is this what you're aiming to do?

...it would be nice to set locks on secrets from the Terraform provider to ensure removing/changing a resource doesn't cause accidental removal.

Can you expand on this a bit? I'm not sure if there's a way we could design the provider such that removing or changing a resource doesn't remove the corresponding object in Doppler. Even using locks at the config level, you would still be able to remove the config by unlocking it first.

@a-nldisr
Copy link
Author

a-nldisr commented Apr 6, 2023
edited
Loading

Hi @nmanoogian! Comments would be greatly appreciated, but would like to use the lock:
image

In general when you use this feature in cloud resources, you need to first remove the lock and afterward you can update or delete the secret. We have a few secrets we want to place only in Doppler and nowhere else, and it would be costly if these would be lost due to a terraform mistake.
A workflow would look like:
Remove lock from code > run terraform > adjust config > run terraform > config deleted
Current workflow is:
adjust config > run terraform > config deleted

Lock would give some safety mechanisms on configs which are important.

@nmanoogian
Copy link
Member

Ah, I see! Thank you for walking me through that. The strategy of needing to update the resource twice to perform a deletion makes sense. I'll pass this along to our product team!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@a-nldisr @nmanoogian