vault_token: add pgp_key support #686
Signed-off-by: Yoan Blanc <[email protected]>
The default value being true, it should simply ignore it when gpg is used. Signed-off-by: Yoan Blanc <[email protected]>
This is an interesting PR! We haven't had anything like it before. There's a discussion here about a very similar feature. I'm going to read that through and think about it carefully before I do an initial pass of this PR. Thanks for submitting this!
Hi! I had the opportunity to think about this more, and to pull it down and play with it a little. It's very cool! I could see that it does what it intends, of course, encrypting the client token if you point it at a Keybase public key to use.
I was almost tempted to ask that we do this at the provider level for all sensitive fields. But I think for now we'll just give this a spin here and if it becomes popular, consider moving to that.
Thank you for adding this!
* vault_token: add pgp_key support
  Signed-off-by: Yoan Blanc <[email protected]>
* update vendor
  Signed-off-by: Yoan Blanc <[email protected]>
* fixup! vault_token: add pgp_key support
  Signed-off-by: Yoan Blanc <[email protected]>
* vault_token: conflicts with renewable doesn't work
  The default value being true, it should simply ignore it when gpg is used.
  Signed-off-by: Yoan Blanc <[email protected]>
* token: test and docs
  Signed-off-by: Yoan Blanc <[email protected]>
The goal is to mimic what has been done for Consul, https://github.com/terraform-providers/terraform-provider-consul/blob/master/consul/data_source_consul_acl_token_secret_id.go
Being able to encrypt the client_token via a GPG (public) key would be really helpful for us. Let me know when I should start investing energy into acceptance tests and documentation.
Cheers,