Comments (16)

Etienne-Carriere commented on June 16, 2024 (2)

@Kaelten, I just released the 0.6.0 version. Documentation for the new resource: https://registry.terraform.io/providers/transloadit/transloadit/latest/docs/resources/template_credential

from terraform-provider-transloadit.

kvz commented on June 16, 2024 (1)

Thanks for the context Bryan, that is very helpful. I'll take this up with the team and give you an answer about the api side next week 👌

Kaelten commented on June 16, 2024 (1)

> Hi @Kaelten! We're currently in the process of writing a blog post about this use-case. Is it alright if we quote a few of your points from this issue (and also send you a draft of the blog post before it's released for your review)?

Not a problem at all. Feel free to email it to me, you guys should have my work address on file. :)

Kaelten commented on June 16, 2024 (1)

I'll email you now :)

kvz commented on June 16, 2024

Agreed!

@tim-kos do we have an api endpoint for this already?

kvz commented on June 16, 2024

It seems we do not have Template Credentials support with our API, so that would be the first step before the Terraform provider could be updated to support that as well.

We first need to take a step back and consider if it is even desirable to support automation here. I think it is, but I don't want to risk an oversight on my part.

Just wanted to update you already and let you know this feature request may take some more time.

Kaelten commented on June 16, 2024

> We first need to take a step back and consider if it is even desirable to support automation here. I think it is, but I don't want to risk an oversight on my part.

From where I sit, it absolutely is a desirable action. I've used a similar pattern to handle secrets with other partners as well.

Here's my situation/thoughts:

  • IAM users are a risk and should only be used when there are no other options.
  • IAM access keys are secrets and thus have to be handled carefully.
  • The fewer people who have the ability to see an IAM key the better; fewer rotations needed, etc.
  • Nothing to do with infrastructure should be manual, this breaks ability to move quickly or rebuild in the case of disaster.
  • If it's worth doing, it's worth automating.

Given the above, the general pattern I have is that IAM keys (and other secrets) are generated by terraform and then stored directly where they're needed: places like CI variables and, in this case, our new transloadit templates. To mitigate the risks associated with generating IAM keys in terraform, we have the terraform state set up in a secure and remote place that requires special permissions to gain access to it at all.

However, the current implementation here leaves us with two less-than-ideal choices:

  1. We break our principles around automation and manually create the IAM keys, which then have to get copied over to transloadit's UI by hand. This process itself would increase the number of people who need to have access to the secret as well as force more people to see it. Neither is good.
  2. We inject the secrets into the templates as they're generated in terraform. This preserves automation, but makes anyone who can see the template definition someone who can also see the secrets, as they're stored in plain text. They'd have to go out of their way to see them, but it's still possible.

In our situation, I've sided with number 2 as I'm prioritizing automation and reliability above the likelihood that anyone who would have access to the templates would abuse the keys (least-privilege permission sets also make it unlikely that the keys are abusable).

If we could create and maintain the credentials via terraform/api it'd give us a significantly better balance of concerns. I'd be happy to debate the specifics further if it's of value. :)

> Just wanted to update you already and let you know this feature request may take some more time.

Completely understand, and in the short term I'll continue to use the second option from above. However, as a customer who's looking to move thousands of monthly dollars worth of transcoding jobs over to transloadit and building new features atop the platform, I'll continue to push for a better situation. ;)

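The two choices Kaelten weighs above, laid out side by side in Terraform as an added example; this is not code from the issue thread or from the transloadit provider itself. The AWS resources and the `s3` backend block use real attribute names. The attribute names on `transloadit_template` and `transloadit_template_credential`, the `/s3/store` robot parameters, and every bucket, KMS alias and table name are assumptions or constructed values, so check them against the resource documentation linked earlier in the thread before use.

```hcl
# Added example, not code from the issue thread or the transloadit provider.
# ASSUMED: attribute names on transloadit_template / transloadit_template_credential
# and the /s3/store robot parameters. All bucket, alias and table names are constructed.

terraform {
  required_providers {
    aws         = { source = "hashicorp/aws" }
    transloadit = { source = "transloadit/transloadit", version = ">= 0.6.0" }
  }

  # The generated access-key secret ends up in state under either option,
  # so state lives remotely, encrypted, behind its own access controls.
  backend "s3" {
    bucket         = "example-tfstate"          # constructed
    key            = "transloadit/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "alias/example-tfstate"    # constructed
    dynamodb_table = "example-tfstate-lock"     # constructed
  }
}

# A dedicated machine identity used only by Transloadit.
resource "aws_iam_user" "transloadit" {
  name = "transloadit-uploader"
}

# Least privilege: write-only to one prefix of one bucket. If the key leaks,
# the blast radius is limited to uploading objects under that prefix.
resource "aws_iam_user_policy" "transloadit" {
  name = "transloadit-put-only"
  user = aws_iam_user.transloadit.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:PutObject"]
      Resource = "arn:aws:s3:::example-media-bucket/transloadit/*" # constructed
    }]
  })
}

# The key pair is generated by Terraform and never shown to a person.
# The provider marks .secret as sensitive, but it is still written to state.
resource "aws_iam_access_key" "transloadit" {
  user = aws_iam_user.transloadit.name
}

# Option 2 from the comment above: key and secret are interpolated straight
# into the template JSON, so anyone who can view the template definition in
# the Transloadit UI or API can read the secret.
resource "transloadit_template" "inline_secret" {   # ASSUMED attributes
  name = "export-inline"
  template = jsonencode({
    steps = {
      exported = {
        robot  = "/s3/store"
        use    = ":original"
        bucket = "example-media-bucket"
        key    = aws_iam_access_key.transloadit.id
        secret = aws_iam_access_key.transloadit.secret
      }
    }
  })
}

# With the template_credential resource the secret is written once to a
# credential object and the template only carries a reference to it, so
# viewing the template no longer reveals the key pair.
resource "transloadit_template_credential" "s3" {   # ASSUMED attributes
  name   = "example-media-bucket-creds"
  type   = "s3"
  bucket = "example-media-bucket"
  key    = aws_iam_access_key.transloadit.id
  secret = aws_iam_access_key.transloadit.secret
}

resource "transloadit_template" "by_reference" {    # ASSUMED attributes
  name = "export-by-reference"
  template = jsonencode({
    steps = {
      exported = {
        robot       = "/s3/store"
        use         = ":original"
        credentials = transloadit_template_credential.s3.name
      }
    }
  })
}
```

Under either option `aws_iam_access_key.transloadit.secret` is present in the Terraform state, which is why the remote, encrypted backend with restricted access is the load-bearing control. What the credential resource changes is the audience: the set of people who can read the secret shrinks from "anyone who can view a template" to "whoever can read state or the credential object", and the least-privilege policy bounds what a leaked key could do in the meantime.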
kvz commented on June 16, 2024

Hi Bryan, just to follow up: there is a basic endpoint in our API for the credentials. I played around with it but there are still some pieces missing, as well as internal discussion to be had about the final interface. It will take some more time to get it 💯. I'm thinking weeks, not months, though.

Kaelten commented on June 16, 2024

> Hi Bryan, just to follow up: there is a basic endpoint in our API for the credentials. I played around with it (transloadit/node-sdk#141) but there are still some pieces missing, as well as internal discussion to be had about the final interface. It will take some more time to get it 💯. I'm thinking weeks, not months, though.

Thanks for the update!

kvz commented on June 16, 2024

The desired changes to the API are in CI now. After the green light we can trickle them down into our Go SDK -> Terraform provider plugin releases.

kvz commented on June 16, 2024

The changes to the Credential API are live now, so we can roll this out in the Go SDK.

Acconut commented on June 16, 2024

> we can roll this out in the Go SDK

Will @Etienne-Carriere take this on, as they already started transloadit/go-sdk#32?

Kaelten commented on June 16, 2024

Seems like things are making good progress. Any word on when we'll see this in the provider?

Kaelten commented on June 16, 2024

Was able to adopt it today! Thanks!

Missing-Tech commented on June 16, 2024

Hi @Kaelten! We're currently in the process of writing a blog post about this use-case. Is it alright if we quote a few of your points from this issue (and also send you a draft of the blog post before it's released for your review)?

kvz commented on June 16, 2024

> Not a problem at all. Feel free to email it to me, you guys should have my work address on file. :)

Tried finding you by company name, surname, handle, but no matches 🤷 Also tried twitter, li, & friends, but no dice :) Can you please ping [email protected]?
