Description
What would you like to see?
Hello :)
Recently OpenTofu added support for ephemeral resources (available in Terraform since 1.10), so I am trying to create a subaccount in my storage box for each VM I have created.
Because we can add an SSH key to a storage box subaccount via the API, I generate a random password, store it in my vault, then run a playbook to install and configure borgmatic (using the password stored in Vault).
```hcl
# Look up the existing storage box that will receive the backups
data "hcloud_storage_box" "backup" {
  name = "backup"
}

# One ephemeral password per server: generated at plan/apply time and never written to state
ephemeral "random_password" "backup_password" {
  for_each         = var.incus_servers
  length           = 128
  special          = true
  override_special = "ÄÖÜäöü^°!§$%/()=?+#-.,;:~*@{}_&"
}

# Store the password in Vault through the write-only attribute (data_json_wo),
# so the ephemeral value can be referenced without being persisted in state
resource "vault_kv_secret_v2" "db_root" {
  for_each = var.incus_servers
  mount    = var.vault_kv_engine
  name     = "storage-boxes/${each.key}"
  data_json_wo = jsonencode({
    password = ephemeral.random_password.backup_password[each.key].result
  })
}

# One subaccount per server; the "password" attribute is a regular (non-write-only)
# attribute, which is what triggers the error below
resource "hcloud_storage_box_subaccount" "team_badger" {
  for_each       = var.incus_servers
  storage_box_id = data.hcloud_storage_box.backup.id
  description    = each.key
  home_directory = "borg/${each.key}"
  password       = ephemeral.random_password.backup_password[each.key].result

  access_settings = {
    reachable_externally = true
    ssh_enabled          = true
  }

  labels = {
    env  = "production"
    tool = "terraform"
  }
}
```

But Terraform gives this error:
Attribute ".password" is referencing an ephemeral value but ephemeral values can be referenced only by other ephemeral attributes or by write-only ones.
The Vault provider (for example) adds an attribute named data_json_wo instead of data_json, which is write-only and does not log the password anywhere.
So I think that, for a fully and securely automated setup, a password_wo attribute would be amazing!
Thanks :)
Have a nice day
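What the requested attribute could look like in use, as an added sketch that is not code from the issue or from the hcloud provider. It assumes a `password_wo` argument together with a companion `password_wo_version`, following the convention Terraform providers use for write-only arguments (the Vault provider's `data_json_wo` / `data_json_wo_version` pair is real; the two hcloud names are hypothetical and do not exist in the provider at the time of this issue). The point it adds beyond the issue's configuration is that the ephemeral password only reaches Vault and the subaccount in the same apply if both write-only attributes are driven by one shared version value.

```hcl
# Bump this number to rotate every subaccount password and its Vault copy together.
# Constructed for this example; not part of the original issue.
variable "backup_password_version" {
  type    = number
  default = 1
}

data "hcloud_storage_box" "backup" {
  name = "backup"
}

# Regenerated on every plan/apply and never stored in state or plan files.
ephemeral "random_password" "backup_password" {
  for_each         = var.incus_servers
  length           = 128
  special          = true
  override_special = "ÄÖÜäöü^°!§$%/()=?+#-.,;:~*@{}_&"
}

# Vault provider (real attributes): data_json_wo is accepted because it is write-only;
# the provider only writes a new secret version when data_json_wo_version changes.
resource "vault_kv_secret_v2" "backup" {
  for_each = var.incus_servers
  mount    = var.vault_kv_engine
  name     = "storage-boxes/${each.key}"
  data_json_wo = jsonencode({
    password = ephemeral.random_password.backup_password[each.key].result
  })
  data_json_wo_version = var.backup_password_version
}

# HYPOTHETICAL: password_wo and password_wo_version are the attributes this issue asks for.
# They mirror the Vault convention above so the same rotation trigger drives both resources.
resource "hcloud_storage_box_subaccount" "backup" {
  for_each       = var.incus_servers
  storage_box_id = data.hcloud_storage_box.backup.id
  description    = each.key
  home_directory = "borg/${each.key}"

  password_wo         = ephemeral.random_password.backup_password[each.key].result
  password_wo_version = var.backup_password_version

  access_settings = {
    reachable_externally = true
    ssh_enabled          = true
  }

  labels = {
    env  = "production"
    tool = "terraform"
  }
}
```

Terraform hands a write-only value to the provider on every apply but never records it in state, so the provider cannot diff it; the `_wo_version` attribute (a normal, state-tracked value) is the provider-side signal to act on the new value. Driving both `data_json_wo_version` and the hypothetical `password_wo_version` from the single `backup_password_version` variable means a rotation updates Vault and the subaccount in one run with the same generated password, instead of one side drifting because its version was bumped and the other was not.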