Handling secrets

[kaihendry]

Say I have something like:

amends "TerraformConfig.pkl"
terraform_version = "1"

terraform {
  ssm_parameters {
    new {
      name = "/my-app/api-key"
      description = "API key for a third-party service"
      type = "SecureString"
      value = "kensentme"
      tags {
        ["project"] = "my-app"
      }
    }
  }
}

How do I best handle that secret value? Ideally it could be populated maybe via a Github workflow, e.g. ${{ secrets.api-key }}, but I am not sure how to interpolate that in a pkl workflow. Any suggestions please?

[HT154]

The simple way to do this is to read the value from the environment or an external property:

myProp = read("prop:apikey")
myEnv = read("env:APIKEY")

A more complex (but more secure) way to do this is using an external reader to directly connect to some secret store without potentially exposing secrets via CLI args or the environment.

[kaihendry]

Thanks, I ended up implementing a Pkl to Terraform POC https://github.com/kaihendry/terraform-config