Description
Follow up of PR #11, regarding storing the passwords of the User resource in the state and a good solution for storing in repositories:
We're getting an unencrypted string from the HCL. we're then storing it marked sensitive in state which means it won't be visible when the user runs plan/apply but will be stored unencrypted. TF's solution is to use a backend for state that encrypts at rest
https://developer.hashicorp.com/terraform/plugin/best-practices/sensitive-state
which is fine for state but doesn't solve the issue that it is sitting in unencrypted HCL in the repo.
what I'd like to do is use some tool ex: kubeseal to allow the user to encrypt the data in HCL, then provide the decrypt key to us in an env var during a run. if that var is set we use it to decrypt and send to the API. otherwise, we assume it is unencrypted and sent as is.