Support saltpack for encrypted secrets #31659

Closed
chrs-myrs opened this issue Aug 18, 2022 · 2 comments
Labels
enhancement, new (new issue not yet triaged)

Comments

@chrs-myrs

Current Terraform Version

Terraform v1.2.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v3.75.2
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/random v3.3.2
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/tls v4.0.1

Use-cases

Currently certain passwords can be PGP encrypted using a key or keybase username. The keybase username is a great solution, however it outputs a base64 encoded secret, which the Keybase UI is usable to decode. Trying to share database passwords with non-developer users is rather painful at present.

Attempted Solutions

We can decode using the terminal, but this is not helpful for sharing secrets with less technical users, especially as base64 decoding under Windows is not trivial.

Proposal

Allow encoding of passwords into saltpack, which is the PGP message format that Keybase uses natively. This would allow a user with no CLI knowledge to decrypt a password using the Keybase UI.

References

https://saltpack.org/
#31045

@chrs-myrs added the enhancement and new (new issue not yet triaged) labels Aug 18, 2022
@apparentlymart
Contributor

Hi @chrs-myrs!

I think you're describing a behavior used by some providers, which Terraform Core (the codebase in this repository) is not directly involved with. Specifically, I think you're talking about the design pattern which seems to be documented only in a recommendation to not use it for new designs in the plugin SDK documentation. 🤔

Since this is a provider behavior rather than a Terraform Core behavior, I would normally suggest opening an issue in the relevant provider's own repository to discuss it, but of course with that recommendation against using this pattern in new designs the developers of that provider probably consider the features you are relying on to be deprecated or otherwise legacy and so may not wish to invest in them further. 😖 Still, it can't hurt to share your use-case and see if the provider developers have ideas for other ways to solve it!

Because we use issues in this repository only to represent changes to Terraform CLI and Terraform Core, I'm going to close this issue. Thanks for raising it, nonetheless!

(The SDK documentation I linked to also contains a link to an issue elsewhere in this repository tracking the possibility of somehow storing sensitive values differently in the Terraform state as a core feature. So far there hasn't been a design for that which thoroughly addresses the problem without breaking the main Terraform workflow, and so that issue is mainly for collecting feedback and new design ideas right now.)

@apparentlymart closed this as not planned Aug 22, 2022
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2022