Exclude *.tfvars files #3452
Merged
Exclude *.tfvars files #3452
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I have no horse in this race, but I'll ask for feedback from the people who were involved with #2650 to see if they agree with the changes proposed... |
|
@kevincloud You really don't want to put sensitive values in any TF file, vars or otherwise. Those values should come from environment variables. |
|
Hi @jkodroff, I'm a Sr. Solutions Engineer at HashiCorp. Our official stance is that tfvars files should never be put into VCS. Users are given the choice of using tfvars files, environment variables, etc, and there are many valid reasons why users need to use tfvars files for secrets as opposed to environment variables. Environment variables actually take the lowest precendence for Terraform values. |
|
Ok. That's good enough for me.
…On Mon, Jul 6, 2020 at 3:21 PM Kevin Cochran ***@***.***> wrote:
Hi @jkodroff <https://github.com/jkodroff>, I'm a Sr. Solutions Engineer
at HashiCorp. Our official stance
<https://www.terraform.io/docs/cloud/workspaces/variables.html#terraform-variables>
is that tfvars files should never be put into VCS. Users are given the
choice of using tfvars files, environment variables, etc, and there are
many valid reasons why users need to use tfvars files for secrets as
opposed to environment variables. Environment variables actually take the lowest
precendence
<https://www.terraform.io/docs/configuration/variables.html#variable-definition-precedence>
for Terraform values.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3452 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AADEH5SMM5TPUUERZ4NERW3R2IP47ANCNFSM4OHZOAVA>
.
|
shiftkey
approved these changes
Jul 7, 2020
There was a problem hiding this comment.
Thanks for the contribution @kevincloud and the discussion @jkodroff!
|
Please note that the advice @kevincloud linked to is specifically for Terraform Cloud/Enterprise and does not apply to folks using Terraform CLI directly. What I said in my previous comment still holds for the general case. It's a shame that the Terraform Cloud documentation is making assertions about usage of Terraform outside of Terraform Cloud. In particular, my previous comment mentioned "if a particular user knows that |
|
@shiftkey Oh no! Now I'm back on the fence! (@apparentlymart writes a lot of Terraform and I would not take his opinion lightly.) |
|
Hi @apparentlymart, @jkodroff! Actually, if you read the reference for our official stance, the very last sentence in that section specifically calls out:
This is how we train our customers in our OSS workshops. As I mentioned before, the
|
ANRCorleone
pushed a commit
to ANRCorleone/gitignore
that referenced
this pull request
Jul 24, 2020
* Update Node.gitignore (github#3264) * Added gitignore for GNOME Extension (github#3268) * [Unity] Fix ignore Jetbrains plugin folder (github#3266) Add missing slash to make pattern accurate, since the JetBrains folder is always relative to root assets folder. * added Coverlet result files as a Code Coverage Tool (github#3252) * Ignore files inside `.vscode-test` (github#3256) * Ignore files inside `.vscode-test` [vscode-test](https://github.com/microsoft/vscode-test) is a testing framework for vscode extensions. Inside the `vscode-test` folder are stored one or more versions of vscode, which are used for testing a vscode extension. * Update Node.gitignore * Added a comment why MemoryCaptures get excluded (github#3276) * Update Autotools.gitignore (github#3271) * TeX: Ignore REVTeX generated Notes.bib files (github#3286) * [Godot] Ignore imported translations (github#3269) The Godot editor automatically creates those binary files from translations in CSV format. There's no need to add them to version control. * Update PureScript adding .spago (github#3278) * [Global/Eclipse] Make .project opt-in (github#3305) The project description file. * Ignore .pytype/ directory (github#3301) pytype is a static type analyzer for Python code; it generates files of inferred type information, located by default in .pytype/pyi. * Update Unity.gitignore (github#3297) Unity 2020 introduces a new "UserSettings" top-level project folder. See https://forum.unity.com/threads/whats-the-usersettings-directory.754436/ for more information. * Update concrete5 gitignore (github#3176) * [Python] .python-version should NOT be ignored (github#3274) * Add Umbraco V8 packages folder location (github#3302) In Umbraco v8 we have a new packages folder located under Umbraco/views/packages/... This gets ignored by the current version. Adding this new line prevents this and includes all files and subfolders under this new location. * add alternative sftp settings file (github#3006) * add alternative sftp settings file * update for possible multiple alt* numbered files * add in global metals (github#3296) * Add snowpack dependency directory (github#3315) * Add `cover/` to Python.gitignore. (github#3310) * Changes the name of Perl 6 to Raku (github#3312) Since October 2019, Raku is the name of the language formerly known as Perl 6. This reflects the change. It's the same language, so changes are mostly cosmetic. * Add ignore to umbraco folder (github#3307) Add ignore to umbraco folder as it will be added by Install-Package UmbracoCms or updated by Update-Package UmbracoCms * Remote typings ignore from node gitignore (github#3319) Similar to github#2608, it's the defacto tsc way now for adding typings locally. * Changed TeX to not ignore tikz files by default. (github#3320) * Include Rider as a supported IDE (github#3323) AS far as I can tell this .gitignore also applies to Rider. Looking at the somewhat official .gitignore for Rider [here](https://github.com/JetBrains/resharper-rider-samples/blob/master/.gitignore), it seems compatible. * Add period. (github#3336) * Update for Prestashop 1.7 (github#3261) * Jigsaw (github#3334) * update parcel cache (github#3331) * Update Drupal.gitignore (github#3329) * Add /public/uploads for file upload gem Shrine (github#3333) When using a file upload gem called Shrine, its file system mode put images under `public/uploads`. https://github.com/shrinerb/shrine/blob/053bcf297e092e9695731fb9b67a86780e898203/doc/storage/file_system.md * Ignore Cython debug symbols (github#3330) Cython extension modules built with `gdb_debug=True` spit out debug symbols in the `cython_debug` directory at the top level of the project. The files in this directory contain hardcoded paths and are not shareable/meaningful across environments, so I think it makes sense to include them in a default Python .gitignore. * Improved JENKINS_HOME example (github#3332) After years of use I've come up with some improvements to the `JENKINS_HOME.gitignore` example. - Major performance improvement: On very large Jenkins installations that have been running for more than one year, there tends to be many builds (hundreds of thousands of builds). The `builds` directory of these jobs contain millions of files which would cause Git to hang for several minutes on simple commands like `git status` and longer for committing changes. `strace` was used on Git to figure out the performance impact and this proposed change includes the optimization. I also added a clear comment explaining the line's purpose. - There's an example for how to include Jenkins encryption keys, and there's a disclaimer informing the user why they shouldn't but still giving an example. - Comments have been reworded and slightly reformatted to be a little more clear. * Add Unity's Addressables and Android's temp files. (github#3311) * Added Addressables. Prevent automatically generated addressable files to end up in Git. * Update .gitignore to exclude packed Addressables and Android auto-generated files. * [Node] Add yarn v2 excludes (github#3327) * [VisualStudio] Add rule for ScaffoldingReadMe.txt (github#3328) * Update Autotools.gitignore. (github#3337) Ignore .dirstamp files from automake used for non-existing directory dependencies. * Add Win32/ to gitginore list (github#3308) Visual Studio .Net used Win32/ as one of the default output directories for C and C++ projects. Later, when 64-bit support was added to the toolchain (circa 2005), x64/ was used. The Gitignore files include x64/, but not Win32/. The commit adds support for both Win32/ and x64/. * update README (github#3248) * Extend Qt.gitignore with qmlcache qrc files (github#3322) Projects using QML files generating a temporary qrc file if a qrc file present in the project. * Changes to PyBuilder 0.12+ (github#3338) PyB 0.12 uses `$project_root/.pybuilder/` for internal venvs. * [Python] adding IDE & static related stuff (github#3317) * Update R.gitignore (github#3354) * Ignore Local History folder (github#3008) This will add support for the default location the Local History extension for Visual Studio Code uses. See https://marketplace.visualstudio.com/items?itemName=xyz.local-history * Revert "[Python] adding IDE & static related stuff (github#3317)" (github#3363) This reverts commit e931ef7. * Ignore Terraform CLI configuration files (github#3359) * Ignore AWS Serverless Application Model build folder (github#3357) https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-build.html * Add generated timing files to Coq.gitignore (github#3367) These generated files were added in coq/coq#745 * Remove pip-wheel-metadata/ from Python.gitignore (github#3364) pip generated this folder for a few versions, as part of it's initial implementation of PEP 517. pip has not generated this folder for a few versions now, so it should be OK to remove this from the standard gitignore file. * Ignore Gradle subproject build dir (github#3370) * Add FodyWeavers.xsd to VisualStudio.gitignore (github#3380) * Ignore Next.js `next export` result directory (github#3387) * Dart: Ignore .flutter-plugins (github#3398) Generated files that appear when using 'google_fonts' or other Dart packages designed as Flutter plugins. * Add .yarn/install-state.gz to Node.gitignore (github#3407) After running `yarn set version berry` and `yarn install`, the file `.yarn/install-state.gz` is created. The documentation at https://yarnpkg.com/advanced/qa#which-files-should-be-gitignored mentions that this file should be ignored: > .yarn/install-state.tgz is an optimization file that you shouldn't have to ever commit. It simply stores the exact state of your project so that the next commands can boot without having to resolve your workspaces again. The documentation has a minor error; the generated file is `.gz` instead of `.tgz` (source: https://github.com/yarnpkg/berry/pull/998/files#diff-23dd4c2e823c25186f1107e88e962032R201) * ignore .xwm generated by xwatermark package in TeX (github#3412) * Add *.aab (github#3414) * Fixing target and adding debug to Rust gitignore (github#3436) The problem here was two fold: 1. the folder "/target/" would be top-level of the repo only, it should be "target/" to properly exclude target folders anywhere in the repo 2. the default Rust/Cargo folder when compiling code is "debug/", which gets used perhaps more often that "target/", added that * Fix false positives on Coverage*.cs files (github#3454) I added this .gitignore to a project that included a file named CoverageSearchModel.cs, and the file was wrongly ignored. This change fixes the incorrect use of the range operator on the Coverlet rules. * Update stale heading anchor (github#3445) Co-authored-by: ZhengYuan Loo <[email protected]> * ignore *~ files in the po directory (github#3453) Common IME for `gettext` utilities like `tools::update_pkg_po('.')` to create these temp files (at least on Mac) * ignore HPROF files (github#3456) * Exclude *.tfvars files (github#3452) Co-authored-by: Kevin Cochran <[email protected]> * Remove pointless blank line from the beginning of the Godot file (github#3466) * KiCad: add *.kicad_sch-bak and *.kicad_prl (github#3427) * KiCad: add *.kicad_sch-bak As used by the new file formats for KiCad 6.0 See https://kicad-pcb.org/blog/2020/05/Development-Highlight-New-schematic-and-symbol-library-file-formats-are-now-the-default/ * Add *.kicad_prl to KiCad.gitignore More info: https://forum.kicad.info/t/new-project-file-format/23705 Co-authored-by: anishagg17 <[email protected]> Co-authored-by: Pellegrino Prevete <[email protected]> Co-authored-by: 狂飙 <[email protected]> Co-authored-by: Łukasz Kurzyniec <[email protected]> Co-authored-by: Simon Siefke <[email protected]> Co-authored-by: FritzsHero <[email protected]> Co-authored-by: Leonardo Romor <[email protected]> Co-authored-by: Henri Menke <[email protected]> Co-authored-by: Hugo Locurcio <[email protected]> Co-authored-by: Hideaki KAWAI <[email protected]> Co-authored-by: Douglas Larson <[email protected]> Co-authored-by: Brad Solomon <[email protected]> Co-authored-by: Daniel Heim <[email protected]> Co-authored-by: shahroq <[email protected]> Co-authored-by: Santiago Basulto <[email protected]> Co-authored-by: Michaël Vanbrabandt <[email protected]> Co-authored-by: Gruber <[email protected]> Co-authored-by: Chris Kipp <[email protected]> Co-authored-by: Igor Strebezhev <[email protected]> Co-authored-by: Xuan (Sean) Hu <[email protected]> Co-authored-by: Juan Julián Merelo Guervós <[email protected]> Co-authored-by: bakkiung <[email protected]> Co-authored-by: Jeffrey Priebe <[email protected]> Co-authored-by: Bart Verhagen <[email protected]> Co-authored-by: bitbonk <[email protected]> Co-authored-by: mr <[email protected]> Co-authored-by: Marouane Hassine <[email protected]> Co-authored-by: Rohan Sakhale <[email protected]> Co-authored-by: A. Said Aslan <[email protected]> Co-authored-by: MetaJuanito Fatas <[email protected]> Co-authored-by: Elijah Shaw-Rutschman <[email protected]> Co-authored-by: Sam Gleske <[email protected]> Co-authored-by: JasperCiti <[email protected]> Co-authored-by: ChiefORZ <[email protected]> Co-authored-by: Patrick Roche <[email protected]> Co-authored-by: Christoph Niethammer <[email protected]> Co-authored-by: Jeffrey Walton <[email protected]> Co-authored-by: jymok12 <[email protected]> Co-authored-by: Miklós Márton <[email protected]> Co-authored-by: Arcadiy Ivanov <[email protected]> Co-authored-by: Meysam <[email protected]> Co-authored-by: Patrick Schratz <[email protected]> Co-authored-by: ofthelit <[email protected]> Co-authored-by: Brendan Forster <[email protected]> Co-authored-by: Loo Zheng Yuan <[email protected]> Co-authored-by: Igor Stepanov <[email protected]> Co-authored-by: Jason Gross <[email protected]> Co-authored-by: Pradyun Gedam <[email protected]> Co-authored-by: Mitchell Skaggs <[email protected]> Co-authored-by: Daniel Chalmers <[email protected]> Co-authored-by: Ted Kesgar <[email protected]> Co-authored-by: Sascha Peilicke <[email protected]> Co-authored-by: Jon Layton <[email protected]> Co-authored-by: Benjamin Buch <[email protected]> Co-authored-by: Hiroto Kobayashi <[email protected]> Co-authored-by: John Stilley <[email protected]> Co-authored-by: Justin Gregory <[email protected]> Co-authored-by: ZhengYuan Loo <[email protected]> Co-authored-by: Michael Chirico <[email protected]> Co-authored-by: Maher Zaidoune <[email protected]> Co-authored-by: Kevin Cochran <[email protected]> Co-authored-by: Kevin Cochran <[email protected]> Co-authored-by: Michael Alexsander <[email protected]> Co-authored-by: Diego Herranz <[email protected]>
harithmanoj
pushed a commit
to harithmanoj/gitignore
that referenced
this pull request
Nov 3, 2020
Co-authored-by: Kevin Cochran <[email protected]>
|
I'm relatively new to this whole space, but I'm using Azure CAF supermodule and you configure it with tfvars, so near enough every file in my repo is a tfvars file. Is this a common pattern in terraform usage? If not, then no problem, but I found it weird when tfvars were gitignored using this gitignore file 🤷🏻 . |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reasons for making this change:
Contrary to the current .gitignore explanation about .tfvars files, these are data points abtracted away from the Terraform variables due to the potentially sensitive nature of the values. For example, AWS, Azure, and GCP credentials are oftentimes assigned in the .tfvars files. I personally have had my credentials exposed several times due to the oversight of not excluding the .tfvars files in this particular .gitignore file.
The values in .tfvars files are, by nature, personal to the individual running the script. Data points such as these should not be included by default. If values are to be checked into version control, the variable definition includes a default attribute.
Links to documentation supporting these rule changes:
https://learn.hashicorp.com/terraform/getting-started/variables.html#from-a-file
https://www.linode.com/docs/applications/configuration-management/terraform/secrets-management-with-terraform/#keeping-secrets-out-of-tf-files
https://secrethub.io/blog/secret-management-for-terraform/#secrets-in-tfvars
If this is a new template:
Not new, just a slight but important change