Terraform integration to manage project's API keys
Hello team,
we're still missing the capability to create project API keys via terraform and have to deal with some python scripts to automatically provision new keys in a dynamic way (when new projects come up).
I know this question has already been asked and your idea is to use Vault, but probably it's not a good idea to install this heavy tool for a single application... and we can't use Vault in a dynamic way because the 'MongoDB Atlas Secret Engine' is not available via the terraform provider.
Please consider adding the possibility of creating API keys via terraform and let us decide whether it's a security risk to keep them in the state file.
-
AdminZuhair (Admin, MongoDB) commented
Thanks M for feedback, have you considered instead leveraging our integration with HashiCorp Vault to more securely store API Keys? https://www.mongodb.com/atlas/hashicorp-vault
-
M commented
This is a great feature, but the fact that it keeps the creds in plaintext in the statefile makes it unusable for me.
It would be good to have a switch in this resource where we can choose to have terraform record the private key or just record the public key and key-id.
Even if I had a datasource to just find and return the key-id of a key that was manually created, that would be helpful.
-
AdminZuhair (Admin, MongoDB) commented
Hello All, the Terraform MongoDB Atlas Provider v1.8.0 release is now in GA! Key new features include Programmatic API Keys (PAK) support as requested. In addition, we made several key bug fixes, doc updates, and deprecations; see the CHANGELOG for full details as well as potential security concerns while using this feature. Feel free to test it out and let us know how you like it! Thanks again for sharing valued feedback.
-
AdminZuhair (Admin, MongoDB) commented
Hi Julien, this item is Planned and on our roadmap. We should have an update for you over the next few months. Thank you.
-
Julien commented
Hi,
any news on this feature request?
-
Diogo commented
Hello, this is a feature we also need at my company.
We have a "vending machine"-like way to provide projects and API Keys for customers to use, and we want to use only Terraform and then our own secret manager (like GCP Secret Manager) and provide the specific IAM roles.
-
AdminZuhair (Admin, MongoDB) commented
Thank you all for the feedback. This is now planned and on our roadmap. However, I wanted to highlight that we have two secret engines for Vault, one to generate API keys and one to generate DB users. This securely stores and transmits those keys and is the recommended approach to secrets management. Creating additional API keys in the future via the Terraform provider means potentially mission-critical secrets for your organization will be available in the .tfstate file (this is stored as human-readable visible text), so this use case should be limited/rare/well documented. See additional details here and happy to chat more as needed on this one.
-
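The state-file exposure described in the admin's comment above can at least be checked for on the operator's side. As an added example (not code from this thread or from the Atlas provider), the following Python script walks a constructed tfstate document and flags attributes whose names indicate a stored secret; the resource type and attribute names in the sample are illustrative assumptions, not the provider's real schema.

```python
import json

# Constructed sample tfstate (Terraform state format version 4). The API key
# resource type and its attribute names are hypothetical, chosen only to show
# a private key that has landed in state in plaintext.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "resources": [
        {
            "type": "mongodbatlas_project",
            "name": "app",
            "instances": [{"attributes": {"id": "proj-example", "name": "app"}}],
        },
        {
            "type": "example_project_api_key",
            "name": "ci",
            "instances": [{"attributes": {
                "public_key": "abcdefgh",
                "private_key": "11111111-2222-3333-4444-555555555555",
                "role_names": ["GROUP_READ_ONLY"],
            }}],
        },
    ],
})

# Attribute names that should never be present with a non-empty value in a
# state file that is stored or shared without encryption.
SENSITIVE_KEYS = {"private_key", "password", "secret", "token"}


def _walk(value, path, findings):
    """Recursively visit dicts/lists, recording paths to sensitive attributes."""
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS and child:
                findings.append(child_path)
            _walk(child, child_path, findings)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            _walk(child, f"{path}[{index}]", findings)


def find_secrets(tfstate_json):
    """Return attribute paths (type.name.attr) that expose secrets in state."""
    state = json.loads(tfstate_json)
    findings = []
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            _walk(inst.get("attributes", {}), f"{res['type']}.{res['name']}", findings)
    return findings


if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_TFSTATE):
        print(f"plaintext secret in state: {finding}")
```

Running it against a real state file means replacing `SAMPLE_TFSTATE` with the file's contents; a non-empty result is a signal to move the key into a secret manager and treat the state backend as sensitive.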
Sébastien Féré commented
Hello dear Mongo team!
More or less the same comment as the other guys in the community.
Hashicorp Vault becomes a de facto standard in the industry.
However, people may need to use API keys in the context of Cloud providers. Those platforms offer managed secret management services such as the GCP Secret Manager.
Could you please consider exposing the API Key endpoint as part of the already great Terraform module?
Is it something you have in your roadmap? Cheers!
-
Julien commented
Hi,
I agree on the need for this feature.
First, don't get me wrong, I am a happy customer using MongoDB Atlas on Cloud and I find this terraform provider really well engineered and useful.
I understand that using Hashicorp Vault may be a good practice to manage API Keys.
But in the terraform provider, MongoDB deliberately chooses to obfuscate a feature that is available in the public API (groups api keys) and forces customers to use an external tool such as Hashicorp Vault.
Vault is not used by every team on the planet and deploying it for managing MongoDB Project API Keys can have many more implications (other Vault solutions, ...).
I am not sure I get where MongoDB is trying to drive its customers by gently forcing them to use Hashicorp Vault.
I am convinced that it should be a deliberate choice by customers whether or not to use a Vault for managing API Keys. Without this feature we have to manually create API Keys or automate their creation through a tool other than terraform or use a 3rd party terraform provider :-/
references:
https://github.com/mongodb/terraform-provider-mongodbatlas/issues/433