Mount Azure FileShare using terraform
Problem
What is a good way to mount an Azure File Storage automatically during provisioning on VMs?
There is a Microsoft doc describing how a file share can be mounted in general. This requires that Azure CLI is installed and a user is logged in.
As an alternative, I have created a working setup using terraform, running on localhost:
First, the existing storage account needs to be defined:

data "azurerm_storage_account" "storage-account" {
  name                = "storageaccount"
  resource_group_name = "RG-storage-account"
}

When a VM is provisioned, the share is mounted by a remote execution provisioner:

resource "azurerm_virtual_machine" "vm" {
  # ...
  # stuff
  provisioner "remote-exec" {
    inline = [
      "sudo mkdir -p /mnt/${data.azurerm_storage_account.storage-account.name}/share",
      "sudo mount -t cifs //${data.azurerm_storage_account.storage-account.name}.file.core.windows.net/share /mnt/${data.azurerm_storage_account.storage-account.name}/share -o vers=3.0,dir_mode=0755,file_mode=0755,serverino,username=${data.azurerm_storage_account.storage-account.name},password=${data.azurerm_storage_account.storage-account.primary_access_key}",
    ]
  }
}

Similarly, it is also possible to inject the mount into /etc/fstab, also by using cloud-init. However, after applying, the key (accessed as primary_access_key) remains in the terraform state. Is this considered safe? Is there a way to delete the key from the state? Also, when using cloud-init, the key will remain in the custom data of the VM. Is there another safe way to mount data on the VM without storing the keys?
Solution
Recently I've read a good book about Terraform that I think answers your question (Terraform: Up & Running, 2nd edition; ISBN-13: 978-1492046905, ISBN-10: 1492046906).
Basically it says that all data in the Terraform state file is stored in plain text, including sensitive data. The author says that at the time of writing (May 2019) there is no real solution for this, only workarounds like encryption and IAM to control user access based on policies (the book talks about AWS, so you have to find the Azure equivalent and prevent unauthorized access to the state file).
You can find more details in Chapter 3, pages 78 and 79. There is also an open issue on GitHub about this: https://github.com/hashicorp/terraform/issues/516.
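The mount in the question puts the storage key on the mount command line (visible in the process list and shell history) and, through the remote-exec provisioner or cloud-init custom data, into Terraform state, which the answer points out is plain text. The following is an added example, not code from the question, the answer or the book: the VM fetches the key itself at boot from Azure Key Vault using its system-assigned managed identity, so the key never passes through Terraform or custom data, and the share is mounted through a root-only mount.cifs credentials file rather than a password= option. It assumes a Key Vault secret holding the storage key, a managed identity on the VM with "get" permission on that secret, and curl on the VM; the vault name, secret name, share name and credentials directory are placeholders, and the Instance Metadata Service and Key Vault REST endpoints are stated from my own knowledge of those APIs, not from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the question or the answer): mount an Azure file
# share at boot without passing the storage key through Terraform state or
# cloud-init custom data. The VM's managed identity fetches the key from
# Azure Key Vault at runtime (assumed: the identity has "get" on the secret).
# The key is written to a root-only credentials file, so it appears neither in
# `ps` output nor in the world-readable /etc/fstab.
set -eu

# Hypothetical names; replace with the vault, secret and share you use.
VAULT_NAME="${VAULT_NAME:-kv-storage-keys}"
SECRET_NAME="${SECRET_NAME:-storageaccount-key}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-storageaccount}"
SHARE_NAME="${SHARE_NAME:-share}"
CRED_DIR="${CRED_DIR:-/etc/smbcredentials}"

# Obtain a Key Vault access token from the Azure Instance Metadata Service.
# Only reachable from inside an Azure VM; the tests never call this.
imds_token() {
  curl -sf -H 'Metadata: true' \
    'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Read the storage key from Key Vault; it exists only in memory on the VM.
# (Storage keys are base64, so the naive JSON extraction below is safe.)
fetch_storage_key() {
  local token
  token="$(imds_token)"
  curl -sf -H "Authorization: Bearer ${token}" \
    "https://${VAULT_NAME}.vault.azure.net/secrets/${SECRET_NAME}?api-version=7.4" \
    | sed -n 's/.*"value":"\([^"]*\)".*/\1/p'
}

# Write a mount.cifs credentials file readable only by root (mode 0600).
# Usage: write_cifs_credentials <file> <account> <key>
write_cifs_credentials() {
  local file="$1" account="$2" key="$3"
  mkdir -p "$(dirname "$file")"
  chmod 700 "$(dirname "$file")"
  # umask in a subshell so the file is never momentarily world-readable
  ( umask 077; printf 'username=%s\npassword=%s\n' "$account" "$key" > "$file" )
  chmod 600 "$file"
}

# Build the fstab line; the secret lives in the credentials file, not here.
# Usage: cifs_fstab_line <account> <share> <mountpoint> <credfile>
cifs_fstab_line() {
  local account="$1" share="$2" mountpoint="$3" credfile="$4"
  printf '//%s.file.core.windows.net/%s %s cifs nofail,vers=3.0,credentials=%s,dir_mode=0755,file_mode=0755,serverino 0 0\n' \
    "$account" "$share" "$mountpoint" "$credfile"
}

# Full procedure, meant to run as root from cloud-init runcmd or a custom
# script extension. It only runs when the script is invoked with "install",
# so the functions above can be sourced and tested without touching the host.
install_mount() {
  local mountpoint="/mnt/${STORAGE_ACCOUNT}/${SHARE_NAME}"
  local credfile="${CRED_DIR}/${STORAGE_ACCOUNT}.cred"
  local key
  key="$(fetch_storage_key)"
  [ -n "$key" ] || { echo "could not read storage key from Key Vault" >&2; return 1; }
  write_cifs_credentials "$credfile" "$STORAGE_ACCOUNT" "$key"
  mkdir -p "$mountpoint"
  # Append the fstab entry only once so re-running the script stays idempotent.
  grep -qF "credentials=${credfile}" /etc/fstab \
    || cifs_fstab_line "$STORAGE_ACCOUNT" "$SHARE_NAME" "$mountpoint" "$credfile" >> /etc/fstab
  mount -a
}

case "${1:-}" in
  install) install_mount ;;
esac
```

With this layout, Terraform only needs to know non-secret names (storage account, vault, secret) and the VM's identity assignment, so nothing sensitive lands in the state or in custom data; what remains to protect is the Key Vault access policy and the root-only credentials file on the VM. The script is invoked as `./mount-share.sh install` from cloud-init.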
Context
StackExchange DevOps Q#10741, answer score: 2