mirror of https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
79735f2d45
This change passes user secrets from coderd to the Terraform process at workspace build time so the `data.coder_secret` data source in terraform-provider-coder can resolve values at plan time. Secrets traverse two proto hops: `provisionerdserver` fetches them via `ListUserSecretsWithValues`, attaches them to `AcquiredJob.WorkspaceBuild.user_secrets` on `provisionerd.proto`; `runner.go` forwards into `PlanRequest.user_secrets` on `provisioner.proto`; the Terraform provisioner encodes each as `CODER_SECRET_ENV_<name>` or `CODER_SECRET_FILE_<hex(path)>` before invoking `terraform plan`. Only plan requests carry secrets; apply runs with `nil` because values are baked into plan state. Fetch is gated on a workspace transitioning to start. Stop and delete transitions never carry secrets, so revoking or deleting a stored secret cannot make a workspace unstoppable. DB errors on the fetch fail the job outright rather than silently continuing with an empty secret set. Note that user secrets will be stored in the workspace_builds table in provisioner_state with other Terraform state (including other sensitive data).
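As an added illustration of the behaviour the commit message describes (this is not code from coder/coder or from this commit), the Go program below models the three rules in a self-contained way: the env-variable naming scheme `CODER_SECRET_ENV_<name>` / `CODER_SECRET_FILE_<hex(path)>`, the fetch gate that only consults the secret store for a start transition and fails the build on a store error, and the plan/apply split where apply receives no secrets. The `UserSecret` type, the function names, the transition constants and the sample secrets are all assumptions made for the example; the real proto messages and database calls are not reproduced.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// UserSecret is a hypothetical stand-in for the secret record the commit
// describes; the real proto message is not reproduced here. Exactly one of
// EnvName or FilePath is expected to be set.
type UserSecret struct {
	Name     string // display name of the stored secret
	EnvName  string // expose to Terraform as CODER_SECRET_ENV_<EnvName>
	FilePath string // expose to Terraform as CODER_SECRET_FILE_<hex(FilePath)>
	Value    string // the secret value itself
}

// Build transitions as the commit describes them; only "start" fetches secrets.
const (
	TransitionStart  = "start"
	TransitionStop   = "stop"
	TransitionDelete = "delete"
)

// envKey derives the environment variable name under which data.coder_secret
// can find the value. File paths are hex-encoded so that characters such as
// "/" and "." never appear in an environment variable name.
func envKey(s UserSecret) (string, error) {
	switch {
	case s.EnvName != "" && s.FilePath != "":
		return "", fmt.Errorf("secret %q sets both env name and file path", s.Name)
	case s.EnvName != "":
		return "CODER_SECRET_ENV_" + s.EnvName, nil
	case s.FilePath != "":
		return "CODER_SECRET_FILE_" + hex.EncodeToString([]byte(s.FilePath)), nil
	default:
		return "", fmt.Errorf("secret %q has neither env name nor file path", s.Name)
	}
}

// fetchForBuild models the gate in the commit: stop and delete builds never
// consult the secret store, so a revoked secret cannot block them; a start
// build does, and any store error fails the job instead of yielding an empty set.
func fetchForBuild(transition string, list func() ([]UserSecret, error)) ([]UserSecret, error) {
	if transition != TransitionStart {
		return nil, nil
	}
	secrets, err := list()
	if err != nil {
		return nil, fmt.Errorf("fetch user secrets: %w", err)
	}
	return secrets, nil
}

// planEnv renders the KEY=value pairs handed to `terraform plan`. Apply
// requests carry no secrets (values are already in plan state), so callers
// pass nil for them and get an empty environment back.
func planEnv(secrets []UserSecret) ([]string, error) {
	env := make([]string, 0, len(secrets))
	for _, s := range secrets {
		key, err := envKey(s)
		if err != nil {
			return nil, err
		}
		env = append(env, key+"="+s.Value)
	}
	sort.Strings(env) // deterministic ordering helps when comparing provisioner runs
	return env, nil
}

func main() {
	// Constructed sample secrets for the demo; not real values.
	store := func() ([]UserSecret, error) {
		return []UserSecret{
			{Name: "api-token", EnvName: "API_TOKEN", Value: "constructed-token"},
			{Name: "client-cert", FilePath: "/tmp/cert.pem", Value: "constructed-pem"},
		}, nil
	}
	for _, tr := range []string{TransitionStart, TransitionStop, TransitionDelete} {
		secrets, err := fetchForBuild(tr, store)
		if err != nil {
			fmt.Println(tr, "failed:", err)
			continue
		}
		env, _ := planEnv(secrets)
		fmt.Printf("%-6s -> %d env entries\n", tr, len(env))
		for _, e := range env {
			// Log only the variable name; secret values never belong in logs.
			fmt.Println("  ", strings.SplitN(e, "=", 2)[0])
		}
	}
	// A failing store fails the start build outright rather than continuing with no secrets.
	_, err := fetchForBuild(TransitionStart, func() ([]UserSecret, error) {
		return nil, errors.New("database unavailable")
	})
	fmt.Println("start with failing store:", err)
}
```

Running it prints two variable names for the start transition (one `CODER_SECRET_ENV_` and one `CODER_SECRET_FILE_` entry), zero entries for stop and delete, and an error for the start build whose store call fails; the hex suffix on the file variant is what keeps an arbitrary path usable as an environment variable name.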
31 lines
781 B
Plaintext
[
  {
    "id": "====[workspace build worker ID]=====",
    "organization_id": "===========[first org ID]===========",
    "key_id": "00000000-0000-0000-0000-000000000001",
    "created_at": "====[timestamp]=====",
    "last_seen_at": "====[timestamp]=====",
    "name": "test-daemon",
    "version": "v0.0.0-devel",
    "api_version": "1.17",
    "provisioners": [
      "echo"
    ],
    "tags": {
      "owner": "",
      "scope": "organization"
    },
    "key_name": "built-in",
    "status": "idle",
    "current_job": null,
    "previous_job": {
      "id": "======[workspace build job ID]======",
      "status": "succeeded",
      "template_name": "test-template",
      "template_icon": "",
      "template_display_name": ""
    },
    "organization_name": "Coder"
  }
]