Provide a way to pass secret variables through extra_vars

[rflume-zt]

Hi,

it would be awesome to have the possibility to pass secret variables to the provisioner, that are unknown prior to terraform apply and can thus not be stored in the vault.

In my case I want to create an AWS access key with terraform and pass the key values to the ansible provisioner to use it on the new remote host for the AWS CLI.
Passing it as extra_var will show the secret values in my CI pipeline though.

[radekg]

Hi @rflume-zt, I'm not sure how this can be addressed cleanly. One would probably need to construct a vars file prior to ansible execution and make sure that file resides in a playbook which would be uploaded by the provisioner. Anything else will always show up in an ansible command.

Alternative would be to $(cat extra_vars_file) instead of using extra_vars map. Interesting. A similar approach could be used to handle SSH passwords.