Terraform Version
$ terraform version
Terraform v1.4.4
on linux_amd64
Affected Pages
https://developer.hashicorp.com/terraform/language/settings/backends/pg
What is the docs issue?
The documentation is ambiguous for someone not familiar with psql trying to use environment variables for providing the credentials for the connection string. This is important from a security perspective to protect credentials from being stored in clear text (which is called out appropriately in the documentation, but without an appropriately unambiguous solution.)
The following configuration options or environment variables are supported:
- conn_str - (Required) Postgres connection string; a postgres:// URL
Does this mean:
export conn_str="postgres://user:pass@host/db"
Or:
export TF_VAR_conn_str="postgres://user:pass@host/db"
Obviously, neither of those will work. The first simply isn't a valid environment variable to be read by psql or terraform. The second would allow use of a terraform var, but not make the value accessible during the backend initialization.
This problem was referenced in the issue "Set PG Backend Connection String through an environment variable. #27655" but the author of the issue understandably cancelled his unmerged PR and closed the issue as they had become stale. In fact, a PR for the backend is not needed, only a clarification in the documentation for the pg backend is required.
Proposal
Explicitly mention the correct environment variables to use in place of the user:pass in the connect string.
Instead of:
terraform init -backend-config="conn_str=postgres://user:pass@db.example.com/terraform_backend"
It is recommended to use:
export PGUSER=user
read -s PGPASSWORD
export PGPASSWORD
terraform init -backend-config="conn_str=postgres://db.example.com/terraform_backend"
See Also: Postgres Docs libpq-envars
References
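A pre-flight check for the proposal above, as an added example that is not part of the original issue or of Terraform's documentation: it rejects a `conn_str` that embeds a password and prints the credential-free URL to use alongside `PGUSER`/`PGPASSWORD`. The function names are hypothetical, the sample URL is the placeholder from the issue, and the URL is assumed to have any `/` in the password percent-encoded.

```shell
# Added example: helper names are hypothetical, not Terraform or libpq commands.

# Print the userinfo part ("user" or "user:pass") of a postgres:// URL, if any.
pg_url_userinfo() {
    local rest authority
    rest="${1#*://}"            # drop the scheme
    authority="${rest%%/*}"     # everything up to the first '/'
    case "$authority" in
        *@*) printf '%s\n' "${authority%@*}" ;;   # text before the last '@'
    esac
}

# Print the URL with the userinfo part removed (path and query are kept).
pg_url_strip_userinfo() {
    local scheme rest authority tail
    scheme="${1%%://*}"
    rest="${1#*://}"
    authority="${rest%%/*}"
    tail="${rest#"$authority"}"
    printf '%s://%s%s\n' "$scheme" "${authority##*@}" "$tail"
}

# Succeed (0) only when the URL carries a non-empty password.
pg_url_has_password() {
    case "$(pg_url_userinfo "$1")" in
        *:?*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Guard to run before `terraform init -backend-config="conn_str=..."`.
# The message prints only the stripped URL, never the password.
check_backend_conn_str() {
    if pg_url_has_password "$1"; then
        echo "conn_str embeds a password; set PGUSER/PGPASSWORD and use:" >&2
        echo "  conn_str=$(pg_url_strip_userinfo "$1")" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: the placeholder URL from the issue text.
check_backend_conn_str "postgres://user:pass@db.example.com/terraform_backend" || true
```

Calling `check_backend_conn_str` in a wrapper script or CI step before `terraform init` keeps a credential-bearing URL from reaching the command line in the first place.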