
blindfold function - terraform-provider-f5xc

Encrypts base64-encoded plaintext using F5 Distributed Cloud Secret Management (blindfold).

Returns a sealed secret string suitable for use in blindfold_secret_info.location fields.

Security: The encryption happens locally using the public key fetched from F5XC. The plaintext secret is never transmitted to F5XC during encryption.

```terraform
resource "f5xc_http_loadbalancer" "example" {
  name = "secure-lb"
  tls_parameters {
    private_key {
      blindfold_secret_info {
        location = provider::f5xc::blindfold(
          base64encode(file("${path.module}/private.key")),
          "example-secret-policy",
          "shared"
        )
      }
    }
  }
}
```

~> Note: This function requires Terraform 1.8 or later.

```text
blindfold(plaintext string, policy_name string, namespace string) string
```

1. `plaintext` (String) base64-encoded plaintext to encrypt. Use Terraform's `base64encode()` function for raw strings or file contents. Example: `base64encode(file("private.key"))`
2. `policy_name` (String) Name of the SecretPolicy that controls which clients can decrypt this secret. The policy must exist in the specified namespace before encryption.
3. `namespace` (String) F5XC namespace containing the SecretPolicy. Common values: `shared`, `system`, or your application namespace.

```terraform
# Encrypt a secret string using F5XC blindfold
#
# The blindfold function encrypts base64-encoded plaintext using F5 Distributed
# Cloud Secret Management. The encryption happens locally - your secret is never
# transmitted to F5XC during encryption.

# Example: Encrypt a password for use in origin pool authentication
locals {
  encrypted_password = provider::f5xc::blindfold(
    base64encode("example-secret-password"),
    "production-secrets-policy",
    "shared"
  )
}

# Example: Encrypt a TLS private key from a file
locals {
  encrypted_key = provider::f5xc::blindfold(
    base64encode(file("${path.module}/certs/private.key")),
    "tls-secrets-policy",
    "shared"
  )
}

# Example: Using the encrypted secret in a resource
resource "f5xc_http_loadbalancer" "example" {
  name      = "secure-lb"
  namespace = "production"
  domains   = ["example.com"]
  https_auto_cert {
    tls_config {
      custom_security {
        private_key {
          blindfold_secret_info {
            location = provider::f5xc::blindfold(
              base64encode(file("${path.module}/certs/server.key")),
              "tls-secrets-policy",
              "shared"
            )
          }
        }
      }
    }
  }
}
```
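The examples above read the key from a file in the module directory. The following added example, which is not part of the provider's documentation, shows the same `blindfold` call fed from a `sensitive` input variable instead, so the raw key never sits in the configuration and Terraform redacts it from plan output; only the sealed string reaches the load balancer attribute and the state file. The policy name `tls-secrets-policy`, the namespace `shared`, and the resource attribute path are taken from the page's own example; the variable name and the validation rule are assumptions for illustration.

```hcl
# Added example (not from the provider documentation): supply the private key
# through a sensitive variable rather than a file or a literal in the config.
variable "tls_private_key" {
  description = "PEM-encoded TLS private key (assumed variable name)"
  type        = string
  sensitive   = true # redacted from plan/apply output and CLI display

  validation {
    # Fail early at plan time if the value is not PEM key material;
    # can() turns a regex mismatch into false instead of an error.
    condition     = can(regex("PRIVATE KEY", var.tls_private_key))
    error_message = "tls_private_key must contain a PEM-encoded private key."
  }
}

locals {
  # blindfold expects base64-encoded input, so encode the raw PEM here.
  # Because the argument is sensitive, Terraform marks the result sensitive
  # as well; the sealed value is still safe to store in state because it can
  # only be decrypted by clients allowed by the SecretPolicy.
  sealed_tls_key = provider::f5xc::blindfold(
    base64encode(var.tls_private_key),
    "tls-secrets-policy",
    "shared"
  )
}

resource "f5xc_http_loadbalancer" "from_variable" {
  name      = "secure-lb-from-variable"
  namespace = "production"
  domains   = ["example.com"]
  https_auto_cert {
    tls_config {
      custom_security {
        private_key {
          blindfold_secret_info {
            location = local.sealed_tls_key
          }
        }
      }
    }
  }
}
```

Pass the key at apply time (for example with `TF_VAR_tls_private_key` or a `-var-file` kept outside version control). Since the sealing happens locally with the public key fetched from F5XC, the only artifact that leaves the workstation is the sealed string; the `validation` block ensures a wrong value is rejected before any call is made.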