# blindfold_file function - terraform-provider-f5xc

# function: blindfold_file

Reads a file and encrypts its contents using F5 Distributed Cloud Secret Management (blindfold).

Returns a sealed secret string suitable for use in `blindfold_secret_info.location` fields.

This is a convenience function equivalent to:
```hcl
provider::f5xc::blindfold(base64encode(file(path)), policy_name, namespace)
```

**Security**: The encryption happens locally using the public key fetched from F5XC.
The file contents are **never** transmitted to F5XC during encryption.

## Example

```hcl
resource "f5xc_http_loadbalancer" "example" {
  name = "secure-lb"

  tls_parameters {
    private_key {
      blindfold_secret_info {
        location = provider::f5xc::blindfold_file(
          "${path.module}/certs/private.key",
          "example-secret-policy",
          "shared"
        )
      }
    }
  }
}
```

~> **Note:** This function requires Terraform 1.8 or later.

## Signature

<!-- signature generated by tfplugindocs -->
```text
blindfold_file(path string, policy_name string, namespace string) string
```

## Arguments

<!-- arguments generated by tfplugindocs -->
1. `path` (String) Path to the file to encrypt. Can be absolute or relative to the Terraform working directory.

   Use `${path.module}` for paths relative to the current module.
1. `policy_name` (String) Name of the SecretPolicy that controls which clients can decrypt this secret.

   The policy must exist in the specified namespace before encryption.
1. `namespace` (String) F5XC namespace containing the SecretPolicy.

   Common values: `shared`, `system`, or your application namespace.

## Example Usage

```terraform
# Encrypt a file using F5XC blindfold
#
# The blindfold_file function reads a file and encrypts its contents using F5
# Distributed Cloud Secret Management. This is a convenience function equivalent
# to: provider::f5xc::blindfold(base64encode(file(path)), policy_name, namespace)
#
# The encryption happens locally - file contents are never transmitted to F5XC.

# Example: Encrypt a TLS private key file
resource "f5xc_http_loadbalancer" "secure" {
  name      = "secure-lb"
  namespace = "production"

  domains = ["secure.example.com"]

  https_auto_cert {
    tls_config {
      custom_security {
        private_key {
          blindfold_secret_info {
            location = provider::f5xc::blindfold_file(
              "${path.module}/certs/server.key",
              "tls-secrets-policy",
              "shared"
            )
          }
        }
        certificate {
          certificate_url = "string:///${base64encode(file("${path.module}/certs/server.crt"))}"
        }
      }
    }
  }
}

# Example: Encrypt multiple private key files using for_each
locals {
  certificates = {
    "server" = "${path.module}/certs/server.key"
    "client" = "${path.module}/certs/client.key"
    "ca"     = "${path.module}/certs/ca.key"
  }
}

resource "f5xc_certificate" "certs" {
  for_each  = local.certificates
  name      = each.key
  namespace = "production"

  private_key {
    blindfold_secret_info {
      location = provider::f5xc::blindfold_file(
        each.value,
        "cert-secrets-policy",
        "shared"
      )
    }
  }
}
```

## See Also

- [F5XC Secret Management Documentation](https://docs.cloud.f5.com/docs/how-to/advanced-security/blindfold-your-tls-certificates)