blindfold_file function - terraform-provider-f5xc

Reads a file and encrypts its contents using F5 Distributed Cloud Secret Management (blindfold).

Returns a sealed secret string suitable for use in blindfold_secret_info.location fields.

This is a convenience function equivalent to:

provider::f5xc::blindfold(base64encode(file(path)), policy_name, namespace)

Security: The encryption happens locally using the public key fetched from F5XC. The file contents are never transmitted to F5XC during encryption.

```terraform
resource "f5xc_http_loadbalancer" "example" {
  name = "secure-lb"
  tls_parameters {
    private_key {
      blindfold_secret_info {
        location = provider::f5xc::blindfold_file(
          "${path.module}/certs/private.key",
          "example-secret-policy",
          "shared"
        )
      }
    }
  }
}
```

~> Note: This function requires Terraform 1.8 or later.

blindfold_file(path string, policy_name string, namespace string) string

  1. path (String) Path to the file to encrypt. Can be absolute or relative to the Terraform working directory. Use ${path.module} for paths relative to the current module.

  2. policy_name (String) Name of the SecretPolicy that controls which clients can decrypt this secret. The policy must exist in the specified namespace before encryption.

  3. namespace (String) F5XC namespace containing the SecretPolicy. Common values: shared, system, or your application namespace.

```terraform
# Encrypt a file using F5XC blindfold
#
# The blindfold_file function reads a file and encrypts its contents using F5
# Distributed Cloud Secret Management. This is a convenience function equivalent
# to: provider::f5xc::blindfold(base64encode(file(path)), policy_name, namespace)
#
# The encryption happens locally - file contents are never transmitted to F5XC.

# Example: Encrypt a TLS private key file
resource "f5xc_http_loadbalancer" "secure" {
  name      = "secure-lb"
  namespace = "production"
  domains   = ["secure.example.com"]

  https_auto_cert {
    tls_config {
      custom_security {
        private_key {
          blindfold_secret_info {
            location = provider::f5xc::blindfold_file(
              "${path.module}/certs/server.key",
              "tls-secrets-policy",
              "shared"
            )
          }
        }
        certificate {
          certificate_url = "string:///${base64encode(file("${path.module}/certs/server.crt"))}"
        }
      }
    }
  }
}

# Example: Encrypt multiple certificate files using for_each
locals {
  certificates = {
    "server" = "${path.module}/certs/server.key"
    "client" = "${path.module}/certs/client.key"
    "ca"     = "${path.module}/certs/ca.key"
  }
}

resource "f5xc_certificate" "certs" {
  for_each  = local.certificates
  name      = each.key
  namespace = "production"

  private_key {
    blindfold_secret_info {
      location = provider::f5xc::blindfold_file(
        each.value,
        "cert-secrets-policy",
        "shared"
      )
    }
  }
}
```
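The following configuration is an added example, not part of the provider's documentation: it extends the for_each pattern above to a map of certificate/key pairs, seals only the private key with blindfold_file while passing the public certificate as plain base64, and adds a plan-time precondition so a missing file fails with a clear message. The site names, file paths and the policy name tls-secrets-policy are hypothetical.

```terraform
# Constructed sample input: each site pairs a public certificate with its
# private key; file paths and policy name are hypothetical.
variable "sites" {
  type = map(object({ domain = string, cert = string, key = string }))
  default = {
    www = { domain = "www.example.com", cert = "certs/www.crt", key = "certs/www.key" }
    api = { domain = "api.example.com", cert = "certs/api.crt", key = "certs/api.key" }
  }
}

resource "f5xc_http_loadbalancer" "site" {
  for_each  = var.sites
  name      = "${each.key}-lb"
  namespace = "production"
  domains   = [each.value.domain]

  https_auto_cert {
    tls_config {
      custom_security {
        private_key {
          blindfold_secret_info {
            # Sealed locally with the SecretPolicy's public key, so only
            # the sealed blob (never the plaintext key) reaches F5XC.
            location = provider::f5xc::blindfold_file(
              "${path.module}/${each.value.key}",
              "tls-secrets-policy",
              "shared"
            )
          }
        }
        certificate {
          # The certificate is public material, so plain base64 is sufficient.
          certificate_url = "string:///${base64encode(file("${path.module}/${each.value.cert}"))}"
        }
      }
    }
  }

  lifecycle {
    # Fail at plan time with a clear message rather than a raw file() read error.
    precondition {
      condition     = fileexists("${path.module}/${each.value.key}") && fileexists("${path.module}/${each.value.cert}")
      error_message = "Missing certificate or key file for site ${each.key}."
    }
  }
}
```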