From e054d9b03f6aa39b1f89abd32360bde588a5c7c0 Mon Sep 17 00:00:00 2001 From: John Skiles Skinner Date: Mon, 8 Apr 2024 17:11:20 -0700 Subject: [PATCH] Remove insecure output of creds, adjust README --- terraform/README.md | 38 ++++++++++++++++++++----------------- terraform/bootstrap/main.tf | 4 ---- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 52b4fc168..239865f9c 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -4,6 +4,25 @@ This directory holds the terraform modules for maintaining your complete persist Prerequisite: install the `jq` JSON processor: `brew install jq` +## Retrieving existing bucket credentials + +Assuming [initial setup](#initial-setup) is complete, new developers start here! + +1. Enter the bootstrap module with `cd bootstrap` +1. Run `./import.sh` to pull existing terraform state into the local state +1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials) + +### Use bootstrap credentials + +1. Run `./run.sh show -json`. +1. In the output, locate `access_key_id` and `secret_access_key` within `bucket_credentials`. These values are secret, so, don't share them with anyone or copy them to anywhere online. +1. Add the following to `~/.aws/credentials`: + ``` + [notify-terraform-backend] + aws_access_key_id = + aws_secret_access_key = + ``` + ## Initial setup These instructions were used for deploying the project for the first time, years ago. We should not have to perform these steps again. They are provided here for reference. 
@@ -22,9 +41,9 @@ The bootstrap module is used to create an s3 bucket for later terraform runs to ### Bootstrapping the state storage s3 buckets for the first time -1. Run `terraform init` +1. Within the `bootstrap` directory, run `terraform init` 1. Run `./run.sh plan` to verify that the changes are what you expect -1. Run `./run.sh apply` to set up the bucket and retrieve credentials +1. Run `./run.sh apply` to set up the bucket 1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials) 1. Ensure that `import.sh` includes a line and correct IDs for any resources created 1. Run `./teardown_creds.sh` to remove the space deployer account used to create the s3 bucket @@ -41,21 +60,6 @@ The bootstrap module is used to create an s3 bucket for later terraform runs to 1. Make your changes 1. Continue from step 2 of the boostrapping instructions -### Retrieving existing bucket credentials - -1. Run `./import.sh` to pull existing terraform state into the local state -1. Run `./run.sh show` -1. Follow instructions under `Use bootstrap credentials` - -#### Use bootstrap credentials - -1. Add the following to `~/.aws/credentials` - ``` - [notify-terraform-backend] - aws_access_key_id = - aws_secret_access_key = - ``` - ## SpaceDeployers A [SpaceDeployer](https://cloud.gov/docs/services/cloud-gov-service-account/) account is required to run terraform or diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf index 625cb8093..2394f4ab8 100644 --- a/terraform/bootstrap/main.tf +++ b/terraform/bootstrap/main.tf @@ -14,7 +14,3 @@ resource "cloudfoundry_service_key" "bucket_creds" { name = "${local.s3_service_name}-access" service_instance = module.s3.bucket_id } - -output "bucket_credentials" { - value = cloudfoundry_service_key.bucket_creds.credentials -}
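Review bot: In the first README hunk, step 2 of "Use bootstrap credentials" tells the reader to find `access_key_id` and `secret_access_key` "within `bucket_credentials`", but `bucket_credentials` is the name of the output that this same patch deletes from `terraform/bootstrap/main.tf`; once that output is gone, `./run.sh show -json` will no longer contain a `bucket_credentials` key, and the values will only appear as the `credentials` attribute of the `cloudfoundry_service_key.bucket_creds` resource in the state. Suggest naming the resource address explicitly, e.g. "locate the `cloudfoundry_service_key.bucket_creds` resource and read `access_key_id` and `secret_access_key` from its `credentials` attribute", and since `jq` is already a stated prerequisite at the top of the file, a one-line `jq` filter for that path would save new developers from scrolling through the full state dump.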
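Review bot: The third README hunk leaves the context line "Continue from step 2 of the boostrapping instructions" untouched; since the section it points at is being renumbered by this patch anyway, it would be worth fixing the typo ("bootstrapping") in the same change. Note also that the removed "Retrieving existing bucket credentials" section is re-created near the top of the file with `cd bootstrap` and `show -json` added, so the move is a pure relocation plus those two fixes, which the commit message could say explicitly.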
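Review bot: Deleting `output "bucket_credentials"` in `terraform/bootstrap/main.tf` stops the service key from being echoed to the terminal (and to any CI log) on every `apply`, but the key still lives in the Terraform state, which is exactly what the README's new "These values are secret" warning is about, so the state file and its backend need the same handling as the credentials themselves. An alternative worth considering instead of removing the output entirely is keeping it with `sensitive = true`: Terraform then redacts it in `plan`/`apply` output, while `terraform output -json bucket_credentials` still returns the value on demand, which would give the README a stable retrieval path rather than asking developers to dig the attribute out of `show -json`.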