Secrets Management in Terraform
Effective secrets management is crucial for Terraform security, as infrastructure code often requires sensitive information like passwords, API keys, and certificates. Hardcoding secrets in Terraform files creates severe security risks, yet infrastructure provisioning requires access to these secrets. Modern secrets management approaches balance security with operational requirements.
Environment variables provide a basic improvement over hardcoded secrets but still pose risks. Secrets in environment variables can leak through logs, process listings, or error messages. They also complicate secret rotation and audit trails. While better than hardcoding, environment variables should be considered a stepping stone to more robust secrets management.
HashiCorp Vault integration offers enterprise-grade secrets management for Terraform. The Vault provider enables Terraform to retrieve secrets dynamically during execution, eliminating the need to store secrets in configuration files or environment variables. Vault's audit logging, access controls, and automatic secret rotation provide comprehensive security for sensitive data.
# Secure secrets management with Vault provider
provider "vault" {
  address = "https://vault.example.com:8200"
  # Authentication (token, AppRole, etc.) is taken from the environment or the
  # provider's auth_login block, so no credential is written into this file.
}

data "vault_generic_secret" "database_creds" {
  # For a KV version 2 mount the path must include the "data/" segment
  # (e.g. "secret/data/database/prod"); this form is for a KV version 1 mount.
  path = "secret/database/prod"
}

resource "aws_db_instance" "secure_database" {
  allocated_storage = 20
  engine            = "mysql"
  instance_class    = "db.t3.micro"
  db_name           = "mydatabase" # "name" was removed in AWS provider v5

  # Values read from Vault are marked sensitive, so they are redacted from
  # plan/apply output. They are still written to Terraform state, so the
  # state backend must be encrypted and access-controlled.
  username = data.vault_generic_secret.database_creds.data["username"]
  password = data.vault_generic_secret.database_creds.data["password"]

  # Additional security configurations
  storage_encrypted   = true
  deletion_protection = true
  publicly_accessible = false
}
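A lightweight check for the hardcoding anti-pattern described above, added here as an example and not part of the original article or of Terraform itself: it scans Terraform text for sensitive-looking attributes assigned a quoted string literal, while accepting references such as the Vault data source above or a variable. The keyword list and both sample configurations are constructed for this example.

```python
import re

# Attribute-name fragments that indicate a credential (constructed list, extend as needed).
SENSITIVE_KEYWORDS = ("password", "secret", "token", "private_key", "access_key")

# `attr = value` on a single line; HCL comment lines start with '#', so they never match.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')
# A quoted string literal (with escapes), optionally followed by a trailing comment.
LITERAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"(?:\s*#.*)?$')
# A literal that is only a legacy "${...}" interpolation of a reference is not hardcoded.
INTERP_RE = re.compile(r'\$\{[^}]*\}')


def find_hardcoded_secrets(hcl_text):
    """Return [(line_no, attribute, literal_value)] for sensitive attributes set to a string literal."""
    findings = []
    for lineno, line in enumerate(hcl_text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2)
        if not any(k in attr.lower() for k in SENSITIVE_KEYWORDS):
            continue
        lit = LITERAL_RE.match(value)
        if lit is None:
            continue  # an expression or reference, e.g. data.vault_generic_secret...
        inner = lit.group(1)
        if INTERP_RE.fullmatch(inner):
            continue  # "${var.db_password}": a reference wrapped in quotes
        findings.append((lineno, attr, inner))
    return findings


# Constructed sample: the hardcoded anti-pattern the article warns against.
HARDCODED_TF = '''resource "aws_db_instance" "insecure_database" {
  engine   = "mysql"
  username = "admin"
  password = "Sup3rS3cret!"   # hardcoded secret
}
'''

# Constructed sample mirroring the Vault-backed configuration: references, not literals.
VAULT_TF = '''data "vault_generic_secret" "database_creds" {
  path = "secret/database/prod"
}
resource "aws_db_instance" "secure_database" {
  username = data.vault_generic_secret.database_creds.data["username"]
  password = data.vault_generic_secret.database_creds.data["password"]
}
'''

if __name__ == "__main__":
    for lineno, attr, value in find_hardcoded_secrets(HARDCODED_TF):
        print(f"line {lineno}: {attr} is a hardcoded literal ({len(value)} chars)")
    print("vault-backed findings:", find_hardcoded_secrets(VAULT_TF))
```

Run it over `*.tf` files in a pre-commit hook or CI step; it reports the attribute and line but never echoes the secret value itself.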