Jun 08, 2025

GitOps for secure secrets with Terrateam and Doppler

When you manage infrastructure with GitOps, secrets should follow the same process without weakening security. Terrateam and Doppler make a powerful combination that lets you define how secrets are used in your infrastructure without committing sensitive values to Git. Doppler stores and manages the actual secrets and makes sure they are available wherever they are needed. If a secret is rotated or a change is rolled back, Doppler keeps everything in sync.

Why GitOps for secrets?

GitOps treats secrets as part of your infrastructure-as-code workflow, with your codebase as the single source of truth for how secrets are used, while keeping sensitive values out of the repository. Every change is tracked, reviewed, and applied through pull requests. By using Doppler for secure secret storage and Terrateam for automation, you get the best of both worlds:

  • Secrets stay out of your code repository, improving security practices.
  • Changes are tracked through Git history and pull requests, improving auditability.
  • Doppler propagates secrets across services and environments, improving consistency.
  • Terrateam handles deployment through GitHub Actions, ensuring automation.

This approach works well for secure automation scenarios where code defines everything. With GitOps, changes are visible, reversible, and secure. Doppler ensures that rotating or rolling back secrets does not break dependent services, and developers and DevOps teams can manage secrets alongside infrastructure.

What is Terrateam?

Terrateam automates Terraform workflows using GitOps through GitHub pull requests. When you open a PR, it runs a terraform plan and posts the output for review. Once the PR is approved and merged, it runs terraform apply, making sure changes are reviewed before being applied consistently across environments.

What is Doppler?

Doppler is a SecretOps platform that provides secure storage, management, and distribution of secrets across your infrastructure. It integrates with Terraform to let you reference secrets without exposing their values in your code.

How to use Terrateam and Doppler for secure secret management

Let’s explore three common approaches to managing secrets with Doppler and Terraform in a GitOps workflow:

  • Retrieving existing secrets from Doppler for use in Terraform resources
  • Generating new secrets in Terraform and storing them in Doppler
  • Managing Doppler projects and configurations with dummy values

We’ll start with the basic setup and then explore each approach.

Step 1: Install Terrateam

  • Sign up for Terrateam at terrateam.io.
  • Install the Terrateam GitHub App for your organization, selecting the repository with your Terraform code.
  • Commit .github/workflows/terrateam.yml to your default branch to enable Terraform jobs via GitHub Actions.
  • Grant Terrateam permission to access your cloud provider for secure state storage. See cloud provider setup for details.
  • Create a .terrateam/config.yml file to define PR handling:

This configuration enables automatic terraform apply on merge, disables cost estimation, and uses OIDC for secure AWS access. The S3 backend keeps Terraform state encrypted and centralized.

Step 2: Set up authentication with Doppler

There are two ways to authenticate with Doppler in Terraform:

Option A: Personal token (Developer plan)

  • In Doppler, create a project (e.g., example-project) and config (e.g., dev).
  • Generate a Doppler personal token.
  • In your GitHub repository, go to Settings > Secrets and Variables > Actions.
  • Click “New repository secret,” name it something memorable, and paste the token value.
  • Click “Add secret” to store it securely.

This allows Terraform to access Doppler securely, keeping the token out of your codebase. Make sure it is injected into the Terraform runtime environment as an environment variable.


Option B: Service account token (Recommended, and available for Team/Enterprise plans)

  • In Doppler, create a service account with scoped permissions for your project.
  • Generate a service account token with the minimum required permissions.
  • Store this token as a GitHub Actions secret, as described in Option A.

Configure your GitHub workflow to inject this token into the Terraform environment.

A service account is preferred as it isn’t tied to a specific user account, has scoped permissions following the principle of least privilege, and can be easily rotated without affecting user access.


Step 3: Define your Terraform configuration

Now, let’s explore the three typical approaches to integrating Doppler with Terraform. For each approach, create a feature branch and add a main.tf file to define your infrastructure configuration.

Approach 1: Retrieving existing secrets (from a data source)

This approach is ideal when you have pre-existing secrets in Doppler that you want to use in your infrastructure.
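An added main.tf for this approach (example code, not the post's own file): it configures the Doppler provider so the token comes only from the DOPPLER_TOKEN environment variable set up in Step 2, reads the example-project/dev config as a data source, and feeds one pre-existing secret into an RDS instance. DB_PASSWORD, the AWS region and the database settings are constructed for the example.

```hcl
terraform {
  required_providers {
    doppler = { source = "DopplerHQ/doppler" }
    aws     = { source = "hashicorp/aws" }
  }
}

# No token appears in code: with doppler_token unset, the provider falls back
# to the DOPPLER_TOKEN environment variable injected by the GitHub Actions secret.
provider "doppler" {}

provider "aws" {
  region = "us-east-1"
}

# Read every secret in example-project/dev as one map. The provider marks the
# map as sensitive, so the plan that Terrateam posts to the PR prints
# "(sensitive value)" instead of the secret itself.
data "doppler_secrets" "app" {
  project = "example-project"
  config  = "dev"
}

# Use a pre-existing secret (DB_PASSWORD is a constructed name) in a resource.
# If the value is rotated in Doppler, the next plan/apply picks it up; no code change.
resource "aws_db_instance" "analytics" {
  identifier          = "analytics-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "analytics"
  password            = data.doppler_secrets.app.map.DB_PASSWORD
  skip_final_snapshot = true
}
```

The value still lands in Terraform state, which is why the encrypted, access-controlled S3 backend from Step 1 matters as much as keeping it out of Git.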

Approach 2: Generating and storing secrets

This approach is practical when you need to generate new credentials (like database passwords) during infrastructure provisioning.
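An added main.tf for this approach (example code, not the post's own): Terraform generates the database password, provisions the instance with it, and writes both the password and the connection details back to Doppler. It assumes the doppler and aws providers are already configured in the working directory with the token supplied through DOPPLER_TOKEN; the secret names and database settings are constructed.

```hcl
terraform {
  required_providers {
    random = { source = "hashicorp/random" }
  }
}

resource "random_password" "db" {
  length  = 32
  special = true
  # RDS rejects '/', '@', '"' and spaces in master passwords, so restrict
  # the special characters to a set it accepts.
  override_special = "!#$%&*()-_=+[]{}<>:?"
  # Rotation hook: change this value in a PR and Terraform generates a new
  # password, updates RDS and updates Doppler in the same apply.
  keepers = { rotation = "2025-06" }
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = random_password.db.result
  skip_final_snapshot = true
}

# Push the generated credential and connection details into Doppler so that
# services fetch them at runtime; nothing sensitive is committed to Git.
resource "doppler_secret" "db_password" {
  project = "example-project"
  config  = "dev"
  name    = "DB_PASSWORD"
  value   = random_password.db.result
}

resource "doppler_secret" "db_host" {
  project = "example-project"
  config  = "dev"
  name    = "DB_HOST"
  value   = aws_db_instance.app.address
}
```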

Approach 3: Managing Doppler projects with dummy values

This approach is practical when you want to manage the structure of your Doppler projects in Terraform, but not the actual secret values.
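An added main.tf for this approach and for the “Managing secret structure” use case below (example code, not the post's own): Terraform owns the Doppler project, environment and the list of required secret names, while ignore_changes on the value lets the owning team set real values in the Doppler UI without Terraform ever overwriting them or showing a diff. It assumes the Doppler provider is configured with the token supplied through DOPPLER_TOKEN; the project and secret names are constructed.

```hcl
resource "doppler_project" "svc" {
  name        = "payments-service"
  description = "Structure managed by Terraform; values set by the owning team"
}

# Creating the environment also creates its root config (named after the slug).
resource "doppler_environment" "dev" {
  project = doppler_project.svc.name
  slug    = "dev"
  name    = "Development"
}

# The "contract": every secret a deployment needs must exist under these names.
locals {
  required_secrets = ["DATABASE_URL", "STRIPE_API_KEY", "JWT_SIGNING_KEY"]
}

resource "doppler_secret" "contract" {
  for_each = toset(local.required_secrets)

  project = doppler_project.svc.name
  config  = doppler_environment.dev.slug
  name    = each.key
  value   = "CHANGE_ME" # placeholder only, never a real secret

  # Terraform creates the key once with the placeholder and then ignores the
  # value, so real values entered in Doppler are neither reverted nor planned.
  lifecycle {
    ignore_changes = [value]
  }
}
```

Renaming or removing an entry in required_secrets is a reviewed PR, so the set of expected secrets stays auditable even though their values never pass through Git or the plan output.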

Step 4: Open a pull request

After defining your Terraform configuration, push your branch and open a PR. Terrateam detects the Terraform changes, automatically runs terraform plan, and posts the output to the PR as a comment.

Review the plan to confirm resources and secrets are configured correctly. Merge the PR to trigger terraform apply.

Benefits of Terrateam and Doppler

Terrateam and Doppler provide a straightforward way to manage secrets in a GitOps workflow without adding extra complexity.

By keeping secrets out of Git and using Doppler to store and update them, teams avoid accidental exposure while still benefiting from version control and automation, which enhances security.

Terrateam handles the execution of Terraform plans and applies them through pull requests, so every change is reviewed, improving visibility and consistency.

This approach is reliable, auditable, and easily integrated into existing infrastructure workflows.

Use cases

Retrieving existing secrets

Teams managing microservices can reference existing Doppler secrets in their Terraform code without exposing sensitive values. When provisioning a new service via a Terrateam PR, the plan shows which resources will be created and what secrets will be used, without revealing the actual values. For example, a new analytics service can fetch database credentials from Doppler at runtime, and if those credentials change later, no code updates are needed.

Generating infrastructure credentials

To stay with the database case, when creating database instances, teams can use Terraform to generate credentials securely, provision resources with these credentials, and automatically store connection details in Doppler.

Application developers never manually handle these secrets; they simply configure their services to fetch them from Doppler. For credential rotation, a simple Terraform apply through a Terrateam PR updates the infrastructure and Doppler simultaneously, with all dependent services automatically receiving the new values.

Managing secret structure

Organizations can also maintain a consistent secret structure while allowing different teams to manage the actual values by using Terraform with dummy values and lifecycle ignore rules, which establishes a “contract” for required secrets without dictating their values.

When it’s time to deploy a new service, developers can use this template to create a Doppler project and populate the value through the UI. This approach comes in handy when a strict separation of duties or strict compliance requirements are needed.

Conclusion

Implementing GitOps for secrets with Terrateam and Doppler provides a secure, consistent, and automated approach to managing sensitive information in your infrastructure. By keeping secrets outside Git while treating their usage as code, you benefit from GitOps without compromising security.

Whether retrieving existing secrets, generating new ones, or managing projects, start by choosing the approach that fits your use case. As your needs evolve, you can combine these approaches to create a comprehensive secret management strategy for your organization.

FAQ: GitOps secrets with Terrateam & Doppler

As with infrastructure, GitOps for secrets means managing secrets through pull requests and code reviews. Secrets are treated as code inputs, not committed values. With tools like Terrateam and Doppler, you define how secrets are used in Terraform and inject the values securely at runtime.
