AWS Secrets Manager is an excellent service for managing sensitive information like database credentials, certificates, passwords, and tokens in the cloud. While infrastructure as code (IaC) tools like Terraform can integrate with secret management services like Secrets Manager, KMS, or Parameter Store, Terraform’s native secrets management has some limitations.
This article discusses best practices for secret management in Terraform. We cover how Terraform can be configured to create and retrieve secrets using Secrets Manager and discuss the challenges of Terraform’s native secrets management approach. We also look at how good third-party tools can address Terraform’s limitations and provide an example of how such a tool can streamline secret management for multiple platforms.
Let’s take a quick look at the different secrets that can be used within Terraform and their use cases in an AWS environment.
The table below gives an overview of the best practices to follow while managing secrets in Terraform. We will explain each in detail in the following section.
Now that you’ve gotten a brief idea about the best practices, let’s take a deeper dive into each one, with examples.
Storing secrets as plain text inside code exposes the secrets to anyone having access to your version control system when you push the code. This can be dangerous if the repository is public and can be avoided by using secrets management services like AWS Secrets Manager, AWS Parameter Store, or Hashicorp Vault.
Here’s an example of storing secrets using AWS Secrets Manager in Terraform.
The Terraform data module allows Terraform to use external information in its configuration. This can be done by specifying the appropriate provider, such as an AWS Secrets Manager data source.
The following example demonstrates how you can use the AWS Secrets Manager data source to retrieve secrets into your Terraform configuration from AWS.
Secrets can be passed to Terraform as input variables, variable definition files, or environment variables.
Users can pass the secrets with the -var command line option while running Terraform commands. The following example shows how users can pass input variables during the Terraform plan state and apply the Terraform configuration to deploy resources.
Users can enter the secrets inside a .tfvars file and specify this on the command line using the -var-file argument. However, this requires users to be careful to not push the tfvars file to the version control system and maintain it themselves.
Let’s go through an example by creating a secrets.tfvars file with the following content:
Apply the configuration to deploy the changes using the following command:
Users can export secrets in the command line as TF_VAR_ followed by the variable name before running the Terraform commands. The following example shows how users can use environment variables to pass secrets to Terraform:
Since a Terraform state file contains sensitive information about your resource configurations, it is recommended to store the state files in a remote backend like S3 bucket and avoid pushing them to the version control system.
To create a new S3 backend for your Terraform project, follow these steps:
Note that it is recommended to have versioning enabled on your S3 bucket so that you can recover old state files in case.
Integration with tools like Doppler can help inject secrets from multiple providers dynamically into your Terraform code, helping keep a single source of truth for the secrets across your projects.
The following example demonstrates how users can make use of Doppler CLI to dynamically inject secrets into Terraform.
Let’s verify this by running the command from the terminal.
As you can see, Doppler dynamically injected the secrets into the Terraform configuration while keeping the secret as a sensitive value.
Terraform’s native secrets management has the following drawbacks:
Doppler can help improve Terraform by providing the following advantages:
This article provides an in-depth look at using AWS Secrets Manager with Terraform. While Terraform can be used to provision and manage secrets in Secrets Manager, Terraform’s native approach has some limitations. We described these limitations in detail and went through best practices and security recommendations that can help improve Terraform’s secret management capability.
The article also highlights how combining Terraform with tools like Doppler can make secret management more efficient and secure. Since Doppler integrates with multiple secret management services, it can be a reliable option for managing secrets across different cloud providers, empowering teams to scale their deployments efficiently while maintaining security and control over sensitive data.
Learn how to properly select and implement a secure secret management automation solution for cloud computing.
Learn how to securely store, manage, and rotate sensitive information with AWS Secrets Manager and AWS Key Management Service (KMS).
Learn how AWS Secrets Manager and Parameter Store differ in terms of access control, secret rotation, integration, and cost.
Learn how to manage and protect sensitive information in the AWS cloud using the AWS CLI Secrets Manager commands.
Learn how to best manage secrets in Terraform with examples from AWS Secrets Manager, Parameter Store, and Hashicorp Vault.