(Note) Handling Secrets Correctly in Terraform Config

08 May 2020

There two things that need to be handled.

1. Encrypt the secret in the Terraform config file

Don’t have the secret as plaintext in any of the config file. Encrypt using AWS KMS. Then use awskmssecrets to decrypt at runtime.

Can also use an encrypted secret store like AWS Parameter Store or Hashicorp Vault.

2. Use an encrypted backend for state

Use Terraform Cloud (remote) as the backend.

State files store the plaintext version of secrets. So don’t use local statefiles and check-in to version control. Use a encryted backend like Terraform cloud or AWS S3 to persist state.

Disclaimer: These are notes for myself that I’m sharing. I’m not claiming this is the way or the best way.

Personal notes and thoughts on web technology, software development, and technical product management by Janaka Abeywardhana. On Github, Twitter, and Instagram

© 2020-2022, Built with Gatsby