AWS Secrets Manager: Tutorial & best practices
AWS Secrets Manager vs KMS: Differences & synergies
AWS Secrets Manager vs. Parameter Store: Features, cost & more
AWS CLI Secrets Manager: In-depth tutorial with examples
AWS Secrets Manager with Terraform: Tutorial & examples
AWS KMS key rotation: Tutorial & best practices
AWS Secrets Manager for Kubernetes: Tutorial & best practices
AWS Secrets Manager alternatives: A comprehensive analysis
AWS Lambda Secrets Manager best practices
AWS Vault: Tutorial, best practices & limitations
AWS CDK Secrets Manager tutorial & best practices
SSM Parameter Store: Tutorial & best practices
AWS Secrets Manager is an excellent service for managing sensitive information like database credentials, certificates, passwords, and tokens in the cloud. While infrastructure as code (IaC) tools like Terraform can integrate with secret management services like Secrets Manager, KMS, or Parameter Store, Terraform’s native secrets management has some limitations.
This article discusses best practices for secret management in Terraform. We cover how Terraform can be configured to create and retrieve secrets using Secrets Manager and discuss the challenges of Terraform’s native secrets management approach. We also look at how good third-party tools can address Terraform’s limitations and provide an example of how such a tool can streamline secret management for multiple platforms.
Let’s take a quick look at the different secrets that can be used within Terraform and their use cases in an AWS environment.
The table below gives an overview of the best practices to follow while managing secrets in Terraform. We will explain each in detail in the following section.
Now that you’ve gotten a brief idea about the best practices, let’s take a deeper dive into each one, with examples.
Learn how WhatNot stopped secrets sprawl using Doppler
Storing secrets as plain text inside code exposes the secrets to anyone having access to your version control system when you push the code. This can be dangerous if the repository is public and can be avoided by using secrets management services like AWS Secrets Manager, AWS Parameter Store, or Hashicorp Vault.
Here’s an example of storing secrets using AWS Secrets Manager in Terraform.
1. Create a main.tf file and add the following code to create your secret.
2. Create a variables.tf file as follows:
3. Now, use terraform plan and pass the secret as a variable to review your changes:
4. Finally, perform terraform apply to deploy the configuration.
The Terraform data module allows Terraform to use external information in its configuration. This can be done by specifying the appropriate provider, such as an AWS Secrets Manager data source.
The following example demonstrates how you can use the AWS Secrets Manager data source to retrieve secrets into your Terraform configuration from AWS.
1. Create a main.tf file and add the following code specifying the Secrets Manager data module:
2. If you have stored secrets as JSON, you can use the following method instead, which utilizes jsondecode:
Secrets can be passed to Terraform as input variables, variable definition files, or environment variables.
Users can pass the secrets with the -var command line option while running Terraform commands. The following example shows how users can pass input variables during the Terraform plan state and apply the Terraform configuration to deploy resources.
Users can enter the secrets inside a .tfvars file and specify this on the command line using the -var-file argument. However, this requires users to be careful to not push the tfvars file to the version control system and maintain it themselves.
Let’s go through an example by creating a secrets.tfvars file with the following content:
Apply the configuration to deploy the changes using the following command:
Users can export secrets in the command line as TF_VAR_ followed by the variable name before running the Terraform commands. The following example shows how users can use environment variables to pass secrets to Terraform:
Since a Terraform state file contains sensitive information about your resource configurations, it is recommended to store the state files in a remote backend like S3 bucket and avoid pushing them to the version control system.
To create a new S3 backend for your Terraform project, follow these steps:
1. Add the following code inside your main.tf file after specifying your bucket name:
2. Next, perform terraform init to initialize your remote backend:
Note that it is recommended to have versioning enabled on your S3 bucket so that you can recover old state files in case.
Integration with tools like Doppler can help inject secrets from multiple providers dynamically into your Terraform code, helping keep a single source of truth for the secrets across your projects.
The following example demonstrates how users can make use of Doppler CLI to dynamically inject secrets into Terraform.
1. First, make sure you have Doppler CLI installed on your system and configure it by doing doppler login and doppler setup to grant Doppler API access to the required secrets.
2. Next, integrate Doppler with AWS Secrets Manager. Doppler supports integration with multiple services; check out this article to learn how to integrate Doppler with AWS Secrets Manager.
3. Once you’ve finished the integration, create your secret from the Doppler dashboard. You could choose to generate a random secret value as follows for added security:
4. Finally, run the following command to inject the secret inside your Terraform configuration:
Let’s verify this by running the command from the terminal.
As you can see, Doppler dynamically injected the secrets into the Terraform configuration while keeping the secret as a sensitive value.
Terraform’s native secrets management has the following drawbacks:
Doppler can help improve Terraform by providing the following advantages:
This article provides an in-depth look at using AWS Secrets Manager with Terraform. While Terraform can be used to provision and manage secrets in Secrets Manager, Terraform’s native approach has some limitations. We described these limitations in detail and went through best practices and security recommendations that can help improve Terraform’s secret management capability.
The article also highlights how combining Terraform with tools like Doppler can make secret management more efficient and secure. Since Doppler integrates with multiple secret management services, it can be a reliable option for managing secrets across different cloud providers, empowering teams to scale their deployments efficiently while maintaining security and control over sensitive data.
If you’re interested in learning more about Doppler, check out the free team trial for 14 days without a credit card or request a demo to try Doppler for the enterprise.
Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.