How to Manage Secrets in Terraform

Terraform is a go-to tool for defining cloud resources as code, dramatically simplifying the management of complex multi-cloud infrastructures. However, it can't do its job properly if it doesn't know the secret keys you use to access your cloud resources programmatically.
Throughout this article, you'll learn everything there is to know about secret keys, including strategies for securing them in Terraform. If you are new to Terraform, beef up your knowledge by taking our HashiCorp Certified: Terraform Associate online training.
What is a Secret?
A secret is an API key, password, Secure Shell (SSH) key, or any type of token used for authentication.
A secret is typically not considered something that provides authorization, like a JSON web token (JWT). Tokens used for authorization are routinely rotated and used for different purposes. Secrets, keys, and passwords are used to prove identity for authentication.
How Do I Manage Keys in Terraform?
You use secrets to protect your data and systems from threat actors, so how can you ensure they're secure in Terraform? There are many ways to do this, but we will concentrate on the two that are both secure and relatively simple to manage.
Store Secrets in Environment Variables
Terraform can read values from environment variables instead of having them written into its configuration files. An environment variable is stored at the host computer level, and access to it is governed by the user account and permissions of the system itself.
Environment variables are a long-established way to hold secrets. Only applications that have permission to access them can, and they aren't written out in plain text or reachable from the outside world. Likewise, they can't be committed to a version control system such as Git by accident, which is a common mistake in the software development lifecycle.
Environment variables can be called and injected into configurations as needed, keeping API keys and other secrets out of view of threat actors.
Environment variables do have two drawbacks. First, they can be challenging to manage and track. This approach is hands-on, because you need access to the system itself to update, change, or delete environment variables.
Second, anyone with access to the underlying system can also read the environment variables. That means support techs, engineers, or savvy threat actors can grab secrets quickly.
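The following configuration is an added example, not code from the article or from HashiCorp, showing the environment-variable approach end to end. It relies on two documented Terraform behaviours: any input variable named <name> is populated from an environment variable called TF_VAR_<name>, and the AWS provider reads AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment when no credentials are written in the provider block. The variable name db_password, the RDS settings and the sample export value are assumptions chosen for illustration.

```hcl
# Added example (not from the article): reading a secret from an environment
# variable instead of hard-coding it in HCL.
#
# Before running Terraform, the operator exports the value in the shell:
#
#   export TF_VAR_db_password='example-only-not-a-real-secret'   # constructed sample
#   export AWS_ACCESS_KEY_ID=...      # provider credentials, also from the environment
#   export AWS_SECRET_ACCESS_KEY=...
#   terraform plan
#
variable "db_password" {
  type        = string
  description = "Database master password, supplied via TF_VAR_db_password"
  sensitive   = true # redacts the value in plan/apply output and in error messages

  # No default: Terraform refuses to run without a value, so the secret can
  # never be committed in this file by accident.
  validation {
    condition     = length(var.db_password) >= 16
    error_message = "db_password must be at least 16 characters."
  }
}

# The AWS provider picks up its own credentials from the environment, so no
# access keys appear here.
provider "aws" {
  region = "us-east-1" # assumed region
}

# Hypothetical consumer of the secret; the argument names are the real
# aws_db_instance ones, the values are placeholders.
resource "aws_db_instance" "example" {
  identifier          = "example-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password
  skip_final_snapshot = true
}
```

One caveat worth knowing before relying on this: sensitive = true only redacts what Terraform prints. The password is still written in plain text to the state file once the resource is created, so the state backend (for example an S3 bucket with encryption and a tight bucket policy) needs the same protection you would give the secret itself.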
Use Secret Stores
A secret store is like a password management solution for your digital services. It stores passwords, API keys, and so on in a secure database that can be accessed programmatically.
Amazon Web Services (AWS) offers a popular secret store called the Secrets Manager. If you have created an Identity and Access Management (IAM) profile in AWS, you may have used the AWS Secrets Manager without realizing it.
HashiCorp, the maker of Terraform, also has a product for managing secrets. The advantage of using HashiCorp’s secret store is that it integrates with Terraform more gracefully than other options. Given that Terraform is meant to manage cloud resources, though, it supports many secret manager products, including AWS, Azure, and Google products.
The upside to using a secret store is that access to your secrets is much more secure. The downside is that configuring a secret store with Terraform is a bit more complicated than using environment variables. However, given the extra security, many techs consider configuring a secret store in Terraform worthwhile.
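As an added example (not code from the article, AWS or HashiCorp), here is the same database password pulled from AWS Secrets Manager at plan time rather than from an environment variable. It uses the real aws_secretsmanager_secret and aws_secretsmanager_secret_version data sources; the secret name prod/app/db, its JSON layout and the RDS settings are assumptions. The secret itself is assumed to have been created outside Terraform, so its value never appears in HCL.

```hcl
# Added example (not from the article): reading a secret from AWS Secrets
# Manager. The secret named below is a placeholder and is assumed to already
# exist, holding a JSON string such as {"username":"app","password":"..."}.
provider "aws" {
  region = "us-east-1" # assumed region
}

data "aws_secretsmanager_secret" "db" {
  name = "prod/app/db" # placeholder secret name
}

# Fetches the current version's value; Terraform calls GetSecretValue at plan time.
data "aws_secretsmanager_secret_version" "db" {
  secret_id = data.aws_secretsmanager_secret.db.id
}

locals {
  # Decode the JSON payload once so individual fields can be referenced.
  # sensitive() keeps the decoded map out of plan output.
  db_creds = sensitive(jsondecode(data.aws_secretsmanager_secret_version.db.secret_string))
}

# Least-privilege policy for whatever identity runs Terraform: it may read this
# one secret and nothing else in Secrets Manager. Attach it to the Terraform
# role or user outside this example.
data "aws_iam_policy_document" "read_db_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [data.aws_secretsmanager_secret.db.arn]
  }
}

resource "aws_iam_policy" "read_db_secret" {
  name   = "terraform-read-db-secret" # placeholder name
  policy = data.aws_iam_policy_document.read_db_secret.json
}

# Hypothetical consumer of the secret; the argument names are real, the values
# are placeholders.
resource "aws_db_instance" "example" {
  identifier          = "example-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = local.db_creds["username"]
  password            = local.db_creds["password"]
  skip_final_snapshot = true
}
```

Compared with the environment-variable version, nobody needs shell access to the machine running Terraform to rotate the password: update the secret in Secrets Manager, re-run terraform apply, and the new version is picked up. Access is logged per call in CloudTrail, which gives you an audit trail that environment variables cannot. The state-file caveat still applies: the value read from the data source is stored in state, so the backend must be protected.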
Ready to Master Terraform?
We’ve barely scratched the surface of how to manage secrets in Terraform. You can learn so much more by taking our HashiCorp Certified: Terraform Associate course. This course will help you pass the HashiCorp Certified: Terraform Associate exam and learn everything there is to know about managing secrets in Terraform.
Not a CBT Nuggets subscriber? Begin your 7-day free trial now.