# atlantis-community
s
This message was deleted.
b
This seems more like a Terraform-specific question, but I would suggest either using a Secret Manager or making a KMS key and encrypting it locally using the KMS key, then committing and decrypting the secret in Terraform.
Treat your Terraform state as a secret too, as in Terraform secrets are never secret 😉
p
or Parameter Store can be used if you are an AWS user
g
Remote state will expose your data source lookups.
SOPS is a good way to go. If you use Terragrunt, there’s support for it built in. But there’s a way to do it via pure Terraform too. You’ll be storing secrets in code and remote state, but encrypted and unusable with something like KMS decrypting it (when used).
p
HashiCorp Vault or AWS Secrets Manager is our choice. These are straightforward to use.
b
Thank you so much for this! I've taken these ideas to the team and we're making a decision on this 😄
b
👌 !
g
@pomcho555 check your remote state, anything you reference from Vault or AWS Secrets Manager will show inside.
(we do the same thing with AWS Secrets Manager, and depending on how much protection you want it may or may not be enough)
p
Thanks for the advice. I assume dynamic secrets on Vault are also a decent option.