Hey what s the recommended way of storing secret variables e

Question

Hey what s the recommended way of storing secret variables e g we have a password that we need to pass into a terraform module what would you suggest is the best way of storing this safely

Bruno Schaatsbergen · Answer

This seems more like a Terraform specific question but I would suggest to either use a Secret Manager or make a KMS key and encrypt it locally using the KMS key then commit and decrypt the secret in Terraform

Bruno Schaatsbergen · Answer

Treat your Terraform state as a secret too as in Terraform secrets are never secret wink

PePe Amengual · Answer

or parameter store can be used if you are are an aws user

Gabor Maghera · Answer

Remote state will expose your data source lookups

Gabor Maghera · Answer

SOPS is a good way to go If you use Terragrunt there s support for it built in But there s a way to do it via pure Terraform too You ll be storing secrets in code and remote state but encrypted and unusable with something like KMS decrypting it when used

pomcho555 · Answer

Hashicorp Vault or AWS secret manager is our choice These are straight forward to use

Ben · Answer

Thank you so much for this I ve taken these ideas to the team and we re making a decision on this smile

Bruno Schaatsbergen · Answer

ok hand

Gabor Maghera · Answer

< pomcho555> check your remote state anything you reference from Vault or AWS Secrets Manager will show inside

Gabor Maghera · Answer

we do the same thing with AWS Secrets Manager and depending on how much protection you want it may or may not be enough

pomcho555 · Answer

Thanks for the advice I assume <https developer hashicorp com vault tutorials getting started getting started dynamic secrets|dynamic secret> on Vault is also decent option