Ben

04/14/2023, 7:37 AM
Hey, what's the recommended way of storing secret variables? e.g. we have a password that we need to pass into a Terraform module, what would you suggest is the best way of storing this safely?

Bruno Schaatsbergen

04/14/2023, 7:48 AM
This seems more like a Terraform-specific question, but I would suggest either using a Secret Manager or making a KMS key and encrypting it locally using the KMS key, then committing and decrypting the secret in Terraform.
Treat your Terraform state as a secret too, as in Terraform, secrets are never secret 😉

PePe Amengual

04/14/2023, 3:25 PM
or Parameter Store can be used if you are an AWS user

Gabor Maghera

04/14/2023, 9:21 PM
Remote state will expose your data source lookups.
SOPS is a good way to go. If you use Terragrunt, there’s support for it built in. But there’s a way to do it via pure Terraform too. You’ll be storing secrets in code and remote state, but encrypted and unusable with something like KMS decrypting it (when used).

pomcho555

04/15/2023, 4:42 PM
HashiCorp Vault or AWS Secrets Manager is our choice. These are straightforward to use.

Ben

04/17/2023, 10:36 AM
Thank you so much for this! I've taken these ideas to the team and we're making a decision on this 😄

Bruno Schaatsbergen

04/17/2023, 10:36 AM
👌 !

Gabor Maghera

04/18/2023, 12:21 AM
@pomcho555 check your remote state, anything you reference from Vault or AWS Secrets Manager will show inside.
(we do the same thing with AWS Secrets Manager, and depending on how much protection you want it may or may not be enough)

pomcho555

04/19/2023, 3:52 PM
Thanks for the advice. I assume a dynamic secret on Vault is also a decent option.