Consul backend for vault

I would like to know what is the best practice to handle sensitive information if I store the tfstate file on Consul.

1 Like

Hello @bernardogza I would recommend you to create Consul ACL to protect access to the vault kv path, and create specific consul tokens with the specific ACL policies to the consul servers that should be the only ones that has access to the vault kv path.
Also this tokens should be rotated constantly, for security.


You can also use vault to store the sensitive data. Then reference it with the vault provider when running terraform.

Also, for what it’s worth, we don’t recommend that you store any long-lived secrets in your Terraform state file. I actually did a webinar on how to do this flow securely right here: Best Practices for Using HashiCorp Terraform with HashiCorp Vault. It includes using Consul as a storage back-end.