If I have a main.tf file that calls variables held in a variables.tf file, and then in variables.tf I wanted to import “Secret” variables how would I go about this? I want to define things like subnets in a variable file but keep my aws keys in a file that I will not store in repository.
Since you mention AWS, in my opinion the best tool is https://github.com/99designs/aws-vault. Once configured correctly, you would run terraform in this way:
$ aws-vault exec <IAM USER OR ROLE> -- terraform ...
Another very good tool that works also for non-AWS clouds is https://github.com/cyberark/summon.
Both make secrets available as environment variables to the child process.
Yes, I am looking to store creds for AWS only at this point, and I write and run my terraform code from MS VS Code. I am very new to terraform, so some things don’t make sense to me, nor am I a programmer. Just a network engineer trying to add some skills. I am reading through the documentation and cannot understand how to actually add my access key and secret access key from an AWS user to push config to AWS.
Hi @stevenjw0228001,
In most cases I would recommend against using Input Variables for things like credentials. The design intent of Terraform is that you use your configuration to describe what should exist and where it should exist. Credentials are about who is running Terraform, rather than what Terraform should manage, and so representing them via constructs in the configuration is a last resort.
Since you’re talking about AWS keys I’ll use that to give a concrete example. A typical AWS provider configuration block would ideally talk only about where the objects described elsewhere in the configuration should be created, which is most often specified just as a region (which then implies a selection of physical endpoint URLs internally). It can also often be helpful to write down specifically which AWS account(s) we are intending should own the objects, although that is primarily for detecting mistakes:
provider "aws" {
  region              = "us-west-2"
  allowed_account_ids = ["12345678"]
}
For your credentials though, it’s better where possible to use the standard mechanisms AWS-based tools use to find credentials, which includes the ~/.aws/credentials file or the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment variables.
Using those conventional locations has a number of benefits, including:
- You only have to set them up once and can use both Terraform and other AWS-based tools like the AWS CLI.
- You can use existing tooling for potentially dynamically generating and saving temporary credentials for AWS if desired, rather than having to use Terraform-specific automation. (This includes aws-vault as suggested by @marco-m, for example.)
- Your configuration is focused on describing what objects Terraform should manage, and thus you can more easily apply that Terraform configuration later on a different computer and/or with different credentials without having to edit it first.
The AWS provider and many other providers do allow passing credentials-related information in the configuration for pragmatic reasons: not all uses of Terraform follow the typical usage patterns and constraints, and so sometimes directly configuring credentials in the provider is the most practical option. For everyday Terraform usage though, I’d recommend treating that as a last resort.
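To put the advice above into practice, here is an added example (not code from this thread, HashiCorp, or the AWS provider): a POSIX shell check that flags credentials written into .tf files, exercised on two constructed configurations, one with hardcoded keys and one that only states region and account as recommended. The directory layout and the placeholder key values are assumptions.

```shell
#!/bin/sh
# Added example: pre-commit style check for AWS credentials in Terraform
# configuration. Exit status 1 when a credential-like value is found.

# Flag .tf lines that assign provider credentials, or that contain an AWS
# access key id (AKIA followed by 16 upper-case alphanumerics).
check_tf_credentials() {
    hits=$(find "$1" -name '*.tf' -exec grep -lE \
        '^[[:space:]]*(access_key|secret_key|aws_access_key_id|aws_secret_access_key)[[:space:]]*=|AKIA[0-9A-Z]{16}' {} +)
    if [ -n "$hits" ]; then
        printf 'credential-like values found in:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Build a constructed fixture with one bad and one good configuration;
# prints the fixture directory. Key values are placeholders, not real keys.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bad" "$d/good"
    # Bad: credentials live in the configuration (what the answer advises against).
    cat > "$d/bad/main.tf" <<'EOF'
provider "aws" {
  region     = "us-west-2"
  access_key = "AKIAEXAMPLEEXAMPLE00"
  secret_key = "placeholder-secret-not-a-real-key"
}
EOF
    # Good: only "where"; credentials come from ~/.aws/credentials or the
    # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
    cat > "$d/good/main.tf" <<'EOF'
provider "aws" {
  region              = "us-west-2"
  allowed_account_ids = ["12345678"]
}
EOF
    echo "$d"
}

# Usage: sh check_tf_creds.sh <path-to-terraform-dir>
if [ $# -gt 0 ]; then
    check_tf_credentials "$1"
fi
```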