I am currently managing more and more secrets using Vault. To handle this efficiently, I am considering using Terraform for automation and scalability. However, this raises serious security concerns.
When storing Terraform configurations in Git for version control, any secrets defined in the configuration (e.g. AWS keys or sensitive variables) are stored in plaintext within the Git repository. This seems like a significant security risk, even if the repository is private.
How do you approach this issue? Are there any best practices or tools that can help you manage secrets securely in Terraform configurations while using Git for version control?
One thing I have been thinking about is using HCP Terraform for variables.
However, I am concerned that this will also become a cost issue as the number of Vault secrets increases.
I would appreciate any advice, strategies, or experiences you can share!
Thanks for confirming - your idea to maintain Vault using IaC is spot on, but I’m not sure managing the secrets this way will work. You need some secure source of truth for the secrets - I would say that is typically Vault itself.
Are you bringing new Vault clusters up and down often, such that you are constantly creating these, or are you just looking to remove a manual process of creating the secret?
One option, depending on your secrets, is to use a data source to read them from some provider. Using the example provided, this might look something like:
data "aws_iam_account_alias" "current" {}

output "aws_account_url" {
  value = "https://${data.aws_iam_account_alias.current.alias}.signin.aws.amazon.com/console"
}
This probably does not work for all your secrets, but might get you partially there.
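To show the data-source approach from the reply applied to the original question (secrets written into Vault by Terraform without any secret literal living in Git), here is an added example; it is not code from either poster. The mount name, secret path, Secrets Manager secret id and variable name are all assumptions, and the example assumes the official hashicorp/aws and hashicorp/vault providers with their normal credentials already configured in the environment.

```hcl
# Added example (not from the thread). Secret values reach Terraform two ways,
# neither of which puts a plaintext value in version control:
#   1. a sensitive input variable supplied at run time (TF_VAR_* or a
#      gitignored terraform.tfvars), and
#   2. a data source that reads an existing secret from a provider.
# Both are then written into Vault KV v2 by a resource.

terraform {
  required_providers {
    aws   = { source = "hashicorp/aws" }
    vault = { source = "hashicorp/vault" }
  }
}

# Run-time input. No default: a default would be the plaintext-in-Git problem.
# sensitive = true keeps the value out of plan/apply output and the console.
variable "db_password" {
  type      = string
  sensitive = true
}

# Read an existing secret from AWS Secrets Manager instead of typing it in.
# "prod/api-key" is an assumed secret name.
data "aws_secretsmanager_secret_version" "api_key" {
  secret_id = "prod/api-key"
}

# Write both values into Vault KV v2. "secret" is an assumed KV v2 mount.
# The provider marks data_json as sensitive, so it is redacted from output,
# but it is still recorded in Terraform state (see the note below).
resource "vault_kv_secret_v2" "app" {
  mount = "secret"
  name  = "app/prod"
  data_json = jsonencode({
    db_password = var.db_password
    api_key     = data.aws_secretsmanager_secret_version.api_key.secret_string
  })
}
```

Supply the variable from the existing source of truth at apply time rather than from a file, for example TF_VAR_db_password="$(vault kv get -field=password secret/legacy/db)" terraform apply, and add terraform.tfvars to .gitignore so a locally written value can never be committed. One caveat the data-source approach does not remove: everything a data source reads and every resource attribute Terraform manages ends up in state in plaintext, sensitive marking or not, so the state backend needs the same protection as the repository (encrypted remote backend with tight access, or HCP Terraform state). Terraform 1.10 and later add ephemeral values that are not persisted to state; whether a given provider version exposes them for Vault secrets should be checked against its changelog before relying on it.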