Managing Secrets in Git with Terraform – Best Practices?

Hi everyone,

I am currently managing more and more secrets using Vault. To handle this efficiently, I am considering using Terraform for automation and scalability. However, this raises serious security concerns.

When storing Terraform configurations in Git for version control, any secrets defined in the configuration (e.g. AWS keys or sensitive variables) are stored in plaintext within the Git repository. This seems like a significant security risk, even if the repository is private.

How do you approach this issue? Are there any best practices or tools that can help you manage secrets securely in Terraform configurations while using Git for version control?

One thing I have been thinking about is using HCP Terraform for variables.

However, I am concerned that this will also become a cost issue as the number of vault secrets increases.

I would appreciate any advice, strategies, or experiences you can share!

Thank you in advance!

Hello,

Is the scenario that you want a terraform configuration that creates a kv secret in Vault using Terraform Registry?

Thanks for helping me understand the scenario a bit better.

Hello jonathanfrappier

Your answer is correct.

I want to manage KV Secrets in Vault using Vault Provider in Terraform.

However, I want to prevent KV from being exposed in plaintext in the code like this:

resource "vault_kv_secret_v2" "gw_tools" {
  mount               = vault_mount.tools.path
  name                = "urls"
  delete_all_versions = true
  data_json           = jsonencode(var.tools_url["tools"])
}

# The values are hard-coded as the variable default, so they sit in plaintext in Git.
variable "tools_url" {
  type = map(map(string))
  default = {
    tools = {
      HCP_TERRAFORM_URL = "https://app.terraform.io/app/aaa/workspaces"
      GITLAB_URL        = "https://gitlab.aaa.site/"
      AWS_CONSOLE_URL   = "https://keycloak.aaa.site/realms/aws/protocol/saml/clients/amazon-aws"
    }
  }
}

If you suggest a new solution, I will apply it to my environment.

Thank you.

Thanks for confirming - your idea to maintain Vault using IaC is spot on, but I’m not sure managing the secrets this way will work. You need some secure source of truth for the secrets - I would say that is typically Vault itself.

Are you bringing new Vault clusters up and down often such that you are constantly creating these, or are you just looking to remove a manual process of creating the secret?

One option, depending on your secrets is to use a data source to read them from some provider. Using the example provided, this might look something like

# The data source exports the alias as "account_alias".
data "aws_iam_account_alias" "current" {}

output "aws_account_url" {
  value = "https://${data.aws_iam_account_alias.current.account_alias}.signin.aws.amazon.com/console"
}

This probably does not work for all your secrets, but might get you partially there.
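One way to keep the values out of the committed configuration while still managing the KV secret with the Vault provider, as an added example that is not from this thread: declare the variable as sensitive with no default and supply it at apply time from a gitignored tfvars file or a TF_VAR_ environment variable. The mount, resource and variable names follow the poster's snippet; the tfvars file name is an assumption.

```hcl
# Declared without a default, so no secret value lives in the committed .tf files.
# "sensitive" redacts the value from plan and apply output.
variable "tools_url" {
  type        = map(map(string))
  sensitive   = true
  description = "Per-group KV payloads, supplied at apply time and never committed"
}

resource "vault_mount" "tools" {
  path    = "tools"
  type    = "kv"
  options = { version = "2" }
}

resource "vault_kv_secret_v2" "gw_tools" {
  mount               = vault_mount.tools.path
  name                = "urls"
  delete_all_versions = true
  data_json           = jsonencode(var.tools_url["tools"])
}

# Supply the value out of band. Either a gitignored file (assumed name
# secrets.auto.tfvars; add "*.tfvars" to .gitignore) containing:
#
#   tools_url = {
#     tools = {
#       GITLAB_URL = "https://gitlab.aaa.site/"
#     }
#   }
#
# or an environment variable set in the CI runner, never in the repo:
#
#   export TF_VAR_tools_url='{ tools = { GITLAB_URL = "https://gitlab.aaa.site/" } }'
```

The value is still written to the Terraform state in plaintext, so the state backend needs the same access control and encryption as Vault itself; `sensitive = true` only affects CLI output.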