Securing API Keys/Passwords/SSH Keys in Terraform

Terraform
1

I am looking into how to secure things like API keys within my terraform code. I am using terraform to push config and changes to palo alto Firewalls and this requires an API key. So the example is this:

# Configure the panos provider
provider "panos" {
    hostname = "127.0.0.1"
    json_config_file = "../panos-creds.json"
}

Then the solution to filling the creds is this:

{
    "hostname": "127.0.0.1",
    "api_key": "secret",
    "timeout": 10,
    "logging": ["action", "op", "uid"],
    "verify_certificate": false
}

So to me this seems like they are calling the json file to fill the credentials for api access to the palo alto. The issue is how do we secure the json file that lies in the terraform folder structure? How can I use something like AWS KMS for this? Is that an option?

2

The simplest way to address this is to use environment variables, which the provider will read in natively rather than configuring them in the provider block itself. You can find examples here:
https://registry.terraform.io/providers/PaloAltoNetworks/panos/latest/docs#username

3

Which this works for not loading creds to versioning platform like GitHub, but then the creds are still local to the box pushing the code. Beside Hashicorp vault how can we store these somewhere with encryption? Thats why I was asking about aws kms.