Whilst Vault can be used to serve secrets to Terraform for IaC, I understand that the Terraform state file still holds secrets as text. In a Cloud environment, e.g. AWS, there is a recommendation to hold the state file encrypted at rest on S3 storage. However, I haven't been able to find guidance on how to manage the state file securely when running Vault and Terraform in an entirely on-premise environment, i.e. no Cloud filesystem available... other than maybe storing secrets as envars. My concern would be exposing secrets using the Terraform vSphere Provider. Are there recommendations for on-premise encryption at rest, access controls, short-leased accounts to mitigate risk? When I have discussed this with potential adopters, I don't have a good story to tell... I like the product - just need assurance that it can be implemented securely.
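The first step in building that story is knowing exactly which values sit in plain text in the state. The check below is an added example, not code from the thread or from HashiCorp: it parses a constructed format-version-4 state file (assuming the documented `resources[].instances[].attributes` / `sensitive_attributes` layout) and lists the values that are provider-marked sensitive or whose key names look credential-bearing, so the at-rest encryption and access-control controls can be scoped against a concrete inventory.

```python
import json
import re
# Constructed sample of a Terraform state file (format version 4 layout); not from any real deployment.
SAMPLE_STATE = json.dumps({
    "version": 4, "terraform_version": "1.5.0", "serial": 3, "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "vm_ip": {"value": "10.0.0.5", "type": "string"},
        "admin_pw": {"value": "constructed-secret", "type": "string", "sensitive": True},
    },
    "resources": [{
        "mode": "managed", "type": "vsphere_virtual_machine", "name": "app",
        "provider": "provider[\"registry.terraform.io/hashicorp/vsphere\"]",
        "instances": [{
            "schema_version": 3,
            "attributes": {"name": "app-01", "num_cpus": 2,
                           "clone": [{"customize": [{"windows_options": [{"admin_password": "constructed-secret"}]}]}]},
            "sensitive_attributes": [[{"type": "get_attr", "value": "clone"}]],
        }],
    }],
})
# Key names that usually carry credentials even when the provider never marked them sensitive.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|private_key|api_key)", re.I)

def _walk(node, path):
    # Yield (dotted path, value) for every scalar leaf under node.
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + [k])
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + [str(i)])
    else:
        yield ".".join(path), node
def find_plaintext_secrets(state_json):
    """Return sorted paths of state values Terraform marked sensitive or whose key name looks credential-bearing."""
    state = json.loads(state_json)
    hits = set()
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") or SECRET_KEY.search(name):
            hits.add(f"outputs.{name}")
    for res in state.get("resources", []):
        for idx, inst in enumerate(res.get("instances", [])):
            prefix = f"{res['type']}.{res['name']}[{idx}]"
            # sensitive_attributes holds paths as lists of steps; the first step names the top-level attribute.
            marked = {steps[0]["value"] for steps in inst.get("sensitive_attributes", []) if steps}
            for path, value in _walk(inst.get("attributes", {}), []):
                if value not in (None, "") and (path.split(".")[0] in marked or SECRET_KEY.search(path)):
                    hits.add(f"{prefix}.{path}")
    return sorted(hits)
```

Running it against a real state file gives the list of paths that any on-premise backend (encrypted volume, restricted share, or HTTP backend in front of Vault-managed storage) must protect, and the same list is what to expect in an audit log when the state is read.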