Whilst Vault can be used to serve secrets to Terraform for IaC, I understand that the Terraform state file still holds secrets as text. In a Cloud environment, e.g. AWS, there is a recommendation to hold the state file encrypted at rest on S3 storage. However, I haven’t been able to find guidance on how to manage the state file securely when running Vault and Terraform in an entirely on-premise environment, i.e. no Cloud filesystem available… other than maybe storing secrets as envars. My concern would be exposing secrets using the Terraform vSphere Provider. Are there recommendations for on-premise encryption at rest, access controls, and short-leased accounts to mitigate the risk? When I have discussed this with potential adopters, I don’t have a good story to tell… I like the product - I just need assurance that it can be implemented securely.
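A concrete way to see what the post is worried about, as an added example that is not part of the original post: a small Python checker that lists which attributes in a Terraform state file (state format version 4) sit in clear text, run over a constructed state snippet. The vSphere resource and attribute names, the shape of `sensitive_attributes`, and the secret-key name patterns are assumptions for illustration.

```python
import json
import re
# Constructed sample state (format v4): one vSphere VM whose guest
# customisation password and an API token ended up in the state.
# Resource/attribute names are illustrative, not from a real run.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "type": "vsphere_virtual_machine",
        "name": "app",
        "instances": [{
            "attributes": {
                "name": "app-01",
                "clone": [{"customize": [{"windows_options": [
                    {"admin_password": "P@ss-constructed"}]}]}],
                "extra_config": {"guestinfo.api_token": "tok-constructed"},
            },
            # Terraform records sensitive attribute paths here (assumed shape)
            "sensitive_attributes": [[{"type": "get_attr", "value": "extra_config"}]],
        }],
    }],
})

# Key names that usually carry credentials; extend for your providers.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|api_key|private_key", re.I)

def _walk(node, path):
    """Yield (dotted path, value) for every scalar under node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + [str(k)])
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + [str(i)])
    else:
        yield ".".join(path), node

def find_plaintext_secrets(state_json):
    """Return [(resource address, attribute path, value)] stored in clear text."""
    hits = []
    for res in json.loads(state_json).get("resources", []):
        addr = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            # top-level attributes Terraform itself flagged as sensitive
            marked = {p[0]["value"] for p in inst.get("sensitive_attributes", [])
                      if p and p[0].get("type") == "get_attr"}
            for path, value in _walk(inst.get("attributes", {}), []):
                if isinstance(value, str) and value and (
                        path.split(".")[0] in marked or SECRET_KEY_RE.search(path)):
                    hits.append((addr, path, value))
    return hits
```

Calling `find_plaintext_secrets(open("terraform.tfstate").read())` against a real state is the quickest way to show an adopter exactly what an on-premise backend must protect at rest.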