
How can I ensure that my retrieval of secrets is secure?


Currently I am using Terraform and AWS Secrets Manager to store and retrieve secrets, and I would like to have some insight into whether my implementation is secure, and if not, how I can make it more secure. Let me illustrate with what I have tried.

In secrets.tf I create a secret like (this needs to be implemented with targeting):

resource "aws_secretsmanager_secret" "secrets_of_life" {
  name = "top-secret"
}

I then go to the console and manually set the secret value in AWS Secrets Manager.

I then retrieve the secrets in secrets.tf like:

# Read the current version of the secret created above.
data "aws_secretsmanager_secret_version" "secrets_of_life_version" {
  secret_id = aws_secretsmanager_secret.secrets_of_life.id
}

locals {
  # The data source is named "secrets_of_life_version", so it must be
  # referenced by that name; the secret value is stored as a JSON string.
  creds = jsondecode(data.aws_secretsmanager_secret_version.secrets_of_life_version.secret_string)
}

And then I proceed to use the secret (export them as K8s secrets for example) like:

resource "kubernetes_secret" "secret_credentials" {
  metadata {
    name      = "kubernetes_secret"
    namespace = kubernetes_namespace.some_namespace.id
  }
  data = {
    top_secret = local.creds["SECRET_OF_LIFE"]
  }
  type = "kubernetes.io/generic"
}

It's worth mentioning that I store tf state remotely. Is my implementation secure? If not, how can I make it more secure?


Solution

  • Yes, I can confirm it is secure, since you accomplished the following:

    • Plain-text secrets are out of your code.
    • Your secrets are stored in a dedicated secret store that enforces encryption and strict access control.
    • Everything is defined in the code itself. There are no extra manual steps or wrapper scripts required.
    • Secrets Manager supports rotating secrets, which is useful in case a secret gets compromised.

    The only thing I can wonder about is using a Terraform backend that supports encryption, like S3, and avoiding committing the state file to your source control.
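A check for the state-file caveat raised in the answer, added here and not part of the original post: Terraform persists the value read by the `aws_secretsmanager_secret_version` data source and the `kubernetes_secret` `data` map in state as plain text (marking an attribute sensitive only redacts CLI output), so this scanner parses a version-4 `terraform.tfstate` and reports every attribute path that holds a given secret value. The embedded state document and the secret value `hunter2-constructed` are constructed samples; the `find_secret_in_state` and `walk` names are my own.

```python
from __future__ import annotations

import json
import sys
from typing import Any, Iterator


def walk(value: Any, path: str) -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, leaf) for every scalar inside a nested JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            yield from walk(child, f"{path}[{idx}]")
    else:
        yield path, value


def find_secret_in_state(state: dict, secret: str) -> list[str]:
    """Return every attribute path in a v4 tfstate whose string value contains `secret`.

    Data sources (mode "data") are addressed as data.<type>.<name>, managed
    resources as <type>.<name>; instance attributes are searched recursively,
    so a secret embedded in a JSON-encoded secret_string is still found.
    """
    hits: list[str] = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            address = "data." + address
        for idx, inst in enumerate(res.get("instances", [])):
            for path, leaf in walk(inst.get("attributes", {}), f"{address}[{idx}]"):
                if isinstance(leaf, str) and secret in leaf:
                    hits.append(path)
    return hits


# Constructed sample state mirroring the question's configuration (not real data).
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_secretsmanager_secret", "name": "secrets_of_life",
         "instances": [{"attributes": {"name": "top-secret"}}]},
        {"mode": "data", "type": "aws_secretsmanager_secret_version", "name": "secrets_of_life_version",
         "instances": [{"attributes": {"secret_string": "{\"SECRET_OF_LIFE\": \"hunter2-constructed\"}"}}]},
        {"mode": "managed", "type": "kubernetes_secret", "name": "secret_credentials",
         "instances": [{"attributes": {"data": {"top_secret": "hunter2-constructed"}, "type": "kubernetes.io/generic"}}]},
    ],
}

if __name__ == "__main__":
    # Usage: terraform state pull > state.json; python scan.py state.json '<secret value>'
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 2 else SAMPLE_STATE
    for hit in find_secret_in_state(doc, sys.argv[2] if len(sys.argv) > 2 else "hunter2-constructed"):
        print("secret present in state at:", hit)
```

Any path it prints is a location the remote backend's encryption and access policy must protect, since the value is readable by anyone who can download the state object.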