I'd like to create a secret in Terraform to store FTP credentials, I did some reading including the Terraform doc for resource secretsmanager_secret and secretsmanager_secret_version.
I have some idea now, my understanding is that with the code below I can create an empty secret:
resource "aws_secretsmanager_secret" "example" {
  name = "example"
}
Then I can use the code below to specify my credentials, to tell Terraform what key and value need to be stored in this secret:
resource "aws_secretsmanager_secret_version" "example" {
  secret_id     = aws_secretsmanager_secret.example.id
  secret_string = "example-string-to-protect"
}
I'm confused now. In this way, the credentials will be exposed in the Terraform script, so what's the point of doing this? I wonder what the best practice is; maybe just create an empty secret in Terraform, then add the credentials manually in the AWS console? Might someone be able to help please? Thanks.
Since you are hard-coding the "example-string-to-protect", the secret will be in plain text in your source code. This is bad practice.
I wonder what the best practice is, maybe just create an empty secret in Terraform, then add credentials manually in AWS console?
Yes, this is commonly done. But even if you do this, and try to use the data source aws_secretsmanager_secret_version to get the secret and use it, e.g. to set the password of your database, the secret will end up in plain text in a state file.
This is a long-standing and still unresolved issue on GitHub: "Storing sensitive values in state files".
So if you want to do it manually and then use the data source to get the secret, you have to protect your state file, often done by using a remote backend (e.g. S3) with strict access controls. The other way is again not to access the secret value in TF. Instead, you can use local-exec to use the AWS CLI or SDK to get the secret, and use it when you need it. Or do it "manually" (using the AWS CLI or SDK) totally outside of TF.
Update
Regarding Hashicorp Vault:
Terraform can be used by the Vault administrators to configure Vault and populate it with secrets. In this case, the state and any plans associated with the configuration must be stored and communicated with care, since they will contain in cleartext any values that were written into Vault.
Currently Terraform has no mechanism to redact or protect secrets that are provided via configuration
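The pattern the answer describes (create only the secret container in Terraform, populate it out of band, and read it at apply time with the AWS CLI through local-exec so the value never enters the plan or state) as an added example; it is not code from the question or the answer. The secret name, the JSON key `password`, the `configure-ftp-client.sh` script and the `hashicorp/null` provider are assumptions.

```hcl
# Added example: the secret's value is never known to Terraform.

# Only the container is managed here. No aws_secretsmanager_secret_version
# resource exists, so no value is hard-coded or written to state.
resource "aws_secretsmanager_secret" "ftp" {
  name        = "ftp/credentials" # assumed name
  description = "FTP credentials; value is set outside Terraform"
}

# The value is written once, outside Terraform, e.g. (assumed file creds.json):
#   aws secretsmanager put-secret-value --secret-id ftp/credentials \
#     --secret-string file://creds.json
# or via the console. Terraform never reads it back through a data source.

resource "null_resource" "use_ftp_credentials" {
  # Re-run the provisioner only when the container itself changes.
  triggers = {
    secret_arn = aws_secretsmanager_secret.ftp.arn
  }

  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    # The secret is read into a shell variable inside the provisioner's own
    # process. Only the ARN is interpolated into the command, so the value
    # appears neither in the plan, the state, nor the "Executing:" log line.
    command = <<-EOT
      set -euo pipefail
      FTP_PASSWORD="$(aws secretsmanager get-secret-value \
        --secret-id "${aws_secretsmanager_secret.ftp.arn}" \
        --query SecretString --output text | jq -r .password)"
      # Consume the value without echoing it (assumed script name).
      ./configure-ftp-client.sh "$FTP_PASSWORD"
    EOT
  }
}
```

The identity running `terraform apply` still needs `secretsmanager:GetSecretValue` on that one ARN, and anything the consuming script prints to stdout is shown in the apply output, so the script must not echo the value.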