Guides
Terraform AWS IAM - Roles, Policies, and Best Practices
How to manage AWS IAM roles, policies, and permissions with Terraform following security best practices. Step-by-step guide with code examples and best pract...
2 min read
Guides
How to Manage Secrets and Sensitive Data in Terraform
Best practices for managing secrets, passwords, and sensitive data in Terraform configurations. Step-by-step guide with code examples and best practices for ...
LLuca Berton1 min read
The Problem With Secrets in Terraform
#Terraform state files contain sensitive data in plain text. API keys, database passwords, and certificates stored in state are readable by anyone with state access. Here's how to handle this securely.
Rule 1: Never Hardcode Secrets
## BAD - secret in code
resource "aws_db_instance" "db" {
password = "super-secret-password" # This ends up in state AND git
}
# GOOD - use a variable
resource "aws_db_instance" "db" {
password = var.db_password
}Method 1: Environment Variables
#export TF_VAR_db_password="super-secret-password"
terraform applyMethod 2: AWS Secrets Manager
#data "aws_secretsmanager_secret_version" "db_password" {
secret_id = "prod/database/password"
}
resource "aws_db_instance" "db" {
password = data.aws_secretsmanager_secret_version.db_password.secret_string
}Method 3: HashiCorp Vault
#provider "vault" {
address = "https://vault.example.com"
}
data "vault_generic_secret" "db" {
path = "secret/data/prod/database"
}
resource "aws_db_instance" "db" {
password = data.vault_generic_secret.db.data["password"]
}Method 4: SOPS Encrypted Files
## Encrypt a tfvars file
sops --encrypt --in-place secrets.tfvars
# Decrypt and apply
sops -d secrets.tfvars | terraform apply -var-file=/dev/stdinMarking Outputs as Sensitive
#output "db_connection_string" {
value = "postgresql://${var.db_user}:${var.db_password}@${aws_db_instance.db.endpoint}"
sensitive = true
}
variable "db_password" {
type = string
sensitive = true # Prevents value from showing in plan output
}State File Security
#Even with these methods, sensitive values still exist in state. Protect state by:
- Encrypting state at rest — enable S3 SSE or use encrypted backends
- Restricting state access — IAM policies limiting who can read state
- Using Terraform Cloud — state is encrypted and access-controlled
- Never committing state to git — add
*.tfstateto.gitignore
Best Practices Summary
#- Never hardcode secrets in
.tffiles - Use a secrets manager (AWS SM, Vault, Azure Key Vault)
- Mark sensitive variables and outputs with
sensitive = true - Encrypt state at rest and restrict access
- Rotate secrets regularly
- Use short-lived credentials (OIDC, STS) where possible
Learn More
#- Terraform for Beginners Course — hands-on security labs
- Terraform By Example Book — real-world patterns
- Terraform Cheat Sheet — quick command reference
#secrets#sensitive#security#vault
Related articles
Troubleshooting
Fix Terraform Error - Output Refers to Sensitive Value
Fix the Terraform output refers to sensitive values error. Covers sensitive outputs, nonsensitive function, module outputs, and secrets management patterns.
3 min read
Guides
Terraform Cost Optimization for AWS - Reduce Your Cloud Bill
Practical Terraform patterns to reduce AWS costs: right-sizing, spot instances, scheduling, and reserved capacity. Step-by-step guide with code examples and ...
2 min read
Guides
Terraform Zero-Downtime Deployments - Blue-Green and Rolling Updates
How to achieve zero-downtime deployments with Terraform using blue-green, rolling updates, and create_before_destroy. Step-by-step guide with code examples a...
2 min read