Article Content
What Are Terraform Secrets?
Terraform secrets are pieces of sensitive information used in infrastructure management, such as API keys, passwords, and database connection strings. These secrets grant access to systems and services. Managing secrets securely is vital to ensure unauthorized users do not gain access.
Terraform enables defining, deploying, and managing infrastructure as code, but its native approach to handling secrets can expose them if not adequately protected. Since Terraform configurations are stored in text files, including secrets directly in these files is unsafe and makes them vulnerable to accidental exposure through source code repositories or logs.
As Terraform executes, it can reveal secrets in logs or state files, requiring careful handling. Understanding how to manage Terraform secrets properly is essential for maintaining secure infrastructure environments.
This is part of a series of articles about DevSecOps.
Risks of Exposing Secrets in Terraform
Exposing secrets in Terraform can have severe consequences, as these sensitive pieces of information are often the key to accessing critical infrastructure and services:
- Accidental exposure through version control: Storing secrets directly in Terraform configuration files and then committing these files to a version control system like Git poses a significant risk. If the repository is public or improperly secured, sensitive data can be leaked. Even in private repositories, improper permissions or misconfigurations can still expose secrets to unauthorized users.
- Leaks in logs and debug output: During Terraform execution, sensitive data like API keys or passwords might be inadvertently logged in plain text. This can occur when debugging is enabled or when errors are thrown that include sensitive values in their output. Log files can be overlooked but still serve as a vulnerability point if they are accessible or not purged properly.
- Exposure in state files: Terraform state files, which track the current state of infrastructure, often store sensitive information such as access credentials, database passwords, and other secrets. If these state files are stored locally or in unsecured locations without encryption or access control, they can easily be exposed to attackers. Once state files are compromised, attackers can manipulate infrastructure or gain access to sensitive systems.
- Weak environment variable management: Using environment variables to store and pass secrets can be more secure than embedding them in code, but this method still carries risks if the environment is not adequately secured. Environment variables can be accessed by any process running on the same system, and if they are not properly restricted or logged, secrets can be unintentionally revealed.
- Insufficient access control: Failing to implement proper access control for users and processes that interact with Terraform configurations and state files can lead to unintended exposure. Users or systems with excessive permissions might be able to access or modify secrets, increasing the risk of leaks or malicious exploitation.
Common Types of Secrets in Terraform
Here are some of the main types of secrets that exist in a Terraform environment.
Provider Credentials and API Keys
Provider credentials and API keys are commonly used secrets in Terraform configurations. They enable communication between Terraform and cloud providers, allowing for resource management and deployment. Storing them improperly can expose critical infrastructure to potential attacks or unauthorized modifications.
Database Connection Strings
Database connection strings contain information needed to connect to databases, including usernames and passwords. If exposed, unauthorized individuals could access and manipulate sensitive data, posing a significant security risk. Protecting these strings is crucial for data integrity and for maintaining system security in Terraform-managed environments.
SSL Certificates and Private Keys
SSL certificates and private keys are vital for securing communications between clients and servers. Unauthorized access to private keys can compromise encrypted data exchanges, leading to security vulnerabilities. Therefore, handling SSL certificates and private keys securely in Terraform is critical to maintain transactional confidentiality and trust.
Related content: Read our guide to continuous deployment
Where Are Secrets Stored in Terraform?
Terraform secrets can be stored in several locations.
Configuration Files
In Terraform, secrets can be stored in configuration files, where inclusion can risk accidental exposure, particularly if these files are committed to version control systems. With configuration files typically in plaintext, unauthorized access can easily lead to disclosure.
To protect secrets, methods such as using environment variables or encrypted files are required. By separating secrets from configuration files, risk is minimized.
State Files
Terraform state files track the current state of managed infrastructure, but they might also contain sensitive information inadvertently. If exposed or accessed unauthorized, these files can reveal infrastructure details and secrets, enabling attackers to exploit vulnerabilities.
State files should be secured, using encryption and restricting access to only trusted users or services. Storing state files in a secure remote backend further protects sensitive data from unauthorized exposure.
Environment Variables
Environment variables offer a way to pass secrets to Terraform without including them directly in configuration files. However, they come with their own risks if not properly managed, as they can be exposed in logs or inadvertently shared with unauthorized personnel.
Properly configuring permissions and access restrictions is essential to mitigate these risks when using environment variables for secrets. It’s important to limit access to environment variables to only the applications and users that require it.
Senior Developer Evangelist, Octopus Deploy
Kostis is a software engineer/technical-writer dual-class character. He lives and breathes automation, good testing practices, and stress-free deployments with GitOps.
TIPS FROM THE EXPERT
In my experience, here are tips that can help you better manage secrets in Terraform:
- Use workspace separation for environment-specific secrets: Leverage Terraform’s workspaces to isolate secrets across environments (e.g., dev, staging, production). Each workspace can have its own state file and associated secrets, preventing unnecessary exposure across environments and ensuring that secret management aligns with deployment boundaries.
- Use short-lived credentials where possible: Instead of using long-term API keys or secrets, opt for short-lived credentials like those provided by AWS STS. These credentials automatically expire, reducing the risk if a key is accidentally exposed, and limit the window of vulnerability.
- Lock state file access with granular permissions: Use Identity and Access Management (IAM) roles to lock down who can read, modify, or delete Terraform state files. Enforce least privilege principles so that only trusted services and individuals can access sensitive state information.
- Enable state file versioning and auditing: When using remote backends like AWS S3, enable object versioning and access logging. This allows you to track changes to the state files and revert if a secret is accidentally exposed. Auditing helps maintain a trail of state file accesses, ensuring accountability.
- Integrate dynamic secrets provisioning: Use secret management tools like HashiCorp Vault to generate secrets on-demand rather than storing static secrets. For example, provision database credentials dynamically for each Terraform run, reducing the attack surface and improving security.
Methods for Managing Secrets Securely
Here are some of the ways that Terraform users can ensure the secure management of their secrets.
1. Using Secure Remote Backends
Terraform state files, which store the current state of infrastructure, may contain sensitive information such as access keys or database credentials. Storing these state files locally, especially in plain text, poses a significant security risk. By using a remote backend, Terraform can securely store state files, ensuring that secrets are not exposed to unauthorized parties.
Remote backends offer key security features like encryption, access control, and versioning. For example, AWS S3 or HashiCorp Consul can be used as remote backends, providing encryption for sensitive data and enforcing strict access control measures. The state files can be versioned to track changes, and backup mechanisms ensure data recovery in case of failures.
Here’s an example of configuring a secure backend in Terraform:
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "path/to/my/key"
region = "us-east-1"
encrypt = true
dynamodb_table = "terraform-lock"
}
}
This configuration stores the state file in an encrypted S3 bucket and uses a DynamoDB table for state locking, adding extra protection.
2. Encrypting Sensitive Files with KMS, PGP, or SOPS
Another method for securing Terraform secrets is encrypting sensitive files using services like AWS KMS, PGP, or SOPS. These encryption tools help secure sensitive information, such as access credentials or configuration details, stored in files. Encryption ensures that even if these files are exposed, unauthorized users cannot read their contents without the decryption key.
For example, to encrypt a secrets file using AWS KMS:
aws kms encrypt \ --key-id <alias>OR<arn> \ --plaintext fileb://secrets.yml \ --output text \ --query CiphertextBlob > secrets.yml.encrypted
In this scenario, secrets.yml contains sensitive credentials, and it is encrypted using AWS KMS. Terraform can later decrypt this file during runtime, ensuring that credentials remain secure throughout the deployment process.
3. Storing Secrets in Secret Management Tools
For improved security, it’s recommended to store sensitive information in secret management tools, such as AWS Secrets Manager or HashiCorp Vault. These tools provide a secure and centralized method for managing secrets, access keys, and other sensitive data, eliminating the need to include them in Terraform configurations directly.
Here’s an example of using AWS Secrets Manager to store and retrieve secrets in Terraform:
data "aws_secretsmanager_secret_version" "db_secrets" {
secret_id = "my-database-credentials"
}
resource "aws_db_instance" "mydb" {
username = jsondecode(data.aws_secretsmanager_secret_version.db_secrets.secret_string)["username"]
password = jsondecode(data.aws_secretsmanager_secret_version.db_secrets.secret_string)["password"]
}
In this example, the database credentials are stored securely in AWS Secrets Manager and retrieved during Terraform execution. This approach reduces the risk of secret exposure in configuration files and state files.
4. Masking Sensitive Output Values
Terraform allows marking output variables as sensitive to prevent the exposure of secret values in command-line output or state files. By default, Terraform doesn’t know which variables contain sensitive information, so it’s essential to explicitly mark them as sensitive.
Here’s an example of defining sensitive variables and masking their output:
variable "aws_access_key" {
type = string
sensitive = true
}
output "accesskey_value" {
value = var.aws_access_key
sensitive = true
}
With sensitive = true, the value of aws_access_key will not be displayed in the output or state files, protecting the secret from unintended exposure.
Related content: Read our guide to DevSecOps tools
Infrastructure as Code with Codefresh CI/CD
Codefresh is built for modern tools with support for flexible frameworks. Most infrastructure as code tools are available as docker images and can be seamlessly integrated into Codefresh pipelines – this happens to be a very common pattern for many of our customers. Learn more about how you can easily execute a custom freestyle step with any of these images here.
If you are interested in managing Codefresh resources with Terraform, we also have you covered there! The Codefresh Terraform provider can manage the creation, updates, and removal of Codefresh resources allowing you to utilize your current infrastructure as code workflows without compromises.
Ready to Get Started?
Deploy more and fail less with Codefresh and Argo