
We are managing an Elastic Beanstalk application via Terraform, and are unsure of the best way to handle sensitive environment variables for our application.

Currently, we are storing these sensitive values in an AWS Secrets Manager secret. During the terraform apply step, we use an aws_secrets_manager_secret data source to load the secret. We then iterate over the key/value pairs in the secret, and create setting blocks within our aws_elastic_beanstalk_environment resource.

There are a couple of concerns we have with this approach:

  1. We have to mark our sensitive values as nonsensitive, because Terraform does not allow the use of sensitive values as arguments to for_each. This means that the plaintext values are logged as part of our terraform plan and terraform apply steps. This is an issue in our CD pipeline, but our workaround for this is to redirect all logs to /dev/null.
  2. Our sensitive values appear in plaintext in our tfstate file. We keep this file in an S3 bucket, whose access is restricted to administrators and the deployment user. This is probably not a huge issue. The values are accessible via the Secrets Manager console anyway, and access is restricted in a similar way.

Is there a better solution that others are using to manage environment variables for an Elastic Beanstalk app managed via Terraform?

mattnedrich

0 Answers
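For readers arriving at this unanswered question, here is the pattern it describes written out as Terraform HCL, so that the two exposure points (plan output and state) are visible in the configuration. This is an added illustration, not the asker's configuration; the secret name, application name, environment name and solution stack are placeholders, and the data source names are the provider's `aws_secretsmanager_secret` / `aws_secretsmanager_secret_version` rather than the spelling used in the question.

```hcl
# Added example, not the asker's code. All names below are placeholders.

data "aws_secretsmanager_secret" "app_env" {
  name = "my-app/env" # placeholder: the secret holding a JSON map of env vars
}

data "aws_secretsmanager_secret_version" "app_env" {
  secret_id = data.aws_secretsmanager_secret.app_env.id
}

locals {
  # secret_string is marked sensitive by the provider; jsondecode() keeps
  # that marking on the resulting map.
  app_env_sensitive = jsondecode(data.aws_secretsmanager_secret_version.app_env.secret_string)

  # for_each rejects sensitive values, so the map has to be unwrapped.
  # From this line on every key and value is plaintext in `terraform plan`
  # output, in `terraform apply` output and in the state file.
  app_env = nonsensitive(local.app_env_sensitive)
}

resource "aws_elastic_beanstalk_environment" "app" {
  name        = "my-app-prod" # placeholder
  application = "my-app"      # placeholder
  # placeholder; pick a current stack from
  # `aws elasticbeanstalk list-available-solution-stacks`
  solution_stack_name = "64bit Amazon Linux 2023 v4.0.0 running Python 3.11"

  # One setting block per key in the secret, under the environment-variable
  # namespace. Each value is stored as an attribute of this resource.
  dynamic "setting" {
    for_each = local.app_env
    content {
      namespace = "aws:elasticbeanstalk:application:environment"
      name      = setting.key
      value     = setting.value
    }
  }
}
```

Two checks worth running against a configuration like this: `terraform state show aws_elastic_beanstalk_environment.app` prints every setting value, which is exactly what concern 2 is about, and because the values are also stored by Elastic Beanstalk as environment properties, anyone with read access to the environment (for example via the console or `aws elasticbeanstalk describe-configuration-settings`) can see them regardless of how tightly the state bucket is locked down. So the state file and the plan logs are two of at least three places the plaintext lands; access control on the EB environment itself belongs in the same review.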