-1

I have a requirement. I am deploying an application into AWS using terraform. A part of this contains creating a secrets resource "aws_secretsmanager_secret"; for this secret I have to add the userid/password of an external system, which will be static and will never change. Now while deploying this I have to declare the values for the userid/password. Since this terraform code will also get stored in the git repository, storing the credential in plain text form is not allowed.

How to solve this problem?

Thanks, Abhi

I have stored the credential in variables.tf, which will eventually create the secrets with the variables, but this is not allowed.

Abhi
    What have you tried already? Is there any code? – Marko E Nov 23 '22 at 11:25
  • 1
    You can create the secret via terraform and then manually edit the value in the web console. – luk2302 Nov 23 '22 at 11:30
  • I have added the user id and password in variables.tf and then, while creating the resource, encoded the json key value pairs to set the secret values. But doing this still exposes my password in git, so I have to find a mechanism how this can be done. One way is we create the secret manually and then the rest using terraform. The moment terraform executes it triggers a web service call to the third party system and sets the keys from another secret – Abhi Nov 23 '22 at 14:33

1 Answer

0

Instead of storing your credentials in your variables.tf file, you can store them into environment variables, and have your tf code read those variables.

This way, when you commit your tf files to git, the variables will not be pushed in plain text.

Medium article explaining how to do it

Official documentation

Leo
  • I am a bit new to AWS. So you mean store it in my local machine environment variables, then somehow call that in terraform to pass this value onto the secrets manager? – Abhi Nov 23 '22 at 16:39
  • Please take a look at both links I sent you above. There is no need to hardcode credentials or any other secret information into your tf file. export TF_VAR_EXAMPLE_ONE="" ... if your code has a variable called EXAMPLE_ONE, it will take the value from the environment variable. – Leo Nov 23 '22 at 16:58
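The approach from the answer and comments, written out as an added example (not code from the question or the answer): the credentials are declared as sensitive input variables with no default and supplied through TF_VAR_* environment variables, so nothing secret is committed. The variable names, the secret name and the resource names are assumptions for illustration.

```hcl
# variables.tf: sensitive inputs with no default, so the repository never
# holds a value. sensitive = true also redacts them from plan/apply output.
variable "external_username" {
  type      = string
  sensitive = true
}

variable "external_password" {
  type      = string
  sensitive = true
}

# main.tf: the secret container and its value.
resource "aws_secretsmanager_secret" "external_system" {
  name = "example/external-system" # assumed name
}

resource "aws_secretsmanager_secret_version" "external_system" {
  secret_id = aws_secretsmanager_secret.external_system.id
  secret_string = jsonencode({
    username = var.external_username
    password = var.external_password
  })

  # Optional, matching the comment suggestion of setting the value outside
  # Terraform (e.g. in the console): after the first apply, ignore drift in
  # the value so a later apply does not overwrite a manually rotated secret.
  lifecycle {
    ignore_changes = [secret_string]
  }
}

# Supplying the values from the shell before plan/apply. The suffix after
# TF_VAR_ must match the variable name exactly (case-sensitive):
#   export TF_VAR_external_username='svc-user'
#   export TF_VAR_external_password="$(cat /path/to/local/password-file)"
#   terraform plan && terraform apply
```

Note that the secret value still ends up in the Terraform state file in plain text, so the state backend (for example an encrypted S3 bucket with restricted access) must be protected as carefully as the secret itself.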