Secret management with terraform cdk

Question

In the past I've used Pulumi which offers a secrets management solution that allows stack based secrets to be checked into git while being encrypted.

I've been looking for a similar solution with Terraform CDK and haven't found one. Does Terraform CDK offer a similar solution so that I don't have to expose my stack based secrets (like mongoPassword in the Pulumi example above)?

Piers Karsenbarg · Accepted Answer · 2023-01-08T19:10:23.960

1

Unlike Pulumi, all secrets in terraform are stored in your state in plaintext. There’s an issue that’s been open for 8 years (at the time of writing this answer): https://github.com/hashicorp/terraform/issues/516

There’s also a Gruntworks post on best practice, which specifically states that the secrets aren’t encrypted: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1 (relevant bit about the state is here: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1#c49b)

edited Jan 08 '23 at 19:10

answered Jan 08 '23 at 14:40

Piers Karsenbarg

3,105
5
31
67

That's...surprising. I was hoping that my google-fu was failing. – Paymahn Moghadasian Jan 08 '23 at 15:59
1

I believe the “official” TF way is to use vault but that you’ll have to manage yourself. I’ve just added a link to a Gruntworks post I found which states this as well – Piers Karsenbarg Jan 08 '23 at 19:10

Secret management with terraform cdk

1 Answers1