
How to handle sensitive information in Terraform?

Handling sensitive information in Terraform is crucial to ensure the security of your infrastructure as code. Sensitive data includes passwords, API keys, and other confidential information that should not be exposed in your codebase or logs.

To manage sensitive information in Terraform, you can use the following methods:

  1. Variables with Sensitive Attribute: Terraform lets you mark an input variable as sensitive. Terraform then redacts its value in plan and apply output (it is shown as (sensitive value)) and carries that marking over to anything derived from it. The value is still written in plaintext to the state file, so the state backend needs encryption and access control of its own.

    variable "password" {
      type        = string
      sensitive   = true
    }
    

    Example usage (the sensitive flag hides the value in CLI output only; user_data is recorded in state and is readable from the instance metadata service on the running instance):

    resource "aws_instance" "example" {
      ami           = "ami-12345678"
      instance_type = "t2.micro"
      # redacted in plan output, but stored in state and exposed via instance metadata
      user_data     = "echo ${var.password} > /tmp/password.txt"
    }
    
  2. Environment Variables: You can pass sensitive information via environment variables. Terraform automatically reads any environment variable named TF_VAR_<name> as the value of the input variable <name>; no function call is needed, and the value never has to appear in a .tf or .tfvars file.

    export TF_VAR_password="mysecretpassword"
    

    The variable declaration and the aws_instance resource from method 1 are used unchanged; var.password is populated from the environment. Note that a literal value on the export line is recorded in shell history, so prefer reading it from a secrets tool or an interactive prompt.

  3. Terraform Cloud: Terraform Cloud (now HCP Terraform) provides a secure way to store secrets and credentials. Workspace variables marked as sensitive are write-only: once saved, their values cannot be viewed in the UI or read back through the API, and they are injected only into runs.

    • Create a workspace in Terraform Cloud.
    • Add the variables to the workspace settings and mark them as sensitive.
    • Reference them in your Terraform code as regular variables (var.<name>).
  4. Vault by HashiCorp: HashiCorp Vault is a tool for managing secrets and protecting sensitive data. You can integrate Vault with Terraform to securely retrieve secrets during the provisioning process.

    Example:

    data "vault_generic_secret" "example" {
      path = "secret/data/myapp"
    }
    
    resource "aws_instance" "example" {
      ami           = "ami-12345678"
      instance_type = "t2.micro"
      # the value read from Vault is still recorded in state and in user_data
      user_data     = "echo ${data.vault_generic_secret.example.data["password"]} > /tmp/password.txt"
    }
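
The following is an added example, not code from the original page, that ties methods 1 and 2 together: a sensitive input variable supplied through TF_VAR_db_password, a validation rule that does not leak the value, and the output handling Terraform enforces for sensitive values. The variable, local and output names are assumptions.

```hcl
# Added example (not from the original page); all names are assumptions.
# Supply the value from the environment, never from a .tf or .tfvars file.
# To keep it out of shell history, prompt for it instead of typing a literal:
#   read -rs TF_VAR_db_password && export TF_VAR_db_password
# Terraform maps TF_VAR_<name> to var.<name> automatically.

terraform {
  required_version = ">= 1.0"
}

variable "db_password" {
  type        = string
  description = "Database password, supplied via TF_VAR_db_password"
  sensitive   = true

  # Validation runs before the value is used; the condition and message must not leak it.
  validation {
    condition     = length(var.db_password) >= 16
    error_message = "db_password must be at least 16 characters."
  }
}

# Sensitivity propagates: this local is sensitive because it embeds var.db_password.
locals {
  connection_string = "postgres://app:${var.db_password}@db.internal:5432/app"
}

# Terraform fails at plan time if an output refers to a sensitive value
# without sensitive = true. "terraform output" then shows <sensitive>;
# "terraform output -raw connection_string" still prints it, so restrict who can run that.
output "connection_string" {
  value     = local.connection_string
  sensitive = true
}

# Metadata that reveals nothing about the secret can be unwrapped deliberately.
output "db_password_length" {
  value = nonsensitive(length(var.db_password))
}
```

What sensitive = true does not do is touch the state file: terraform.tfstate still holds the password in plaintext, so the state backend (an S3 bucket with server-side encryption and a tight bucket policy, HCP Terraform, or similar) is part of the secret's trust boundary, and anyone who can read state can read the secret.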
    
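As an added example for method 4 (not the page's own code and not HashiCorp's), here is a Vault read that keeps the secret out of user_data by passing it to a resource argument the provider already treats as sensitive. The vault_kv_secret_v2 data source assumes Terraform Vault provider 3.10 or newer and a KV v2 engine mounted at secret/; the mount, secret name, policy name and database attributes are assumptions.

```hcl
# Added example (not from the original page); mount, names and policy are assumptions.

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.10" # first release with the vault_kv_secret_v2 data source
    }
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Address and token come from VAULT_ADDR / VAULT_TOKEN in the environment
# (or an auth_login block); never hard-code a token in configuration.
provider "vault" {}

# Read the KV v2 secret stored at secret/myapp ({"password": "..."}).
# The provider marks the data and data_json attributes as sensitive.
data "vault_kv_secret_v2" "myapp" {
  mount = "secret"
  name  = "myapp"
}

# Pass the secret straight to an argument the AWS provider already marks sensitive,
# instead of echoing it into user_data (which is stored in state and readable
# from the instance metadata service).
resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = data.vault_kv_secret_v2.myapp.data["password"]
  skip_final_snapshot = true
}

output "db_endpoint" {
  value = aws_db_instance.app.endpoint
}

# Least-privilege Vault policy for the token Terraform runs with (separate file,
# e.g. terraform-myapp.hcl, loaded with: vault policy write terraform-myapp terraform-myapp.hcl).
# Read-only on this one secret and nothing else:
#
#   path "secret/data/myapp" {
#     capabilities = ["read"]
#   }
```

Two caveats remain even with this shape: the data source result and the password argument are both recorded in terraform.tfstate, so state protection still applies, and every plan re-reads the secret from Vault, so the token Terraform uses should be short-lived and scoped to the policy above rather than a long-lived root or admin token.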

For cloud services, Tencent Cloud offers Tencent Cloud Secrets Manager, which can be used to securely store and manage sensitive information. You can integrate Tencent Cloud Secrets Manager with Terraform to retrieve secrets during the provisioning process.

By using these methods, you can effectively manage and secure sensitive information in your Terraform configurations.