Handle Sensitive Variables Securely

Intermediate12 min

Manage secrets, API keys, and passwords in Terraform without exposing them in state, logs, or version control.

Prerequisites

-Terraform installed
-Understanding of Terraform variables

Steps

Mark variables as sensitive

Use the sensitive flag to prevent Terraform from displaying variable values in plan output and logs.

$ cat <<'EOF' > variables.tf variable "db_password" { type = string description = "Database password" sensitive = true } variable "api_key" { type = string description = "External API key" sensitive = true } EOF

Sensitive variables show as '(sensitive value)' in plan output, preventing accidental exposure.

Pass secrets via environment variables

Use TF_VAR_ prefixed environment variables to inject secrets without putting them in files.

$ export TF_VAR_db_password="my-secret-password" export TF_VAR_api_key="sk-abc123" terraform plan

Never put secrets in .tfvars files that are committed to version control. Use environment variables or a secrets manager.

Use a secrets manager data source

Fetch secrets at plan time from AWS Secrets Manager, Vault, or similar services.

$ cat <<'EOF' > secrets.tf data "aws_secretsmanager_secret_version" "db" { secret_id = "prod/database/password" } locals { db_password = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)["password"] } EOF

Encrypt state at rest

Ensure your remote backend encrypts state files since they may contain sensitive values.

$ cat <<'EOF' > backend.tf terraform { backend "s3" { bucket = "my-tf-state" key = "prod/terraform.tfstate" region = "us-east-1" encrypt = true } } EOF

State files can contain secrets in plaintext even when variables are marked sensitive. Always encrypt state at rest.

Add .gitignore rules for sensitive files

Prevent accidental commits of files that may contain secrets.

$ cat <<'EOF' >> .gitignore *.tfstate *.tfstate.* *.tfvars !example.tfvars .terraform/ override.tf override.tf.json EOF

Full Script

full-script.sh

#!/bin/bash
set -euo pipefail

# Terraform Secret Management Setup
# Configures secure variable handling

echo "==> Checking for secrets in tracked files..."
if git ls-files | xargs grep -l 'password|secret|api_key|token' 2>/dev/null | grep -v '.gitignore' | grep -v 'variables.tf'; then
  echo "WARNING: Potential secrets found in tracked files!"
  echo "Review the files listed above."
else
  echo "No obvious secrets found in tracked files."
fi

echo ""
echo "==> Checking .gitignore..."
for PATTERN in "*.tfstate" "*.tfvars" ".terraform/"; do
  if grep -q "$PATTERN" .gitignore 2>/dev/null; then
    echo "  OK: $PATTERN is in .gitignore"
  else
    echo "  MISSING: $PATTERN not in .gitignore"
    echo "$PATTERN" >> .gitignore
    echo "    -> Added to .gitignore"
  fi
done

echo ""
echo "==> Checking for sensitive variables without the sensitive flag..."
grep -rn 'variable.*password|variable.*secret|variable.*key|variable.*token' *.tf 2>/dev/null | while read -r LINE; do
  echo "  Review: $LINE"
done

echo ""
echo "==> Secret management checklist:"
echo "  [ ] All secrets use 'sensitive = true' in variable blocks"
echo "  [ ] Secrets passed via TF_VAR_ env vars or secrets manager"
echo "  [ ] State backend has encrypt = true"
echo "  [ ] .gitignore covers .tfstate and .tfvars files"
echo "  [ ] No secrets hardcoded in .tf files"

FAQ

Discussion

Loading comments...

#!/bin/bash set -euo pipefail # Terraform Secret Management Setup # Configures secure variable handling echo "==> Checking for secrets in tracked files..." if git ls-files | xargs grep -l 'password|secret|api_key|token' 2>/dev/null | grep -v '.gitignore' | grep -v 'variables.tf'; then echo "WARNING: Potential secrets found in tracked files!" echo "Review the files listed above." else echo "No obvious secrets found in tracked files." fi echo "" echo "==> Checking .gitignore..." for PATTERN in "*.tfstate" "*.tfvars" ".terraform/"; do if grep -q "$PATTERN" .gitignore 2>/dev/null; then echo " OK: $PATTERN is in .gitignore" else echo " MISSING: $PATTERN not in .gitignore" echo "$PATTERN" >> .gitignore echo " -> Added to .gitignore" fi done echo "" echo "==> Checking for sensitive variables without the sensitive flag..." grep -rn 'variable.*password|variable.*secret|variable.*key|variable.*token' *.tf 2>/dev/null | while read -r LINE; do echo " Review: $LINE" done echo "" echo "==> Secret management checklist:" echo " [ ] All secrets use 'sensitive = true' in variable blocks" echo " [ ] Secrets passed via TF_VAR_ env vars or secrets manager" echo " [ ] State backend has encrypt = true" echo " [ ] .gitignore covers .tfstate and .tfvars files" echo " [ ] No secrets hardcoded in .tf files"