How to manage secrets in Terraform?

· Category: DevOps & CI/CD

Short answer

Manage secrets in Terraform by reading them at plan/apply time from HashiCorp Vault (or another secret store) or passing them in through TF_VAR_ environment variables, instead of writing them into .tf or .tfvars files. Mark the variables and outputs that carry them as sensitive so Terraform redacts them in plan and apply output. Note that sensitive does not encrypt anything: the values are still written in plaintext to the state file, so the state backend has to be protected as a secret itself.

Steps

  1. Read secrets at run time from a secret store, e.g. with the Vault provider's data sources (or another provider's data source / an external data source), rather than hard-coding them in the configuration.
  2. Pass any secret that must come from the operator through a TF_VAR_<name> environment variable, not through a committed .tfvars file.
  3. Declare the variables and outputs that carry secrets with sensitive = true so Terraform redacts them in plan and apply output.

Example

variable "db_password" {
  type        = string
  sensitive   = true   # redacted in plan/apply output; still stored in plaintext in state
  description = "Database password, supplied via TF_VAR_db_password"
}

output "password" {
  value     = var.db_password
  sensitive = true     # required: an output derived from a sensitive value must itself be sensitive
}
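The three steps as one configuration, as an added example rather than the page's own code: Vault supplies the application password (step 1), an optional TF_VAR_ override can replace it (step 2), the S3 backend encrypts state at rest, and the variable and output are marked sensitive (step 3). The bucket name, KMS alias, Vault mount and path, region and database identifier are placeholders.

```hcl
# Added example (not from the original page). All names below are placeholders.

terraform {
  required_version = ">= 1.0"

  required_providers {
    vault = { source = "hashicorp/vault" }
    aws   = { source = "hashicorp/aws" }
  }

  # Tip: remote state with server-side encryption. State still holds the
  # secret in plaintext, so encryption at rest and tight bucket IAM matter.
  backend "s3" {
    bucket     = "example-tfstate-bucket"   # placeholder
    key        = "db/terraform.tfstate"
    region     = "us-east-1"
    encrypt    = true
    kms_key_id = "alias/terraform-state"    # placeholder KMS alias
  }
}

# Step 1: read the secret from Vault instead of hard-coding it.
# Authenticate the provider via VAULT_ADDR / VAULT_TOKEN in the environment,
# never via values committed to this file.
provider "vault" {}

provider "aws" {
  region = "us-east-1"
}

data "vault_kv_secret_v2" "db" {
  mount = "secret"    # KV v2 mount (placeholder)
  name  = "prod/db"   # path under the mount (placeholder)
}

# Step 2: an operator-supplied override that must come from outside the code.
# Supply it with:   export TF_VAR_db_password='...'
# Leaving it unset (null) means the Vault value is used.
variable "db_password" {
  type        = string
  sensitive   = true
  default     = null
  description = "Optional override for the Vault-managed DB password (TF_VAR_db_password)."
}

locals {
  # coalesce() returns the first non-null argument; both inputs are sensitive,
  # so the result is sensitive and shows as (sensitive value) in plan output.
  db_password = coalesce(var.db_password, data.vault_kv_secret_v2.db.data["password"])
}

resource "aws_db_instance" "db" {
  identifier          = "example-db"     # placeholder
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = local.db_password
  skip_final_snapshot = true
}

# Step 3: anything derived from a sensitive value must be marked sensitive,
# otherwise terraform apply refuses to export it as an output.
output "db_endpoint" {
  value = aws_db_instance.db.endpoint   # not secret, safe to show
}

output "db_password" {
  value     = local.db_password
  sensitive = true
}
```

Check what sensitive actually buys you: `terraform plan` prints (sensitive value) for the password, but `terraform output -raw db_password` prints it, and `terraform show -json` dumps the state, password included, in plaintext. Treat access to the state bucket and to plan files as access to the secret.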

Tips

  • Never commit secrets to version control: keep .tfvars files that hold secrets out of the repository (e.g. via .gitignore) and run a secret scanner before commit.
  • Use a remote backend with encryption at rest and restrict who can read the state, because the state holds every secret in plaintext.
  • Rotate secrets regularly, and treat any value that has passed through a shared plan or state file as exposed.

Common issues

  • State files store every attribute, sensitive or not, in plaintext; any encryption comes from the backend (e.g. S3 server-side encryption), not from Terraform itself.
  • sensitive only redacts values in CLI output; they remain in state and plan files, terraform output -raw / -json prints them, and provider debug logging (TF_LOG=DEBUG) may include them in request bodies.
  • Vault integration adds operational complexity: Terraform needs its own Vault identity and policy, and the secret it reads from Vault is still written to state.