Security best practices
When we worked through the Terraform and Ansible workflows, we discussed adding repository secrets to our GitHub repository. All sensitive information should be stored in those secrets, unless you are using an external secrets store such as Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault.
The advantage of this is that the secrets will remain hidden, but the code will also be able to consume them. Great, you may think to yourself.
But anyone who has been granted write access to the repo will also be able to consume them (though not view their contents). Be careful when granting access to your IaC CI/CD pipelines: through your workflows they have a high level of access to your cloud resources, so only grant access to trusted members of your team.
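As an added illustration (not a workflow from the book), the job below shows how a Terraform workflow consumes repository secrets, and two settings that limit what a run can reach: a read-only token and an environment whose secrets and protection rules apply only to jobs that target it. The secret names (`ARM_*`), the environment name and the branch are assumptions.

```yaml
# Added example: Terraform apply job reading credentials from secrets.
# ARM_* are the variables the azurerm provider reads; the secret names
# and the "production" environment are assumed for this illustration.
name: terraform-apply

on:
  push:
    branches: [main]

permissions:
  contents: read   # the job only needs to read the repo; no write token

jobs:
  apply:
    runs-on: ubuntu-latest
    # Referencing an environment means the job can only read secrets
    # defined on that environment, and any protection rules configured
    # on it in the repository settings (required reviewers, branch
    # restrictions) must pass before the job, and so the secrets, run.
    environment: production
    env:
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform apply -auto-approve
```

Secrets defined at the repository level are readable by any workflow a write-access user can push; moving them to an environment with required reviewers means a review gate sits in front of every run that uses them.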