Protecting secrets in a Git repository
Terraform doesn't provide any built-in way of securing your state
file. Neither is there a way to secure only some part of it or even provide encrypted data inside your templates. And it's a shame because sooner or later you will have to use some kind of secrets with your templates: passwords, API keys, and others. If you plan to store your state
file in the git
repository, it's important to protect it. The easiest solution is to encrypt the whole state
file, store the encrypted version in the repository, and distribute the key for decryption with your team members.
You could make this task easier with the help of a tool named terrahelp
. Terrahelp is a small CLI written in Go that simplifies the encryption and decryption of your Terraform state files (and not only the state
files). It has a nice integration with Vault, yet another HashiCorp tool, this time in order to manage secrets. Don't worry, we won't use Vault, it's rather a complex tool that deserves...