
Terraform: Managing Secrets

One of the most common questions we get about using Terraform to manage infrastructure as code (IaC) is how to handle secrets such as passwords, API keys, and other sensitive data.

For example, here’s a snippet of Terraform code that can be used to deploy MySQL using Amazon RDS:

resource "aws_db_instance" "example" {
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "example"

  # How should you manage the credentials for the master user?
  username             = "???"
  password             = "???"
}

Technique: Environment Variables

Declare the username and password as input variables and supply their values at run time through the TF_VAR_username and TF_VAR_password environment variables, which Terraform reads automatically. The secrets then never appear in the .tf files themselves, only in the environment of the shell that runs Terraform.

variable "username" {
  type      = string
  sensitive = true
}

variable "password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "example" {
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "example"

  # Set the secrets from variables (values come from TF_VAR_username / TF_VAR_password)
  username             = var.username
  password             = var.password
}
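Two pre-flight checks that pair with this technique, written here as an added example rather than code from the original page: one refuses to proceed while any .tf file still assigns username or password a string literal (as in the "???" snippet above), the other confirms the TF_VAR_ variables are actually set before Terraform runs, without ever printing their values. The function names and the sample .tf files are constructed for illustration.

```shell
# Added example (not from the original page). Function names and sample
# files are constructed for illustration.

# Fail (return 1) if any given .tf file assigns `username` or `password` a string
# literal instead of a var.* reference.
check_no_literal_credentials() {
  pattern='^[[:space:]]*(username|password)[[:space:]]*=[[:space:]]*"'
  if grep -En "$pattern" "$@" >/dev/null 2>&1; then
    echo "hard-coded credential literal(s) found:" >&2
    grep -En "$pattern" "$@" >&2
    return 1
  fi
  return 0
}

# Return 0 only if every TF_VAR_<name> is set and non-empty; report missing names
# on stderr without ever printing the secret values themselves.
require_tf_vars() {
  missing=0
  for name in "$@"; do
    eval "val=\${TF_VAR_$name:-}"   # indirect lookup of TF_VAR_$name
    if [ -z "$val" ]; then
      echo "missing environment variable TF_VAR_$name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample files: one with literals, one that reads variables.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/bad.tf" <<'EOF'
resource "aws_db_instance" "example" {
  username = "admin"
  password = "???"
}
EOF
  cat > "$dir/good.tf" <<'EOF'
resource "aws_db_instance" "example" {
  username = var.username
  password = var.password
}
EOF
  echo "$dir"
}
# Typical use (not run here):
#   export TF_VAR_username=...; export TF_VAR_password=...
#   check_no_literal_credentials ./*.tf && require_tf_vars username password && terraform apply
```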
