patryk_ostrowski

Reputation: 237

Terraform: Adding sensitive data to Azure KeyVault

I am adding some sensitive data (for example the password to an existing SQL server) to my Azure Key Vault using Terraform. The problem is that this data is passed to Terraform in variables. I am using sensitive=true but it is still readable in the Terraform file. The code will be stored in a private Azure DevOps repo but some other people will be able to see it. What is the best practice to keep it secure?

Upvotes: 0

Views: 1295

Answers (1)

RamaraoAdapa

Reputation: 3147

I have tested this in my environment.

By default, values like key vault secrets are considered sensitive by Terraform.

While running the terraform plan command, you can see the key vault secret value shown as (sensitive).

But the problem is that this data can be seen in the variables.tf file. Whoever has access to the variables.tf file can see this sensitive data.

One way to fix this is to declare the variable in variables.tf without any default value.

Then, while running the terraform plan command, it will prompt you to enter the key vault secret value and you can provide it.

However, entering values manually is time consuming and error prone.

Another way could be to store these values in a .tfvars file.

But you need to limit access to the .tfvars file.

Reference: Protect Sensitive Input Variables | Terraform - HashiCorp Learn

Upvotes: 1
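The layout described in the answer above, as an added example that is not code from the question or the answer: the variable is declared with `sensitive = true` and no default, so its value never lives in a `.tf` file committed to the repo, and the Key Vault secret resource reads it from `var.*`. The vault name, resource group name, variable name and secret name are assumptions for illustration.

```hcl
# Added example, not from the original post. Names below are assumed.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# No default value: Terraform prompts for it at plan/apply time unless it is
# supplied with -var, a -var-file, or the TF_VAR_sql_admin_password
# environment variable. sensitive = true keeps it out of plan output.
variable "sql_admin_password" {
  description = "Admin password for the existing SQL server (assumed name)"
  type        = string
  sensitive   = true
}

# Existing Key Vault, looked up by name (vault and resource group are assumed).
data "azurerm_key_vault" "kv" {
  name                = "example-kv"
  resource_group_name = "example-rg"
}

# The secret value comes only from the variable, so nothing secret is written
# into this file or into variables.tf.
resource "azurerm_key_vault_secret" "sql_admin_password" {
  name         = "sql-admin-password"
  value        = var.sql_admin_password
  key_vault_id = data.azurerm_key_vault.kv.id
}
```

To avoid the interactive prompt without committing the value, either put `sql_admin_password = "..."` in a file such as `secrets.auto.tfvars` that is listed in `.gitignore` and readable only by the people who run Terraform, or have the Azure DevOps pipeline export `TF_VAR_sql_admin_password` from a secret pipeline variable or a Key Vault-linked variable group before calling `terraform plan`. Two caveats worth knowing: `sensitive = true` only redacts the value in plan and apply output, it is still stored in plaintext in the Terraform state, so the state should live in a remote backend with tightly restricted access rather than in the repo; and any `output` that references this value must itself be marked `sensitive = true` or Terraform will refuse to plan.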
