How can I manage secrets in .tf and .tfstate?



I would like to use the Terraform MySQL Provider to keep a list of mysql users and grants handy for creating new test environments. The .tf and .tfstate files both seem to want to store the MySQL passwords in plaintext.

Concerning .tf:

It is my understanding that .tf files live in revision control and are maintained by a team. How does that practice differ when secrets are in the .tf? It is possible to encrypt these values at all?

Concerning .tfstate:

I can store the .tfstate securely somewhere after running Terraform apply, but it would be preferable for this use case to not store it at all?

Anthony Neace

Posted 2017-02-28T18:14:01.187

Reputation: 1 274



Terraform supports adding an additional file with variables during invocation.


We are using that feature to provide a secrets.tfvars file on each invocation of Terraform. We also use a script to wrap the command so that its invocation is consistent, and all team members avoid having to make the same mistakes. The wrapper synchronizes .tfstate with S3 before an execution, and pushes .tfstate back to S3 at the end. I also hear of people doing the same thing with state stored in Consul, even adding a kind of semaphore in consul to prevent two people from starting Terraform at the same time.

When you avoid setting a default value in a file, it forces the user to input the value. It can be either entered manually or using the -var-file command option like described above. Not setting a default on your secrets is a good way to enforce changes that require a change in secrets.

The secrets.tfvars file is a symbolic link to one of the files with secrets which are not stored in version control. We have several, one per environment, like so secrets-prod.tfvars, secrets-dev.tfvars, secrets-stg.tfvars, etc...

An even better practice would be to generate these secrets files during the wrapper script based on data in Vault or some other way to share secrets. Since currently when the format of secrets changes, or secrets themselves, we need to communicate it to the team outside the version control channel - and this doesn't always work well, to be honest. But secrets do change infrequently.


Posted 2017-02-28T18:14:01.187

Reputation: 7 247


Link to code -

Evgeny 2017-04-03T09:31:04.530


We avoid terraform handle our secrets. Even if you manage to inject secrets by a var file "secrtes.tfvars" as pointed out above, these secrets will be stored in your terraform (remote-)state.

You can protect remote-state files by using e.g. S3 authorization, or you can gitignore local state files but we decided not to rely on this kind of protection.


Posted 2017-02-28T18:14:01.187

Reputation: 141


Also check which is where they track the issue of tfstate leaking secrets

jottr 2017-10-02T19:34:13.230


If you're on AWS, then have a look at "The Right Way to Manage Secrets" by on the AWS Blog. We advocate using chamber to all of our customers for managing secrets. It works by leveraging the AWS Systems Manager Parameter Store (SSM) together with KMS keys. This ensures secrets are encrypted at rest (and in transit), secured with IAM, auditable with CloudTrails, and only exposed as environment variables at run-time.

After configuring chamber and setting up the KMS key, we write the secrets to the parameter store.

chamber write db TF_VAR_DB_USER foobar
chamber write db TF_VAR_DB_PASS secret

Then use those secrets when you call terraform.

chamber exec db -- terraform plan

This assumes you've defined a variable called DB_USER and DB_PASS in your HCL code.

For example, you could add this to

variable "DB_USER" { }
variable "DB_PASS" { }

NOTE: chamber will always export environment variables in uppercase

We provide a terraform module called terraform-aws-kms-key to make provisioning the KMS key easy. Check out our detailed documentation with examples of how to use chamber with multiple namespaces as well as how to use chamber with terraform to manage secrets. See our complete reference example for provisioning chamber dependencies.

As for .tfstate, you bring up a really good point about the existence of plain-text secrets in the state file. There's really no way around this. In order for terraform to calculate changes to build a plan, it needs to know the "before" and "after" state. For this reason, we recommend using an encrypted S3 bucket with mandatory versioning. Use the terraform-aws-tfstate-backend module to provision a bucket and DynamoDB locking table according to best practices.

Erik Osterman

Posted 2017-02-28T18:14:01.187

Reputation: 246

This is highly tied to AWS services, which the question doesn't mention and sounds not really an answer for on premise infrastructures or any other cloud.Tensibai 2018-07-27T08:21:27.143

@tensibai, you are correct. The original question does not provide enough information to ascertain the operating platform in order to make the best recommendation. Every platform will be different depending on platform capabilities. On prem or baremetal users may want to consider using a combination of Vault and Terraform Enterprise. The scope of implementing that will be much, much greater. :)Erik Osterman 2018-07-27T20:42:25.440

I already use AWS Secrets Manager and dont want to use chamber and Parameter Store. Is it possible to do this same thing with Secrets Manager too?red888 2019-01-21T16:19:06.620


To import secrets into .tf files, you can also use an external data source. This could be e.g. a script which decrypts your secrets.


Posted 2017-02-28T18:14:01.187

Reputation: 131


I looked at a few different ways but I particularly liked git-crypt for an adhoc thing to do before implementing something bigger like Vault.


Posted 2017-02-28T18:14:01.187

Reputation: 587

2to thoe who downvoted, please explain why.jottr 2017-10-02T19:43:11.343