tags : Infrastructure, Security
Ways to handle secrets
Parameter way using TFstate + SOPS
- We don’t NEED to use AWS secrets manager to use SOPS, only KMS helps.
- We then use the locally encrpyted secret to create secret manager resource, which is nice but then we again store the secret itself in plain text in the tfstate file! which again need to be encrypted.
- So SOPS is independent of whether we use it to create AWS secrets manager secrets or AWS SSM Parameter store Secrert String, eitherway secret is getting stored in plaintext in tfstate file
- We need to treat terraform statefile as secret itself
- Access control
- enctrypted
Links
- Using AWS Secrets Manager with SOPS · GitHub
- Manage Kubernetes secrets with Mozilla SOPS | Harness Developer Hub
- Usage · SOPS
- GitHub - carlpett/terraform-provider-sops: A Terraform provider for reading Mozilla sops files
- State: Sensitive Data | Terraform | HashiCorp Developer
Other use of SOPS
- In some cases you can use SOPS to store secrets but use AWS KMS
- Then use it for other things.
- But then using those secrets to set things in terraform defeats the purpose yet again because you’ll be storing secrets back in plaintext in tfstate files
- You’ll have your tfstate file encrypted by the s3 backend, yes but still
TFstate (try not to store secrets)
- Manually create secrets
- Makefile helper to create secrets
- This is hybrid and this is more ideal for us but needs some decipline around naming convention