Introduction
When configuring infrastructure, you often need to use sensitive data such as usernames, passwords, API tokens, or Personally Identifiable Information (PII). It's important to prevent this information from being exposed in CLI output, logs, or source control. Terraform offers several features to help protect sensitive data and reduce the risk of accidental exposure.
Requirements
- Latest Terraform installed locally
- An AWS Account
- An HCP Terraform account, with HCP Terraform authenticated locally.
- An HCP Terraform variable set configured with your AWS credentials.
- VS Code.
Create Infrastructure
- Clone the Learn Terraform sensitive variables GitHub repository for this tutorial by running the following command:
git clone https://github.com/hashicorp-education/learn-terraform-sensitive-variables
- Change to the repository directory.
cd learn-terraform-sensitive-variables
The configuration in main.tf sets up a web application by provisioning a VPC, a load balancer, a set of EC2 instances and a database.
- Open your terraform.tf file and uncomment the cloud block. Then, replace the placeholder organization name with your own HCP Terraform organization name.
- Run the following command to initialize your configuration. Terraform will automatically create the learn-terraform-sensitive-variables workspace in your HCP Terraform organization.
terraform init
- Apply the configuration. Respond to the confirmation prompt with yes.
terraform apply
- Your HCP Terraform workspace now displays the list of all of the resources it manages.
Refactor database credentials
Open main.tf in your text editor and scroll to the bottom of the file to locate the aws_db_instance.database block. Currently, the database username and password are hard-coded, which is not a best practice. Refactor this configuration by removing the hard-coded credentials.
To start, declare input variables for the database administrator username and password in variables.tf.
variable "db_username" {
  description = "Database administrator username"
  type        = string
  sensitive   = true
}

variable "db_password" {
  description = "Database administrator password"
  type        = string
  sensitive   = true
}
- Notice that you've declared the variables as sensitive. Now update main.tf to reference these variables.
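The refactored aws_db_instance.database block, shown as an added example rather than the repository's own main.tf; every attribute other than username and password is an assumption about the rest of the resource, and the commented-out lines show the hard-coded form being replaced.

```hcl
# Added example, not the tutorial repository's own code.

# Before: credentials hard-coded in the resource block, so they end up
# in source control and in the plan output of every run.
#
#   username = "admin"
#   password = "insecurepassword"

# After: the resource reads the credentials from the sensitive input
# variables declared in variables.tf, so main.tf no longer contains them.
resource "aws_db_instance" "database" {
  allocated_storage = 5             # assumption: not taken from the page
  engine            = "mysql"       # assumption: the page only says "database"
  instance_class    = "db.t3.micro" # assumption

  # Terraform tracks the sensitive marking through these references, so
  # both attributes are redacted in plan and apply output.
  username = var.db_username
  password = var.db_password

  skip_final_snapshot = true        # assumption: typical for a tutorial stack
}
```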
If you run terraform apply now, Terraform will prompt you to provide values for the newly added variables, since they don’t have default values. However, manually entering these values can be time-consuming and error-prone—especially for sensitive data like credentials.
Next, you’ll explore two different methods for setting these sensitive variable values and understand the security implications of each approach.
Set values with a .tfvars file
Terraform allows you to set variable values using variable definition files (.tfvars). You can use multiple .tfvars files in a configuration, and it's common practice to use a separate file specifically for sensitive or secret values to better manage and isolate them.
- Create a new file called secret.tfvars to assign values to the new variables.
# secret.tfvars holds only secret values; keep it out of version control
# (for example by listing *.tfvars or secret.tfvars in .gitignore).
db_username = "admin"
db_password = "insecurepassword"
- Apply these changes using the -var-file parameter. Respond to the confirmation prompt with yes.
terraform apply -var-file="secret.tfvars"
Set values with variables
Next, set the database administrator username and password as Terraform variables in your HCP Terraform workspace instead of in a local file.
HCP Terraform offers secure variable management by encrypting all variable values and allowing you to mark them as sensitive during creation.
Marking a variable as sensitive makes it write-only—its value cannot be viewed in the HCP Terraform UI or retrieved via the Variables API. Users with appropriate permissions can update the value, but to change any other attribute (like the variable key or sensitivity setting), the variable must be deleted and recreated.
To proceed, navigate to the Variables page of your learn-terraform-sensitive-variables workspace in HCP Terraform.
Create the input variables shown below, and be sure to mark each one as Sensitive by checking the corresponding box.
| Key | Value |
|---|---|
| db_username | admin |
| db_password | adifferentpassword |
- Now, run terraform apply, and Terraform will assign these values to your new variables.
Reference sensitive variables
Sensitive variables in Terraform behave like any other variables in your configuration. However, Terraform automatically redacts their values from command-line output and logs, and it will raise an error if it detects that a sensitive value may be exposed.
Now, add the following output value to outputs.tf.
output "db_connect_string" {
  description = "MySQL database connection string"
  value       = "Server=${aws_db_instance.database.address}; Database=ExampleDB; Uid=${var.db_username}; Pwd=${var.db_password}"
}
- Now apply this change. Terraform will raise an error, since the output is derived from sensitive variables.
- Flag the database connection string output as sensitive, causing Terraform to hide it.
- Apply this change to see that Terraform will now redact the database connection string output. Respond to the confirmation prompt with yes to apply these changes.
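The output block flagged as sensitive, as an added example that is not part of the original tutorial; the second output (db_address) is an addition that shows how to expose the endpoint without the credentials, and the comments state what the sensitive flag does and does not protect.

```hcl
# Added example, not from the original tutorial.

# Marking the output sensitive makes Terraform redact it in plan and
# apply output and in `terraform output`. It is redaction, not encryption:
# the value is still stored in plain text in the workspace state and is
# still printed by `terraform output -raw db_connect_string` or
# `terraform output -json`, so state access must be restricted as well.
output "db_connect_string" {
  description = "MySQL database connection string"
  value       = "Server=${aws_db_instance.database.address}; Database=ExampleDB; Uid=${var.db_username}; Pwd=${var.db_password}"
  sensitive   = true
}

# Expose only the non-secret part of the connection details as a
# separate output, so operators can read the endpoint from the CLI or
# the HCP Terraform UI without the credentials reaching the console or logs.
output "db_address" {
  description = "Database endpoint hostname (no credentials)"
  value       = aws_db_instance.database.address
}
```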
Thanks for staying till the end