# Security

## Secrets Management

### Environment Variables (Recommended)

Terraform reads any `TF_VAR_<name>` environment variable as the value of variable `<name>`, so the secret never has to be written to a `.tf` or `.tfvars` file:

```bash
export TF_VAR_proxmox_password="secret"
export TF_VAR_api_token="xxxxx"
terraform apply
```

### Sensitive Variables

```hcl
variable "database_password" {
  type      = string
  sensitive = true # Redacted in plan/apply output and logs
}
```
### External Secrets Managers

HashiCorp Vault:

```hcl
data "vault_generic_secret" "db" {
  path = "secret/database"
}

resource "some_resource" "x" {
  password = data.vault_generic_secret.db.data["password"]
}
```

1Password CLI:

```bash
export TF_VAR_password="$(op read 'op://vault/item/password')"
terraform apply
```
## State Security

CRITICAL: State contains secrets in plaintext. Marking a variable or output `sensitive` only redacts it in CLI output; the value is still stored verbatim in the state file.

### Encrypt at Rest

The `backend` block must sit inside a `terraform` block; bucket and key below are placeholders:

```hcl
terraform {
  backend "s3" {
    bucket     = "my-terraform-state"      # placeholder; region is taken from AWS_REGION
    key        = "prod/terraform.tfstate"  # placeholder
    encrypt    = true                      # server-side encryption of the state object
    kms_key_id = "arn:aws:kms:..."         # Optional: customer-managed KMS key
  }
}
```

### Restrict Access

- IAM/RBAC on backend storage
- Enable state locking
- Never commit state to git
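To make the "plaintext in state" point concrete, here is an added example (not part of the original page) that reads a Terraform state file and lists every value the state itself flags as sensitive. The state document is constructed inline in the shape Terraform writes (format version 4) with made-up values; the same function can be fed the output of `terraform state pull` to see what anyone with read access to the backend can see.

```python
import json
from typing import Dict, List

# Constructed sample state (format version 4). Values are made up; note that
# the "sensitive" flags do nothing to hide them inside the file.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "outputs": {
        "db_password": {"value": "hunter2-example", "type": "string", "sensitive": True},
        "vm_ip": {"value": "10.0.0.5", "type": "string"},
    },
    "resources": [
        {
            "mode": "managed",
            "type": "random_password",
            "name": "db",
            "instances": [
                {
                    "attributes": {"result": "hunter2-example", "length": 16},
                    # Terraform records schema-sensitive attributes as paths of steps.
                    "sensitive_attributes": [[{"type": "get_attr", "value": "result"}]],
                }
            ],
        }
    ],
})


def find_plaintext_secrets(state_json: str) -> List[Dict[str, str]]:
    """Return every value the state marks sensitive, with its address.

    Terraform redacts these only in CLI output. In the stored state they are
    plaintext, which is why the backend must be encrypted and access-restricted.
    """
    state = json.loads(state_json)
    findings: List[Dict[str, str]] = []

    # Outputs carry a top-level "sensitive" flag.
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive"):
            findings.append({"address": f"output.{name}", "value": str(out["value"])})

    # Resource instances list sensitive attribute paths separately from values.
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            for path in inst.get("sensitive_attributes", []):
                for step in path:
                    # Handle the common case of a top-level attribute step.
                    if step.get("type") == "get_attr" and step["value"] in attrs:
                        address = f"{res['type']}.{res['name']}.{step['value']}"
                        findings.append({"address": address, "value": str(attrs[step["value"]])})
    return findings


def addresses_only(state_json: str) -> List[str]:
    """Same scan, but safe to print: addresses without the secret values."""
    return [f["address"] for f in find_plaintext_secrets(state_json)]


if __name__ == "__main__":
    # Print only addresses so running the script does not itself leak secrets.
    for address in addresses_only(SAMPLE_STATE):
        print(f"plaintext sensitive value in state: {address}")
```

Run it against a real state with `terraform state pull | python3 scan_state.py`-style piping by replacing `SAMPLE_STATE` with `sys.stdin.read()`; `addresses_only` is the function to use for anything that ends up in a log.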
## Provider Credentials

The token ID has the form `user@realm!tokenname`; only the token secret is sensitive and it comes from the environment, not the file:

```hcl
provider "proxmox" {
  pm_api_url          = "https://pve.example.internal:8006/api2/json" # placeholder URL
  pm_api_token_id     = "terraform@pve!terraform-token"               # must match the token created below
  pm_api_token_secret = var.pm_api_token_secret                       # From TF_VAR_pm_api_token_secret
}
```

Create a minimal-permission API user:

```bash
pveum user add terraform@pve
pveum aclmod / -user terraform@pve -role PVEVMAdmin
pveum user token add terraform@pve terraform-token
# Tokens are privilege-separated by default, so the token needs its own ACL entry
pveum aclmod / -token 'terraform@pve!terraform-token' -role PVEVMAdmin
```
## Sensitive Outputs

```hcl
output "db_password" {
  value     = random_password.db.result
  sensitive = true
}
```
## Checklist

- Sensitive vars marked `sensitive = true`
- Secrets via env vars or secrets manager
- State backend encryption enabled
- State locking enabled
- No credentials in .tf files
- Provider credentials minimal permissions
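The checklist items that concern the `.tf` files themselves can be checked mechanically before every commit. The following is an added example, not part of the original page or any Terraform tooling: a small Python linter that splits top-level HCL blocks by brace counting (a deliberately simple parser, not a full HCL implementation) and reports secret-like variables and outputs missing `sensitive = true`, quoted credential literals in `provider`/`resource`/`data` blocks, and an S3 backend without `encrypt = true` or a locking setting. The sample `.tf` text is constructed inline and contains both compliant and non-compliant blocks; the secret-name pattern and the `_id` exclusion (token IDs are identifiers, not secrets) are assumptions you can tune.

```python
import re
from dataclasses import dataclass
from typing import List

# Names that usually hold a secret (assumption; extend to taste).
SECRET_NAME = re.compile(r"(password|secret|token|api_key|private_key)", re.I)
# An attribute assigned a quoted literal, e.g.  password = "hunter2"
LITERAL_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"', re.M)
# A block header such as  variable "name" {  /  terraform {  /  backend "s3" {
BLOCK_HEADER = re.compile(r'^\s*(\w+)((?:\s+"[^"]*")*)\s*\{', re.M)


@dataclass
class Block:
    kind: str          # variable, output, provider, resource, data, terraform, backend
    labels: List[str]  # quoted labels after the kind
    body: str          # text between the braces


def split_blocks(text: str) -> List[Block]:
    """Split text into top-level blocks by counting braces (no string-aware parsing)."""
    blocks: List[Block] = []
    pos = 0
    while True:
        m = BLOCK_HEADER.search(text, pos)
        if not m:
            return blocks
        depth, i = 0, m.end() - 1  # index of the opening brace
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        blocks.append(Block(m.group(1), re.findall(r'"([^"]*)"', m.group(2)), text[m.end():i]))
        pos = i + 1


def lint(hcl: str) -> List[str]:
    """Return human-readable findings for the checklist items visible in .tf files."""
    findings: List[str] = []
    for b in split_blocks(hcl):
        name = b.labels[0] if b.labels else ""
        if b.kind in ("variable", "output") and SECRET_NAME.search(name):
            if not re.search(r"^\s*sensitive\s*=\s*true", b.body, re.M):
                findings.append(f"{b.kind} '{name}': secret-like name but no sensitive = true")
        if b.kind in ("provider", "resource", "data"):
            for m in LITERAL_ASSIGN.finditer(b.body):
                attr, value = m.group(1), m.group(2)
                # Identifiers such as pm_api_token_id are not secrets (assumption).
                if SECRET_NAME.search(attr) and value and not attr.endswith("_id"):
                    findings.append(f"{b.kind} {'.'.join(b.labels)}: hardcoded credential in '{attr}'")
        if b.kind == "terraform":
            for inner in split_blocks(b.body):
                if inner.kind == "backend" and inner.labels == ["s3"]:
                    if not re.search(r"^\s*encrypt\s*=\s*true", inner.body, re.M):
                        findings.append("backend s3: encrypt = true missing")
                    if not re.search(r"^\s*(dynamodb_table|use_lockfile)\s*=", inner.body, re.M):
                        findings.append("backend s3: state locking not configured")
    return findings


# Constructed sample: one compliant and one non-compliant case of each check.
SAMPLE_TF = '''
terraform {
  backend "s3" {
    bucket  = "example-state"
    key     = "prod/terraform.tfstate"
    encrypt = true
  }
}

variable "database_password" {
  type      = string
  sensitive = true
}

variable "api_token" {
  type = string
}

provider "proxmox" {
  pm_api_url          = "https://pve.example.internal:8006/api2/json"
  pm_api_token_id     = "terraform@pve!terraform-token"
  pm_api_token_secret = "00000000-0000-0000-0000-000000000000"
}

output "db_password" {
  value = random_password.db.result
}
'''

if __name__ == "__main__":
    for finding in lint(SAMPLE_TF):
        print(finding)
```

Wire it into a pre-commit hook by concatenating `*.tf` files into `lint`; a non-empty result should fail the commit. Because the block splitter ignores braces inside strings and heredocs, treat it as a fast first pass, not a substitute for a real HCL parser.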