zhongwei/gh-poindexter12-waypoint-technologies
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
18faa0569e17e86839d4e976bf5b3333a9a2a169
gh-poindexter12-waypoint-te…/skills/terraform/references/security.md
Zhongwei Li 18faa0569e Initial commit
2025-11-30 08:47:38 +08:00

1.6 KiB
Raw Blame History

Security

Secrets Management

Environment Variables (Recommended)

export TF_VAR_proxmox_password="secret"
export TF_VAR_api_token="xxxxx"
terraform apply

Sensitive Variables

variable "database_password" {
  type      = string
  sensitive = true  # Hidden in logs/plan
}

External Secrets Managers

HashiCorp Vault:

data "vault_generic_secret" "db" {
  path = "secret/database"
}

resource "some_resource" "x" {
  password = data.vault_generic_secret.db.data["password"]
}

1Password CLI:

export TF_VAR_password="$(op read 'op://vault/item/password')"
terraform apply

State Security

CRITICAL: State contains secrets in plaintext.

Encrypt at Rest

backend "s3" {
  encrypt    = true
  kms_key_id = "arn:aws:kms:..."  # Optional KMS
}

Restrict Access

  • IAM/RBAC on backend storage
  • Enable state locking
  • Never commit state to git

Provider Credentials

provider "proxmox" {
  pm_api_token_id     = "terraform@pve!mytoken"
  pm_api_token_secret = var.pm_api_token_secret  # From env
}

Create minimal-permission API user:

pveum user add terraform@pve
pveum aclmod / -user terraform@pve -role PVEVMAdmin
pveum user token add terraform@pve terraform-token

Sensitive Outputs

output "db_password" {
  value     = random_password.db.result
  sensitive = true
}

Checklist

  • Sensitive vars marked sensitive = true
  • Secrets via env vars or secrets manager
  • State backend encryption enabled
  • State locking enabled
  • No credentials in .tf files
  • Provider credentials minimal permissions
Reference in New Issue View Git Blame Copy Permalink