Managing secrets has become critical to achieving security and compliance in the ever-evolving landscape of DevOps and cloud infrastructure. As you scale your applications and infrastructure, it is paramount to ensure the security of your API keys, database credentials, certificates, etc. However, integrating secrets management seamlessly into your Terraform infrastructure-as-code (IaC) workflows can be challenging.
A “golden path” refers to a set of best practices and standardized workflows that promote consistency, security, and reusability in infrastructure configuration. Adhering to these golden paths not only minimizes errors and boosts security but also makes it easier for new team members to join a project.
In the context of secrets management, golden paths ensure that sensitive data is handled uniformly across all environments. This is crucial for ensuring continuous compliance and cutting the risk of a security breach.
Enter Akeyless, a leading platform offering robust secrets management solutions that integrate seamlessly with tools like Terraform to enhance your IaC practices. In this guide, we’ll explore how to follow the golden paths using Terraform and Akeyless and safeguard secrets declared or used in your infrastructure code from the ground up.
Setting the stage: Integrate your Terraform environment with Akeyless
To set up the Akeyless Terraform provider, there are two main prerequisites:
- An Akeyless Gateway
- An auth method with permission to manage secrets in Akeyless
For example, using an API key auth method to set up your Terraform provider would look like this:
provider "akeyless" {
api_key_login {
access_id = var.akeyless_access_id
access_key = var.akeyless_access_key
}
api_gateway_address = var.akeyless_gateway_api_address
}This adds a deployed Gateway address to your new or existing Terraform code.
Now that you’re ready to explore the full extent of Akeyless features enhanced by the Gateway, let’s discuss how to use them for the best results.
Golden Path #1 – Safely storing secrets with Terraform
Declaring a typical secret in Terraform can be a bit counterintuitive. On the one hand, you’re describing a secret, something that should stay hidden from prying eyes. On the other hand, you have to disclose it to Terraform somehow.
A very bad example of handling secrets
In the worst-case scenario, secrets can end up hard-coded in the module, like this:
resource "aws_secretsmanager_secret" "example" {
name = "example"
}
resource "aws_secretsmanager_secret_version" "example" {
secret_id = aws_secretsmanager_secret.example.id
secret_string = jsonencode(“secret” = "This should remain secret... Does it?")
}Besides the AWS Secrets Manager, the value intended to be kept private is visible to every repository reader and to Terraform—without any protective measures, for as long as it exists in the state. This can result in terrible consequences.
A seemingly better way to handle secrets… but still insecure
Now, consider the following example:
resource "kubernetes_secret" "example" {
metadata {
name = "topsecret"
namespace = "default"
}
data = {
“topsecret” = var.top_secret_value
}
}In this case, there’s no disclosure in the code per se. In the case of secrets, both the input and output should be marked as sensitive and therefore hidden in the CLI output, providing basic protection. However, this approach still isn’t optimal, as using a Kubernetes secret creates secret sprawl.
Kubernetes secrets also aren’t considered a secure method to store sensitive information. This is due to K8s’ lack of adequate logging and auditing measures, but also because they’re encrypted at rest, but not in transit.
Finally, a better way to store your secrets
In this third example, we’ll try to solve this problem for good, using Akeyless:
variable "my_secret_value" {
sensitive = true
ephemeral = true
}
resource "akeyless_static_secret" "secret" {
path = "terraform/secret"
value = var.my_secret_value
}This way lets you use any safe and convenient method to provide the contents of the secret while Akeyless takes care of the rest—providing resilient encryption, as well as auditing and logging capabilities.
In addition, Akeyless supports popular identity management solutions, such as AWS IAM and Azure AD, and typical authentication methods like API keys or certificates; this allows you to precisely control access to your newly provisioned secret from the Akeyless portal.
Following this golden path, your Terraform secrets can be stored safely. But what about retrieving them once they’re needed?
Golden Path #2 – Safely retrieving secrets in Terraform code
Retrieving secrets safely can be as complex as provisioning them safely. In an ideal scenario, you want to limit the number of involved intermediaries to a minimum and avoid storing them anywhere besides the safest and most reliable manager.
The Akeyless Terraform provider makes this simple. Using an appropriate data source, it lets you retrieve the contents of the secret when you need to provide it as an argument, without disclosing them in code or losing visibility of their usage.
And just like that!
Here’s how you can retrieve a simple API key:
data "akeyless_static_secret" "dev_api" {
path = "terraform/dev_api"
}
resource "example_imaginary_api" {
api_key = data.akeyless_static_secret.dev_api.value
}Similarly, you can also reference dynamic secrets, which are generated every time they are accessed. Instead of juggling long-living credentials for cloud platforms such as AWS, you can safely store them in Akeyless.
Every run, a fresh set of credentials with a limited lifespan
And every time your CI/CD pipeline runs Terraform operations, a separate set of temporary credentials can be requested through the Akeyless Gateway to authenticate with your desired provider platform:
provider "akeyless" {
}
data "akeyless_dynamic_secret" "aws_credentials" {
path = "terraform/aws_credentials"
}
provider "aws" {
region = "us-west-2"
access_key = jsondecode(data.akeyless_dynamic_secret.aws_credentials).access_key
secret_key = jsondecode(data.akeyless_dynamic_secret.aws_credentials).secret_key
}Benefits of Akeyless for your Terraform secrets
Both declaring and retrieving Akeyless-driven secrets in your configuration is quick and simple. Using Akeyless to solve the challenges involved in managing secrets within your Terraform workflows brings numerous benefits:
- Enhanced security: Credentials are no longer hard-coded in configuration files, making accidental exposure much less likely.
- Centralized, simplified management: You can easily update or rotate secrets, manually or automatically, directly in the Akeyless portal — without modifying deployed configuration files.
- Effortless scalability: Akeyless is highly scalable, and maintains high cost-efficiency regardless of how big your needs grow.
- Better observability and granular control: You’ll gain insights into how and when secrets are accessed, as well as methods to precisely control who can access them.
- Easier auditing and compliance management: You can audit all access to sensitive data, effortlessly facilitating adherence to regulatory requirements.
Conclusion
Although Terraform is an extremely popular IaC tool, it is far from perfect, especially in terms of handling secrets as code. Unfortunately, the built-in methods of managing sensitive data within Terraform configurations aren’t enough to provide the level of security required by the modern digital landscape.
In addition, native solutions from cloud service providers, most often deployed through Terraform, are susceptible to misconfiguration, exposing secrets in code before they even reach their safekeeping destination.
You need a better, more in-depth approach to maintain the integrity of your Terraform secrets, as well as proper guidance to stay aligned with best practices. Akeyless fulfills both these objectives, providing golden paths to properly manage secrets within your Terraform configuration and delivering more robust security.
Ready to enhance secrets management in your Terraform workflows and streamline your security practices? Explore Akeyless. Sign up for a demo today.
