
Terraform has transformed how teams deploy and manage infrastructure, but with great power comes great responsibility—especially when it comes to managing secrets. Whether you’re working with API keys, database credentials or cloud provider tokens, exposing secrets can open the door to major security risks.
Using tools like Vault or AWS Secrets Manager can help you manage secrets securely in Terraform projects. This blog explores how both tools work, how to use them, and how to integrate secret management into your infrastructure as code (IaC) practices.
Why secret management in Terraform matters
Secrets are everywhere in Terraform—AWS keys, database passwords, third-party tokens, and more. If left unprotected, these values can end up exposed in version control, logs or even Terraform state files.
Modern DevOps pipelines move fast, and without a clear approach to secret management, it’s easy to introduce critical vulnerabilities. Hardcoding secrets in code is not just bad practice—it’s a compliance and audit nightmare.
What are the risks of hardcoding secrets?
Hardcoding secrets directly into Terraform configuration files is one of the most common mistakes. Here’s why it’s dangerous:
- Git exposure: Once secrets are pushed to a Git repository, deleting them in a later commit doesn’t remove them from the history.
- Logged values: Terraform logs might capture these secrets, exposing them unintentionally.
- Shared environments: Multiple team members with access to code gain access to sensitive data.
- Compliance failure: Hardcoded secrets often violate SOC 2, HIPAA or GDPR requirements.
In short, hardcoding secrets is an open invitation for breaches and data leaks.
Using Vault with Terraform
Vault by HashiCorp is a highly secure secrets management system designed for dynamic infrastructure. It works seamlessly with Terraform through a provider integration, allowing you to fetch secrets securely at runtime.
To integrate Vault with Terraform, you’ll typically authenticate using AppRole or Vault Agent, then retrieve secrets using the vault_generic_secret data source.
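The AppRole login and vault_generic_secret read described above, as an added example that is not code from the original post. It assumes a Vault server reachable through VAULT_ADDR, an AppRole whose role_id and secret_id CI injects as TF_VAR_vault_role_id and TF_VAR_vault_secret_id, and a KV v2 engine mounted at secret/ holding app/db with the keys "username" and "password".

```hcl
# Added example, not from the original post. Assumes VAULT_ADDR is set, an
# AppRole exists, and a KV v2 engine at secret/ holds app/db (username, password).
variable "vault_role_id" {
  type      = string
  sensitive = true # redacted from plan output and CLI logs
}

variable "vault_secret_id" {
  type      = string
  sensitive = true
}

provider "vault" {
  # The address comes from VAULT_ADDR; the AppRole login yields a short-lived token,
  # so no long-lived Vault token is ever written into the configuration.
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = var.vault_role_id
      secret_id = var.vault_secret_id
    }
  }
}

# Fetch the secret at plan/apply time. For KV v2 the API path includes "data/",
# and the response nests the key/value pairs under a "data" object.
data "vault_generic_secret" "db" {
  path = "secret/data/app/db"
}

locals {
  db = jsondecode(data.vault_generic_secret.db.data_json)["data"]
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = local.db["username"]
  # Values read through a data source still land in Terraform state: encrypt
  # the state backend and restrict who can read it.
  password            = local.db["password"]
  skip_final_snapshot = true
}
```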
How does Vault protect secrets?
Vault provides a rich set of features tailored for secure IaC environments:
- Dynamic secrets: Generate secrets on-demand that auto-expire after a short TTL.
- Encryption: Secrets are encrypted at rest and in transit using strong encryption methods.
- Access control: Policies define exactly who can access what, with audit logs for traceability.
- Secret rotation: Vault supports automated rotation for many common secret types.
By decoupling secrets from code, Vault ensures sensitive values are never hardcoded or exposed.
Using AWS Secrets Manager with Terraform
AWS Secrets Manager is a fully managed service to store, retrieve and rotate secrets in AWS. It integrates naturally with Terraform using the aws_secretsmanager_secret and aws_secretsmanager_secret_version resources.
You can use IAM policies to define access to secrets, making it easy to secure usage across services and teams.
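The aws_secretsmanager_secret and aws_secretsmanager_secret_version resources with a scoped IAM read policy, as an added example that is not code from the original post. It assumes an already configured AWS provider plus the hashicorp/random provider; the secret name "prod/app/db" and the policy name "read-app-db-secret" are illustrative.

```hcl
# Added example, not from the original post. Assumes an AWS provider already
# configured; secret and policy names are illustrative. The password is
# generated by Terraform so no human ever sees or types it.
resource "random_password" "db" {
  length           = 32
  override_special = "!#$%&*()-_=+[]{}<>:?" # avoid chars some DB engines reject
}

resource "aws_kms_key" "secrets" {
  description         = "CMK for application secrets"
  enable_key_rotation = true
}

resource "aws_secretsmanager_secret" "db" {
  name                    = "prod/app/db"
  kms_key_id              = aws_kms_key.secrets.arn
  recovery_window_in_days = 7 # window to recover an accidental delete
}

resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({
    username = "app"
    password = random_password.db.result
  })
}

# Least privilege: one secret, one action, plus Decrypt on its CMK.
data "aws_iam_policy_document" "read_db_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db.arn]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn]
  }
}

resource "aws_iam_policy" "read_db_secret" {
  name   = "read-app-db-secret"
  policy = data.aws_iam_policy_document.read_db_secret.json
}

# Consumers read AWSCURRENT (the version rotation advances). secret_string is
# marked sensitive but still ends up in Terraform state.
data "aws_secretsmanager_secret_version" "db" {
  secret_id  = aws_secretsmanager_secret.db.id
  depends_on = [aws_secretsmanager_secret_version.db]
}
```

Attach the policy to the role of the workload that needs the secret rather than to a broad group, so only that consumer can call GetSecretValue on this one ARN.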
Why use AWS Secrets Manager?
Here’s why many teams prefer AWS Secrets Manager for Terraform:
- KMS encryption: Secrets are encrypted using AWS Key Management Service.
- IAM integration: Access is controlled through IAM roles and policies.
- Auto-rotation: Rotate secrets automatically using Lambda functions.
- Audit-ready: Integrated with CloudTrail for full logging and auditing.
As a managed service, it reduces operational overhead and fits perfectly within AWS-native stacks.
Can Terraform rotate secrets automatically?
Yes, but with caveats.
- Vault supports dynamic secrets that rotate automatically with TTL-based expiry. For example, you can generate short-lived database credentials on the fly.
- AWS Secrets Manager allows automatic rotation using Lambda functions, which can be scheduled per secret.
However, Terraform itself doesn’t initiate rotation. Instead, it retrieves the latest version of a secret managed by Vault or AWS Secrets Manager.
To rotate secrets automatically, pair Terraform with a properly configured Vault or Secrets Manager setup.
Vault vs AWS Secrets Manager
| Feature | Vault | AWS Secrets Manager |
| --- | --- | --- |
| Deployment | Self-hosted or managed | Fully managed (AWS) |
| Access control | Vault policies | IAM roles and policies |
| Rotation | Dynamic TTL-based secrets | Lambda-based auto-rotation |
| Audit logging | Integrated | CloudTrail integration |
| Best use case | Multi-cloud, dynamic secrets | AWS-native applications |
Choose Vault if you need tight control, dynamic secrets or multi-cloud support. Choose Secrets Manager if you’re fully in AWS and prefer managed services.
How to avoid committing secrets to Git
Here are ways to make sure secrets never land in source control:
- .gitignore: Exclude .tfvars, .env, or other sensitive config files from the repository.
- Secrets manager: Use Vault or AWS Secrets Manager to keep secrets outside your codebase.
- Environment variables: Load secrets via environment settings in CI/CD tools.
- Terraform Cloud/Enterprise: Manage sensitive variables securely within workspaces.
- Pre-commit hooks: Scan code for sensitive strings before pushing.
Version control is for code, not secrets.
Best practices for secure IaC
To build secure and compliant Terraform workflows, follow these practices:
- Never hardcode secrets in .tf files
- Use dedicated secrets management tools like Vault or Secrets Manager
- Regularly rotate secrets
- Audit access logs and secret usage
- Assign minimum necessary access through policies
- Version and back up your secret stores
- Scan for exposed secrets in your repos and pipelines
Secure secrets are the foundation of secure infrastructure.
Conclusion
Managing secrets in Terraform securely using Vault or AWS Secrets Manager is no longer optional—it’s a foundational part of building secure, scalable, and compliant infrastructure.
While both Vault and AWS Secrets Manager are excellent choices, your use case, cloud footprint, and team maturity will guide which one fits better. The key takeaway is simple: never store secrets in code, and always use purpose-built tools to manage them.
Start securing your Terraform deployments today. Talk to us about integrating Vault or AWS Secrets Manager into your workflow.