Encrypting secrets in Hashicorp Terraform

Recommendations for safely storing secret data
See also

The Terraform provider for Yandex.Cloud lets you encrypt secrets with a KMS key to use them later in a Terraform configuration.

Specify the plaintext and KMS key to be used for encryption in the yandex_kms_secret_ciphertext block:

resource "yandex_kms_secret_ciphertext" "encrypted_strong_password" {
  key_id      = "<key ID>"
  aad_context = "additional authenticated data"
  plaintext   = "strong password"
}

You can then access the ciphertext via the variable ${yandex_kms_secret_ciphertext.encrypted_strong_password.ciphertext}.

Warning

Using yandex_kms_secret_ciphertext lets you hide secrets when deploying an infrastructure. However, in general, it's not safe to openly specify the plaintext and aad_context in a configuration file. Secrets can be read from configuration files or execution logs and can end up in the Terraform state.

Recommendations for safely storing secret data

Don't explicitly specify the secret values in the configuration file. Read them from storage with restricted access (for example, use secret storage).
Consider storing the Terraform state remotely.

Encrypting secrets in Hashicorp Terraform

Recommendations for safely storing secret data

See also