Security and Secrets Management
Table of Contents
Introduction: The Security Incident
Why Infrastructure Security Matters
Attack Surface
Common Attack Vectors
The Cost of Insecurity
Security Principles for Terraform
1. Least Privilege
2. Defense in Depth
3. Zero Trust
4. Immutable Infrastructure
Securing Terraform State
What's in State?
State Security Checklist
Secure Remote Backend (S3)
Secure Remote Backend (Terraform Cloud)
State Access Controls
Secrets Management Strategies
Strategy Comparison (table columns: Strategy, Security, Complexity, Cost)
Never Hardcode Secrets
Use Sensitive Variables
Environment Variables
Setting Environment Variables
.env File (Local Only)
Environment-Specific Secrets
HashiCorp Vault Integration
What is Vault?
Vault Architecture
Install Vault (Local Development)
Start Vault Dev Server
Store Secrets in Vault
Vault Provider in Terraform
Dynamic Secrets
Sensitive Data in Terraform
Mark Variables Sensitive
Mark Outputs Sensitive
Sensitive in Locals
Conditional Sensitivity
Encryption Patterns
Encrypt Files
SOPS (Secrets OPerationS)
Age Encryption
Provider Credentials Security
AWS Credentials
Azure Credentials
GCP Credentials
Real-World Example: Complete Security Setup
Project Structure
Vault Setup Script
Secure Module
Environment Configuration
.gitignore
Security Scanning
Pre-commit Hooks
Automated Security Scanning
CI/CD Security Gates
Compliance and Auditing
Audit Logging
Compliance Frameworks
Compliance as Code
Secret Rotation
Automated Rotation
Manual Rotation Process
Common Security Mistakes
Mistake 1: Committing Secrets
Mistake 2: Unencrypted State
Mistake 3: Over-Privileged Access
Mistake 4: Logging Sensitive Data
Mistake 5: No Audit Trail
Security Best Practices
1. Never Commit Secrets
2. Encrypt Everything
3. Least Privilege
4. Audit Everything
5. Rotate Regularly
6. Scan Continuously
7. Defense in Depth
What I Learned About Infrastructure Security
1. Security is Not Optional
2. State Files Are Treasure Troves
3. Automation Prevents Human Error
4. Visibility Enables Security
5. Compliance is Easier with Code
6. Least Privilege Works
7. Security is Continuous
Next Steps
Practice Exercises
Coming Up Next