Security and Secrets Management

The day we found AWS credentials in Git taught me that infrastructure security isn't optional

Table of Contents

1. Introduction: The Security Incident

2. Why Infrastructure Security Matters

3. Security Principles for Terraform

4. Securing Terraform State

5. Secrets Management Strategies

6. Environment Variables

7. HashiCorp Vault Integration

8. Sensitive Data in Terraform

9. Encryption Patterns

10. Provider Credentials Security

11. Real-World Example: Complete Security Setup

12. Security Scanning

13. Compliance and Auditing

14. Secret Rotation

15. Common Security Mistakes

16. Security Best Practices

17. What I Learned About Infrastructure Security

18. Next Steps

Introduction: The Security Incident

It was a Tuesday morning when our security team sent the Slack message that made my stomach drop:

Security Alert: AWS credentials found in public GitHub repository

I clicked the link. There, in our Terraform repository's commit history, were AWS access keys in plain text. A developer had committed them six months ago while debugging. The repository had been public for three of those months.

The credentials had administrative access.

We spent the next 72 hours:

• Rotating every credential

• Auditing all AWS activity

• Implementing secrets management

• Re-educating the entire team

• Dealing with a security audit

The damage:

• $4,000 in unauthorized EC2 instances (crypto mining)

• 120 hours of team time

• A very uncomfortable conversation with leadership

• Mandatory security training for everyone

That incident transformed how we handle secrets in Terraform.

I learned:

• Never commit secrets to version control

• State files contain secrets and must be secured

• Secrets management is not optional

• Encryption at rest is table stakes

• Access controls prevent most breaches

This article is everything I learned about securing Terraform infrastructure, from basic secrets management to enterprise-grade security.

Why Infrastructure Security Matters

Attack Surface

Infrastructure as code exposes:

• Cloud provider credentials

• Database passwords

• API keys

• Encryption keys

• SSH keys

• Service account tokens

One compromised credential can:

• Destroy infrastructure

• Steal data

• Mine cryptocurrency

• Deploy malware

• Exfiltrate secrets

Common Attack Vectors

The Cost of Insecurity

Direct costs:

• Unauthorized resource usage

• Data breach penalties

• Incident response

• Security audits

Indirect costs:

• Lost productivity

• Reputation damage

• Customer trust

• Regulatory scrutiny

Security Principles for Terraform

1. Least Privilege

Grant minimum permissions necessary.

Bad:

Good:

2. Defense in Depth

Multiple layers of security.

3. Zero Trust

Never trust, always verify.

Principles:

• Verify every access

• Encrypt everything

• Assume breach

• Continuous validation

4. Immutable Infrastructure

Prevent runtime changes.

Benefits:

• No configuration drift

• Predictable deployments

• Easy rollbacks

• Audit trail

Securing Terraform State

State files contain secrets in plain text.

What's in State?

Common secrets in state:

• Database passwords

• API keys

• Private keys

• Access tokens

• Connection strings

State Security Checklist

✅ Use remote backend ✅ Enable encryption at rest ✅ Enable encryption in transit ✅ Use state locking ✅ Implement access controls ✅ Enable versioning ✅ Configure backups ✅ Audit access

Secure Remote Backend (S3)

S3 bucket policy:

Secure Remote Backend (Terraform Cloud)

Benefits:

• Encryption by default

• Access controls built-in

• Audit logging

• State versioning

• Remote execution

State Access Controls

AWS IAM policy:

Secrets Management Strategies

Strategy Comparison

Never Hardcode Secrets

❌ NEVER DO THIS:

Use Sensitive Variables

Environment Variables

Simple secrets management for local development.

Setting Environment Variables

Linux/macOS:

Windows PowerShell:

Windows CMD:

.env File (Local Only)

❌ DO NOT COMMIT .env FILES

.env:

.gitignore:

Load .env:

Environment-Specific Secrets

Load script:

HashiCorp Vault Integration

Enterprise-grade secrets management.

What is Vault?

HashiCorp Vault provides:

• Centralized secrets storage

• Dynamic secrets generation

• Encryption as a service

• Access control

• Audit logging

• Secret rotation

Vault Architecture

Install Vault (Local Development)

Start Vault Dev Server

Store Secrets in Vault

Vault Provider in Terraform

Dynamic Secrets

Vault can generate temporary credentials.

Example: Database credentials

Terraform usage:

Benefits:

• Credentials expire automatically

• No manual rotation needed

• Unique credentials per user/service

• Audit trail of all access

Sensitive Data in Terraform

Mark Variables Sensitive

Effect:

Output:

Mark Outputs Sensitive

Sensitive in Locals

Conditional Sensitivity

Encryption Patterns

Encrypt Files

Generate encryption key:

Encrypt file:

In Terraform:

SOPS (Secrets OPerationS)

Install:

Encrypt with SOPS:

In Terraform:

Age Encryption

Install:

Generate key:

Encrypt:

Decrypt:

Provider Credentials Security

AWS Credentials

❌ NEVER:

✅ Use AWS Profile:

~/.aws/credentials:

✅ Use IAM Role:

✅ Use Environment Variables:

Azure Credentials

✅ Use Azure CLI:

✅ Use Service Principal:

GCP Credentials

✅ Use gcloud:

✅ Use Service Account:

Real-World Example: Complete Security Setup

Complete production-ready security implementation.

Project Structure

Vault Setup Script

vault/config/setup.sh:

Secure Module

modules/secure-service/variables.tf:

modules/secure-service/main.tf:

modules/secure-service/outputs.tf:

Environment Configuration

environments/production/main.tf:

.gitignore

Security Scanning

Pre-commit Hooks

Install:

.pre-commit-config.yaml:

Install hooks:

Automated Security Scanning

CI/CD Security Gates

.github/workflows/security.yml:

Compliance and Auditing

Audit Logging

Enable CloudTrail (AWS):

Vault Audit Logging:

Compliance Frameworks

CIS Benchmarks:

SOC 2:

• Audit all state access

• Encrypt all data

• Implement access controls

• Log all changes

HIPAA:

• Encrypt PHI

• Access controls

• Audit trails

• Data retention

GDPR:

• Data encryption

• Access logging

• Right to deletion

• Data residency

Compliance as Code

Policy (compliance.rego):

Secret Rotation

Automated Rotation

Manual Rotation Process

1. Generate new secret:

2. Run Terraform:

3. Verify:

4. Update dependent services

5. Remove old secret

Common Security Mistakes

Mistake 1: Committing Secrets

Problem:

Solution:

Mistake 2: Unencrypted State

Problem:

Solution:

Mistake 3: Over-Privileged Access

Problem:

Solution:

Mistake 4: Logging Sensitive Data

Problem:

Solution:

Mistake 5: No Audit Trail

Problem: No logging of who accessed what when.

Solution:

• Enable CloudTrail

• Enable Vault audit logging

• Log Terraform operations

• Monitor access patterns

Security Best Practices

1. Never Commit Secrets

✅ Use Vault or similar ✅ Use environment variables ✅ Encrypt files ✅ Use .gitignore ❌ Never hardcode

2. Encrypt Everything

✅ State at rest ✅ State in transit ✅ Secrets storage ✅ Configuration files

3. Least Privilege

✅ Minimal permissions ✅ Time-limited access ✅ Role-based access ✅ Regular audits

4. Audit Everything

✅ Log all access ✅ Monitor patterns ✅ Alert on anomalies ✅ Regular reviews

5. Rotate Regularly

✅ Automate rotation ✅ Short-lived credentials ✅ Track rotation dates ✅ Test rotation process

6. Scan Continuously

✅ Pre-commit hooks ✅ CI/CD scanning ✅ Regular audits ✅ Dependency updates

7. Defense in Depth

✅ Multiple security layers ✅ Assume breach ✅ Verify everything ✅ Continuous improvement

What I Learned About Infrastructure Security

1. Security is Not Optional

That Tuesday morning AWS incident taught me: one leaked credential can destroy everything.

Security must be baked in from day one.

2. State Files Are Treasure Troves

State contains every secret in your infrastructure.

Treat state files like the crown jewels.

3. Automation Prevents Human Error

Manual secret management fails.

Automated systems (Vault, KMS) work.

4. Visibility Enables Security

You can't secure what you can't see.

Logging and monitoring are essential.

5. Compliance is Easier with Code

Policy as code enforces compliance automatically.

Manual checks don't scale.

6. Least Privilege Works

Give minimum permissions needed.

Over-privileged access is a liability.

7. Security is Continuous

Security is not a one-time setup.

Continuous scanning, rotation, and improvement.

Next Steps

Congratulations! You've mastered Terraform security:

✅ Securing state files ✅ Secrets management strategies ✅ HashiCorp Vault integration ✅ Encryption patterns ✅ Provider credentials security ✅ Security scanning ✅ Compliance and auditing ✅ Secret rotation

Practice Exercises

Exercise 1: Secure Your State

Exercise 2: Implement Vault

Exercise 3: Security Scanning

Coming Up Next

In Article 10: Advanced Modules and Composition - Building Complex Infrastructure, we'll explore:

• Complex module patterns

• Module composition strategies

• Mono-repo vs multi-repo

• Module versioning strategies

• Registry best practices

• Testing complex modules

Security protects your infrastructure. Advanced modules organize it.

This Week's Challenge: Audit your Terraform projects for security issues. Encrypt state, remove hardcoded secrets, implement Vault or similar secrets management.

See you in Article 10! 🔒

"That AWS credential leak cost us $4,000 and 72 hours of crisis management. Now every secret goes through Vault, every state file is encrypted, and we sleep better at night." - Me, security-first now