This Terraform module provides a standard and extensible way of managing secrets from different sources, making them accessible through local.secrets["<SECRET_NAME>"]. It's designed to create an abstract interface for dealing with secrets in Terraform, regardless of the source of these secrets.
Our initial version is built to handle SOPS secrets, but it is designed in a way that it can be easily extended to support other secret providers like AWS SSM Parameter Store, Vault, and more in the future.
This module can be included as a child module, where needed, to fetch secrets and provide them in an abstract manner.
It's 100% Open Source and licensed under the APACHE2.
Copy exports/secrets.sops.tf to your project by running the following command:
curl -sL https://raw.githubusercontent.com/masterpointio/terraform-secrets-helper/main/exports/secrets.sops.tf -o secrets.sops.tfThe mixin incorporates the invocation of this module, so you simply need to configure the required secret_mapping variable and then reference it within your code.
See the full example in examples/complete
secret_mapping = [{
name = "db_password"
file = "test.yaml"
type = "sops"
}]
output "db_password" {
value = jsonencode(local.secrets["db_password"])
sensitive = true
}While the current version is specific to SOPS, future mixins will support other secret providers like SSM Parameter Store, Vault, and more. The future mixins will include all necessary provider configuration for themselves, making the process of integrating with different secret providers seamless.
| Name | Version |
|---|---|
| terraform | >= 1.3 |
| sops | >= 0.7 |
| Name | Version |
|---|---|
| sops | >= 0.7 |
No modules.
| Name | Type |
|---|---|
| sops_file.sops_secrets | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| secret_mapping | The list of secret mappings the application will need. This creates secret values for the component to consume at local.secrets[name]. |
list(object({ name = string type = optional(string, "sops") path = optional(string, null) file = string })) |
[] |
no |
| Name | Description |
|---|---|
| all | The final secrets pulled from various sources. |