Decide on Secrets Management Strategy for Terraform

Deciding where to store secrets is crucial for securing both platform integration and application data when using Terraform. The appropriate secret store depends on the stack layer and must account for situations where other infrastructure might not yet be in place (e.g. Vault, Kubernetes, etc).

We need to decide where secrets will be kept. We’ll need to be able to securely store platform integration secrets (e.g. master keys for RDS, HashiCorp Vault unseal keys, etc) as well as application secrets (any secure customer data).

One consideration is that a self-hosted solution won’t be available during cold-starts, so a hosted/managed solution like ASM/SSM is required.

• e.g. Vault deployed as helm chart in each tenant environment using KMS keys for automatic unsealing (this chart already exists)

• SSM Parameter Store + KMS for all platform-level secrets used by infrastructure and terraform

• AWS Secrets Manager supports automatic key rotation which almost nothing other than RDS supports and requires applications to be modified in order to use it to the full extent.

Related

• Use SSM over ASM for Infrastructure
• Decide on 1Password Strategy