Decide on Secrets Management Strategy for Terraform
Deciding how to store secrets is crucial for securing both platform integration and application data when using Terraform. The appropriate secret store depends on the stack layer and must account for situations where other infrastructure might not yet be in place (e.g. Vault, Kubernetes, etc).
We need to decide where secrets will be kept. We’ll need to be able to securely store platform integration secrets (e.g. master keys for RDS, HashiCorp Vault unseal keys, etc) as well as application secrets (any secure customer data).
One consideration is that a self-hosted solution won’t be available during cold-starts, so a hosted/managed solution like ASM/SSM is required.
- e.g. Vault deployed as a helm chart in each tenant environment, using KMS keys for automatic unsealing (this chart already exists)
- SSM Parameter Store + KMS for all platform-level secrets used by infrastructure and Terraform
- AWS Secrets Manager supports automatic key rotation, which almost nothing other than RDS supports, and requires applications to be modified in order to use it to the full extent.
Recommendation
We will use AWS SSM Parameter Store for all platform-level secrets used by infrastructure and Terraform.
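As an added illustration of the recommended option (example code, not part of the original decision record or any existing chart/module), the following Terraform shows a platform-level secret stored as a KMS-encrypted SSM SecureString, a least-privilege read policy scoped to the parameter path, and a consumer reading it back. The key alias, the `/platform/...` path and the variable name are assumptions.

```hcl
# Added example; names, paths and alias are assumptions, not from the page.
# 1. Customer-managed KMS key (rotated) for SSM SecureString parameters.
resource "aws_kms_key" "platform_secrets" {
  description             = "Platform-level secrets stored in SSM Parameter Store"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "platform_secrets" {
  name          = "alias/platform-secrets"
  target_key_id = aws_kms_key.platform_secrets.key_id
}

# 2. Supplied out of band (TF_VAR_... or a CI secret); redacted from plan output.
variable "rds_master_password" {
  type      = string
  sensitive = true
}

# 3. SecureString under a path prefix so IAM can scope access. The value is
#    still written to state, so the backend must be encrypted and restricted.
resource "aws_ssm_parameter" "rds_master_password" {
  name   = "/platform/rds/master_password"
  type   = "SecureString"
  key_id = aws_kms_key.platform_secrets.key_id
  value  = var.rds_master_password
}

# 4. Least-privilege read policy for the consuming infrastructure role:
#    parameters under /platform/* plus decrypt with this key only.
data "aws_iam_policy_document" "platform_secrets_read" {
  statement {
    actions   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = ["arn:aws:ssm:*:*:parameter/platform/*"]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.platform_secrets.arn]
  }
}

# 5. In a separate consuming root module, read it back decrypted instead of
#    hard-coding it.
data "aws_ssm_parameter" "rds_master_password" {
  name            = "/platform/rds/master_password"
  with_decryption = true
}
```

Because the plaintext lands in Terraform state, the state backend (for example an encrypted S3 bucket with a restrictive bucket policy) is part of the trust boundary for every secret managed this way.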