Updated: Aug 9, 2020

Hello readers, I hope you are doing well and enjoying the articles on Terraform. This is the eighth part of the series; if you missed the previous parts, feel free to read them first for a better understanding.

In this part, we are going to look at how to configure credentials securely so that they are hard to compromise, and at the end we are going to look at how we can encrypt sensitive information while working with Terraform. So let's begin...

Handling access and secret keys the right way

Till now, we have been hard coding the aws-region parameter within the

But this is not the best way to do things, as keys can be compromised, and when we push our code to GitHub repositories, the keys would be visible.

To get rid of this, we should always configure keys via awscli.

The steps to install awscli on a CentOS system are as below:

  • Login with root user on the Linux box (normal user should have sudo access)

  • yum install epel-release

  • yum install python-pip -y

  • pip install awscli

  • aws configure

  • If we are using an EC2 instance to run Terraform, we can instead attach a role with admin access and get rid of keys completely.

  • If we do any of the above approaches, we can remove credentials from

Provider use case: Resources in multiple regions

In scenarios where specific resources have to be created in different regions, the provider configuration offers the alias feature, which lets us configure resources in different regions.

Handling Multiple AWS profiles with providers

AWS allows us to work with multiple AWS accounts (account profiles)

If we have to deal with multiple accounts, we can adjust the provider configuration as below.

Let's say we have to create an elastic IP.

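# Created with the default provider (us-east-1)
resource "aws_eip" "myeip" {
  vpc = true
}

# Created through the aliased provider (ap-south-1, profile "project1")
resource "aws_eip" "myeip01" {
  vpc      = true
  provider = aws.aws02
}

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias   = "aws02"
  region  = "ap-south-1"
  profile = "project1"
}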

Assume Role with STS in Terraform

Here we can create a role with all the required permissions and ask Terraform to assume this role by using the configuration below.

provider "aws" {
  # Terraform calls STS to assume this role before making any API requests
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}

All in all, we learned here the best practices related to the security of Terraform. We should always try to avoid the use of access keys with Terraform.
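One way to enforce this before code reaches a GitHub repository is a small pre-commit check, shown here as an added example (it is not from the original article or its repository). The function name, the sample snippets and the script name in the usage comment are assumptions made for illustration; the key values are AWS's published documentation placeholders.

```python
import re
import sys

# Static-credential arguments of the AWS provider, assigned a quoted literal.
CRED_ATTR = re.compile(r'\b(access_key|secret_key)\s*=\s*"([^"]*)"')
# Shape of an AWS access key ID (AKIA = long-term, ASIA = temporary).
KEY_ID = re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b')


def find_hardcoded_credentials(tf_text):
    """Return sorted (line_no, reason) pairs; secret values are never echoed."""
    findings = set()
    for line_no, line in enumerate(tf_text.splitlines(), start=1):
        # Comments are scanned too: a commented-out key still ends up in git.
        for attr, value in CRED_ATTR.findall(line):
            # "${var.x}" is an interpolated reference, "" is a placeholder.
            if value and "${" not in value:
                findings.add((line_no, f"literal {attr}"))
        if KEY_ID.search(line):
            findings.add((line_no, "access key ID pattern"))
    return sorted(findings)


# Constructed sample inputs; the key values are AWS documentation placeholders.
BAD_TF = '''provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''
GOOD_TF = '''provider "aws" {
  alias   = "aws02"
  region  = "ap-south-1"
  profile = "project1"
}
'''

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_tf_creds.py main.tf ...
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line_no, reason in find_hardcoded_credentials(fh.read()):
                print(f"{path}:{line_no}: {reason}")
                failed = True
    sys.exit(1 if failed else 0)
```

The script exits non-zero when any file contains a finding, so it can block a commit or fail a CI job.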

Handling Sensitive data

Let's say there are values in the Terraform configuration, or some output values, that are sensitive and should not be displayed on the screen. We can declare that variable as sensitive as shown below

Code is available for reference at: LinuxAdvise GitHubRepo

Thanks for reading :)


©2020 by Linux Advise