Protecting Terraform Secrets in GitHub Actions
GitHub Actions offers built-in secrets management that works well with Terraform deployments. This article shows you how to set up GitHub Actions for Terraform, store sensitive data securely, and use these secrets in your infrastructure code. You'll learn practical techniques to keep your automation pipelines running while protecting your credentials from exposure.
Setting Up GitHub Actions for Terraform
The hashicorp/setup-terraform action installs Terraform on the runner so that later steps can call it. Create a workflow file in .github/workflows (for example .github/workflows/terraform.yml) that runs Terraform on pushes and pull requests to main:
```yaml
name: 'Terraform CI'

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v3
      - name: Terraform Init
        run: terraform init
      - name: Terraform Plan
        run: terraform plan
```
Managing Secrets in GitHub Actions
GitHub Actions stores secrets encrypted at rest and exposes them only to workflow runs; once saved, a secret's value cannot be read back through the UI or the API, only replaced. To add a secret to your repository:
- Go to your repository's Settings
- Under "Security", select "Secrets and variables", then "Actions"
- Click "New repository secret"
Reference these secrets in your workflow using the secrets context:
```yaml
name: Terraform Plan

on: [pull_request]

jobs:
  terraform:
    runs-on: ubuntu-latest
    # Job-level env: every step (init, plan, apply) sees the variable.
    # Terraform reads TF_VAR_api_token as the value of var.api_token;
    # setting it on the init step alone would leave plan without it.
    env:
      TF_VAR_api_token: ${{ secrets.API_TOKEN }}
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v3
      - name: Terraform Init
        run: terraform init
      - name: Terraform Plan
        run: terraform plan
```
GitHub Actions redacts secret values from logs, but the redaction is a best-effort string match: only an exact occurrence of the secret is masked, so a value that has been base64-encoded, URL-encoded, split across lines or embedded in JSON is printed in the clear. Treat redaction as a safety net, not a control: never echo a secret, keep secrets out of `run:` command lines (pass them as environment variables, as above), and do not write them into uploaded artifacts, including saved plan files, which contain variable values in plaintext. Workflows triggered by a `pull_request` from a fork do not receive repository secrets at all. The exception is `pull_request_target`, which runs in the base repository's context with its secrets, so a workflow on that trigger must never check out and execute the pull request's code. The secrets context (`${{ secrets.SECRET_NAME }}`) is the only supported way to reference a secret in a workflow.
Integrating Secrets with Terraform Code
Terraform state files store every resource attribute, including values that came from secret variables, in plaintext. Marking a variable `sensitive = true` only redacts the value from `plan` and `apply` output (and from outputs derived from it); it does not encrypt or remove the value from state. Treat state itself as a secret: keep it in a remote backend with server-side encryption and tight access control (for example an S3 bucket with encryption enabled and a bucket policy limited to the CI role), never commit it to the repository, and never upload it as a workflow artifact.
```hcl
variable "api_token" {
  type        = string
  sensitive   = true
  description = "API token for authentication"
}

provider "aws" {
  region = "us-west-2"
}
```
For database credentials and other sensitive data:
```hcl
variable "database_password" {
  type        = string
  sensitive   = true
  description = "Password for database access"
}

resource "aws_db_instance" "example" {
  password = var.database_password
  # Additional configuration...
}
```
AWS credentials should never be passed as Terraform variables or hard-coded in configuration. In GitHub Actions the preferred option is to avoid long-lived keys altogether: grant the job `id-token: write` and use `aws-actions/configure-aws-credentials` to exchange GitHub's OIDC token for short-lived credentials from an IAM role whose trust policy is restricted to your repository. Where static keys are unavoidable, store them as repository or environment secrets and expose them only through the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables (or an AWS profile on a self-hosted runner), scope the IAM user to least privilege, and rotate them.
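As an added example, not code from this article or from Terrateam, the workflow below puts the preceding points together: a `permissions` block that grants the job only what it needs, secrets that reach Terraform solely as `TF_VAR_*` environment variables rather than on a command line, and AWS authentication through the job's OIDC token instead of stored access keys. The role ARN, the secret names, the region and the branch are assumptions for illustration.

```yaml
name: 'Terraform CI (hardened)'

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Workflow-wide default: the GITHUB_TOKEN gets no permissions unless a job opts in.
permissions: {}

jobs:
  terraform:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # enough for actions/checkout
      id-token: write   # lets the job request an OIDC token for AWS
    env:
      # Secrets are exposed only as Terraform input variables via the
      # environment, never interpolated into a `run:` command line.
      # Secret names are assumed; create them under Settings > Secrets.
      TF_VAR_api_token: ${{ secrets.API_TOKEN }}
      TF_VAR_database_password: ${{ secrets.DATABASE_PASSWORD }}
      # Non-interactive mode: Terraform fails instead of prompting.
      TF_IN_AUTOMATION: "true"
    steps:
      - uses: actions/checkout@v4

      # Exchange the OIDC token for short-lived credentials from an IAM role.
      # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets are stored anywhere.
      # The role ARN below is a hypothetical placeholder.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-terraform-ci
          aws-region: us-west-2

      - uses: hashicorp/setup-terraform@v3

      - name: Terraform Init
        run: terraform init -input=false

      - name: Terraform Plan
        run: terraform plan -input=false -no-color
```

On the AWS side the role's trust policy must trust the `token.actions.githubusercontent.com` OIDC provider with audience `sts.amazonaws.com` and constrain the `sub` claim to your repository (for example `repo:<org>/<repo>:ref:refs/heads/main`); that condition is what stops any other repository from assuming the role. On a `pull_request` opened from a fork, GitHub withholds the repository secrets, so the plan step fails rather than leaking anything, which is the behaviour you want.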
Building Secure Infrastructure Automation
Proper secrets management isn't optional: it's a fundamental requirement for infrastructure automation. GitHub Actions' secrets management combined with Terraform's security features creates a strong framework for protecting sensitive data throughout the deployment pipeline.
Terrateam extends these capabilities with automated planning, cost estimation, and environment-specific policies. By implementing these practices and tools, teams can automate infrastructure deployments without compromising security. The result is a deployment pipeline that moves fast while keeping credentials locked down.