Integrating Terraform with Secret Server

Integrating DelineaSecret Server and Terraform enables secure and streamlined secrets management within Terraform infrastructure-as-code (IaC) workflows. It provides a centralized repository for storing and retrieving sensitive information, such as API keys, passwords, and certificates, that Terraform needs while provisioning and managing infrastructure resources.

Use Cases

The Delinea Terraform provider supports secure and automated secrets management. Below are the key supported use cases:

  • Create Secret
    Automatically create a new secret and capture its ID. For password fields, supply the value via the write-only password_value attribute (provider v4.0.0+) so the password is never written to Terraform state, or set generate = true to have Secret Server generate a password from the template's password-requirement policy.
  • Update Secret
    Modify an existing secret directly from your Terraform configuration, including rotating a password by bumping password_wo_version.
  • Get Secret(s): Retrieve a stored secret for use in your infrastructure, either as a persistent resource or as an ephemeral resource that exists only during execution and does not persist values in the state file.
  • Delete Secret: In Delinea Secret Server, secrets are typically deactivated rather than permanently deleted. The terraform destroy command only partially supports this process as it removes secrets that are tracked in the Terraform state, effectively disabling them but not erasing them. To enable true deletion, the Delinea Terraform provider includes a dedicated resource that allows secrets to be deleted by their ID, even if they are not managed within the Terraform state.

    Delete and disable mean the same thing. When a secret is deleted, it is not permanently removed; it is simply disabled. The secret is no longer active but still exists in the background.