Secure Storing of User Data

Avoid storing user credentials in plain text in the .tfvars file, and avoid leaving state data in plain text in the .tfstate file. The sections below describe how to store this data securely.

Storing User Credentials in Environment Variables

You can pass user credentials to Terraform through environment variables for the tss_server_url, tss_username, and tss_password input variables. Prefix each variable name with TF_VAR_ so that Terraform automatically reads the value from the corresponding environment variable.

Set the environment variables as follows:

For Linux

$ export TF_VAR_tss_username="my_app_user"

$ export TF_VAR_tss_password="Password."

$ export TF_VAR_tss_server_url="https://localhost/SecretServer"

For Windows

> set TF_VAR_tss_username=my_app_user

> set TF_VAR_tss_password=Password.

> set TF_VAR_tss_server_url=https://localhost/SecretServer

After setting these environment variables, you no longer need to store credentials in the .tfvars file, and you can run terraform plan and terraform apply as usual. (In the Windows cmd shell, do not quote the values: set includes the quotes in the value, and the login would fail.)

Encrypting the Terraform State File Using a Script Wrapper

Terraform offers several remote backends, such as AWS S3 and Azure Blob Storage, that store state files securely and provide built-in state locking. When the state file is kept locally, however, you must encrypt it yourself.

To protect the state file during the Terraform workflow, wrap the Terraform commands in scripts that handle encryption and decryption of the state file around each command, for example terraform init, terraform apply, and terraform destroy.

Rather than running these commands directly, execute them from a script that performs the encryption and decryption steps before and after each command. The wrapper scripts are available for download.

To run the commands from a script:

  1. Place the Terraform command wrapper scripts in the directory from which you run Terraform (the one created during the Terraform configuration process). This directory must contain the .tf and .tfvars files.

    1. Wrapper scripts for Windows: terraform_init.bat, terraform_apply.bat, terraform_destroy.bat.

    2. Wrapper scripts for Linux: terraform_init.sh, terraform_apply.sh, terraform_destroy.sh.

  2. Set the user credentials for the Secret Server in environment variables, as described in Storing User Credentials in Environment Variables.

  3. Run the wrapper scripts one at a time, in place of the corresponding Terraform commands.

The state file encryption and decryption use AES-GCM, which provides both confidentiality and integrity, with an encryption key derived from a passphrase using PBKDF2.

The encryption flow (EncryptFile) consists of the following steps:

  1. File Check & Load: Verifies that the state file exists and reads its content.

  2. Key Derivation: Derives the key with PBKDF2 from the passphrase and a freshly generated random salt.

  3. AES-GCM Encryption: Encrypts the data with AES-GCM using a random nonce, producing a ciphertext and an authentication tag.

  4. Output: Prepends the salt to the ciphertext, Base64-encodes the result, and writes it back to the file.

The decryption flow (DecryptFile) consists of the following steps:

  1. File Check & Load: Verifies that the file exists, reads its content, and decodes it from Base64.

  2. Key Derivation: Re-derives the key with PBKDF2 from the passphrase and the salt extracted from the file.

  3. AES-GCM Decryption: Decrypts the data, rejecting it if the GCM authentication tag does not verify (wrong passphrase or tampered file).

  4. Output: Writes the decrypted data back to the file.
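The EncryptFile and DecryptFile flows above, as an added worked example in Ruby using only its bundled OpenSSL binding; this is not the downloadable wrapper's own code. The salt, nonce, key and iteration sizes are constructed values, and storing the nonce and GCM tag next to the salt is this example's assumption, since the page only says the salt is prepended.

```ruby
require 'openssl'

# Constructed parameters for this example; the page does not specify them.
SALT_LEN   = 16
NONCE_LEN  = 12      # 96-bit nonce, the recommended size for GCM
KEY_LEN    = 32      # AES-256
TAG_LEN    = 16
ITERATIONS = 100_000 # PBKDF2-HMAC-SHA256 work factor

# Derive the AES key from the passphrase and the per-file random salt.
def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: ITERATIONS,
                           length: KEY_LEN, hash: 'sha256')
end

# Encrypt the state file content. Layout (assumed): base64(salt || nonce || ciphertext || tag).
# A fresh salt and nonce are drawn for every encryption so a nonce is never reused under one key.
def encrypt_state(plaintext, passphrase)
  salt  = OpenSSL::Random.random_bytes(SALT_LEN)
  nonce = OpenSSL::Random.random_bytes(NONCE_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv  = nonce
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  [salt + nonce + ciphertext + cipher.auth_tag].pack('m0') # strict Base64, no line breaks
end

# Decrypt; returns nil when the passphrase is wrong, the file was tampered with, or the
# Base64 is malformed, because GCM tag verification (or decoding) fails in those cases.
def decrypt_state(encoded, passphrase)
  blob = encoded.unpack1('m0') # strict Base64 decode, raises ArgumentError on bad input
  return nil if blob.bytesize < SALT_LEN + NONCE_LEN + TAG_LEN
  salt  = blob.byteslice(0, SALT_LEN)
  nonce = blob.byteslice(SALT_LEN, NONCE_LEN)
  tag   = blob.byteslice(-TAG_LEN, TAG_LEN)
  ciphertext = blob.byteslice(SALT_LEN + NONCE_LEN, blob.bytesize - SALT_LEN - NONCE_LEN - TAG_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv  = nonce
  cipher.auth_tag  = tag
  cipher.auth_data = ''
  cipher.update(ciphertext) + cipher.final # final raises CipherError if the tag does not verify
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end
```

Wrapping encrypt_state and decrypt_state around File.binread and File.write of terraform.tfstate gives the in-place behaviour the steps describe; the wrapper should stop, not continue to the Terraform command, when decrypt_state returns nil.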