Skip to content
Terraform secret provider
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Explicitely put name of Digital Asset on sponsors. Apr 3, 2019

Terraform secret Provider 💜

The secret provider has one mission: store secrets in the Terraform state.

Please be careful about your security stance before adopting this!

The main goal of this provider is that a lot of time, terraform contains secrets in it's state file anyways. Instead of putting them in the repo and the loading them with "${file("./secret")}" why not import them directly into the state file?

When using a remote state file, the state is automatically distributed with the new secret which makes key rotation easier.

This is only a better solution than storing secrets in Git. Look at adopting Hashicorp Vault in the longer term.


  • Terraform 0.10.x
  • Go 1.8 (to build the provider plugin)

How to install

Using pre-built binary

  1. Download the binary from the project releases page
  2. Extract provider binary from tar file.
  3. Copy to $PATH or the ~/.terraform.d/plugins directory so Terraform can find it.

Building from source

  1. Follow these instructions to setup a Golang development environment.
  2. Use go get to pull down this repository and compile the binary:
go get -u -v

Using Nix

If you are lucky enough to use Nix, it's already part of the full terraform distribution:

nix-env -iA nixpkgs.terraform-full

Building The Provider

Clone repository to: $GOPATH/src/

$ git clone $GOPATH/src/

Enter the provider directory and build the provider

$ cd $GOPATH/src/
$ make build

Using the provider



  • value, string: Returns the value of the secret


Here we declare a new resource that will contain the secret.

resource "secret_resource" "datadog_api_key" {
  lifecycle {
    # avoid accidentally loosing the secret
    prevent_destroy = true

To populate the secret, run

terraform import secret_resourc.datadog_api_key TOKEN

where TOKEN is the value of the token.

Once imported, the secret can be accessed using secret_resourc.datadog_api_key.value

Rotating secrets

terraform state rm secret_resource.datadog_api_key
terraform import secret_resourc.datadog_api_key NEW_TOKEN

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.8+ is required). You'll also need to correctly setup a GOPATH, as well as adding $GOPATH/bin to your $PATH.

To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.

$ make bin
$ $GOPATH/bin/terraform-provider-secret

In order to test the provider, you can simply run make test.

$ make test

In order to run the full suite of Acceptance tests, run make testacc.

Note: Acceptance tests create real resources, and often cost money to run.

$ make testacc


This work is licensed under the Mozilla Public License 2.0. See LICENSE for more details.


This work has been sponsored by Digital Asset and Tweag I/O.

Digital Asset Tweag I/O

This repository is maintained by Tweag I/O

Have questions? Need help? Tweet at @tweagio.

You can’t perform that action at this time.