TFVARS

Best Practices for Using Terraform with Vault (hashicorp.com)

Using HashiCorp Vault with Terraform to manage your secrets and sensitive data in a production environment:

  • HashiCorp tools are modular and integrate well to produce elegant DevOps workflows that span security, provisioning, networking, and development.
  • You can use Terraform to spin up a recommended HashiCorp Vault architecture and then have Vault feed secrets into the Terraform provisioning workflow.
  • This allows you to easily harness dynamic secrets and never publish any plaintext secrets into configuration files or version control while provisioning infrastructure.
  • Using dynamic secrets means that no long-lived secrets live in your Terraform configuration files, so if a malicious actor finds your Terraform state file, or you accidentally publish it to GitHub, the credentials in it become useless within hours or minutes, depending on how quickly your setup rotates secrets.
  • You can also codify Vault configuration tasks, such as the creation of policies, in Terraform, which lets operators work faster, promotes repeatable processes, and reduces human error.

tfvars and .auto.tfvars

When running Terraform in automation, some users have the automation generate a terraform.tfvars or .auto.tfvars file just before running Terraform, in order to pass in values the automation knows, such as which environment the run is for. Because terraform.tfvars and .auto.tfvars files are loaded automatically, without any additional options, they behave similarly to defaults, but their intent is different: they carry values chosen for this particular run, not fallbacks baked into the configuration.

Example

Terraform automatically loads variable definitions from files named exactly terraform.tfvars or terraform.tfvars.json, and from any file whose name ends in .auto.tfvars or .auto.tfvars.json. So a file named dev.auto.tfvars is loaded without any additional options, which is a convenient way to manage different sets of variables for different environments or use cases. Note that this only applies to the .auto. naming: a file named dev.tfvars is ignored unless it is passed explicitly with -var-file.
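To make the loading rules concrete, here is an added Python example (not code from the page or from HashiCorp) that reproduces Terraform's auto-load discovery and precedence over a constructed directory listing; the tfvars reader inside it is a deliberately minimal stand-in for the real HCL parser.

```python
import json
import re
from typing import Dict, List

# Terraform's auto-load order (later files override earlier ones):
#   1. terraform.tfvars       2. terraform.tfvars.json
#   3. *.auto.tfvars / *.auto.tfvars.json, in lexical order of file name
# Anything else (e.g. staging.tfvars) is only read when passed via -var-file.
AUTO_PATTERN = re.compile(r".+\.auto\.tfvars(\.json)?$")


def auto_loaded_var_files(names: List[str]) -> List[str]:
    """Return the files Terraform would load automatically, lowest precedence first."""
    fixed = [n for n in ("terraform.tfvars", "terraform.tfvars.json") if n in names]
    return fixed + sorted(n for n in names if AUTO_PATTERN.match(n))


def parse_tfvars(text: str, is_json: bool) -> Dict[str, object]:
    """Minimal reader constructed for this example: full JSON, and for HCL only
    one-line `name = "string"` / `name = 123` assignments (real tfvars allow more)."""
    if is_json:
        return json.loads(text)
    result: Dict[str, object] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        result[key] = raw[1:-1] if raw.startswith('"') else int(raw)
    return result


def effective_variables(files: Dict[str, str]) -> Dict[str, object]:
    """Merge every auto-loaded file from a {filename: contents} mapping.
    Later files in the load order silently override earlier ones, which is why a
    stray *.auto.tfvars left behind by automation deserves a look before apply."""
    merged: Dict[str, object] = {}
    for name in auto_loaded_var_files(list(files)):
        merged.update(parse_tfvars(files[name], name.endswith(".json")))
    return merged


# Constructed working directory: a committed terraform.tfvars, a dev.auto.tfvars
# written by CI just before the run, and a forgotten zz.auto.tfvars.json.
SAMPLE_DIR = {
    "terraform.tfvars": 'environment = "prod"\ninstance_count = 3\n',
    "dev.auto.tfvars": 'environment = "dev"  # generated by the pipeline\n',
    "zz.auto.tfvars.json": '{"instance_count": 1}',
    "staging.tfvars": 'environment = "staging"\n',   # ignored without -var-file
    "main.tf": 'variable "environment" {}\n',
}
```

Calling `effective_variables(SAMPLE_DIR)` shows the committed prod values being overridden by the generated and leftover auto files, while staging.tfvars is never consulted.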