Secrets in IaC (avoid leaks)

Prevent secret leaks: keep plaintext out of IaC files and state, resolve secrets from a backend at runtime, and enforce scanning and redaction in CI.

Core Rule

  • Never store secrets in plaintext in IaC files or state.
  • Assume plans, logs, artifacts and state (including every historical state version) can be read by more people than you expect.
  • Marking a value as sensitive (for example Terraform's sensitive = true) only masks it in plan/apply output; the value is still written to state in plaintext.

Approved Patterns

  • Reference secrets by ID/path (vault key, secret manager ARN, Kubernetes Secret name)
  • Inject secrets at runtime via secret backends
  • Redact outputs; avoid printing sensitive values in CI logs

Runbook: Secret Leak Suspected

  1. Revoke/rotate the secret immediately; do not wait to confirm the leak
  2. Search CI logs, build artifacts and every state version in history for the value, including base64 and URL-encoded forms
  3. Invalidate credentials derived from it (tokens, sessions)
  4. Patch the pipeline to prevent recurrence (redaction + policy checks) and scrub or purge the exposed logs and state versions
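The search in step 2 and the policy check in step 4 are the parts of this runbook that tend to be done by hand with a plain grep, which misses encoded copies of the value. The Python below is an added example, not the team's tooling: it looks for a leaked value in constructed CI log lines, a constructed state history and a constructed Kubernetes Secret artifact in raw, base64 and URL-encoded forms, and flags quoted plaintext literals assigned to secret-looking keys in a constructed IaC file while accepting backend references. The leaked value, every input, and the vault:// and aws-sm:// reference grammar are assumptions made for the example.

```python
"""Runbook helpers: find where a leaked value was exposed (step 2) and fail a
pipeline on plaintext secret assignments (step 4).

Added example for this page, not the team's tooling. Every input below is
constructed and the leaked value is a throwaway test string.
"""
import base64
import re
import urllib.parse
from typing import Dict, Iterable, List, Tuple

LEAKED = "Pa55w0rd!@#"  # constructed; the value you are hunting for

# Constructed CI log. Line 2 shows plan output masking the value; line 3 shows
# a later step leaking it anyway, URL-encoded inside a connection string.
CI_LOG = [
    "2024-05-02T10:01:07Z step=plan terraform plan -out=tfplan",
    "2024-05-02T10:01:09Z step=plan   + password = (sensitive value)",
    "2024-05-02T10:02:31Z step=migrate DATABASE_URL=postgres://app:Pa55w0rd%21%40%23@db:5432/app",
    "2024-05-02T10:02:40Z step=migrate migration 0007 applied",
]
# Constructed state history, one serialized version per line, oldest first.
# Rotating the secret creates a new version; old versions keep the old value.
STATE_HISTORY = [
    '{"serial": 41, "resources": [{"type": "aws_db_instance", "instances": '
    '[{"attributes": {"password": "old-value-already-rotated"}}]}]}',
    '{"serial": 42, "resources": [{"type": "aws_db_instance", "instances": '
    '[{"attributes": {"password": "Pa55w0rd!@#"}}]}]}',
]
# Constructed build artifact: a Kubernetes Secret manifest, value base64-encoded.
ARTIFACT = ["apiVersion: v1", "kind: Secret", "data:", "  password: UGE1NXcwcmQhQCM="]

# Constructed IaC file for the policy check.
IAC_SNIPPET = """\
resource "aws_db_instance" "main" {
  username = "app"
  password = "Pa55w0rd!@#"
}
api_token = "vault://team/app/api_token"
"""


def encoded_forms(value: str) -> Dict[str, str]:
    """The shapes a value takes after passing through a pipeline: raw, base64
    (Kubernetes Secret manifests, many bearer tokens) and URL-encoded
    (connection strings, query parameters). A plain grep finds only the first."""
    return {
        "raw": value,
        "base64": base64.b64encode(value.encode()).decode(),
        "urlencoded": urllib.parse.quote(value, safe=""),
    }


def find_exposure(value: str, sources: Dict[str, Iterable[str]]) -> List[Tuple[str, int, str]]:
    """Return (source name, line number, encoding) for every line in every
    source that contains the value in any known form."""
    forms = encoded_forms(value)
    hits: List[Tuple[str, int, str]] = []
    for name, lines in sources.items():
        for lineno, line in enumerate(lines, start=1):
            for encoding, needle in forms.items():
                if needle in line:
                    hits.append((name, lineno, encoding))
                    break  # one report per line is enough to act on
    return hits


# Keys that should only ever hold a reference, and what a reference looks like
# (the vault:// and aws-sm:// grammar is an assumption of this example).
SECRET_KEY = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)
ASSIGNMENT = re.compile(r'^\s*(?P<key>[A-Za-z_][\w.-]*)\s*[=:]\s*"(?P<val>[^"]*)"')
REFERENCE = re.compile(r"^(vault|aws-sm)://[A-Za-z0-9_./-]+$")


def plaintext_secret_assignments(iac_text: str) -> List[Tuple[int, str]]:
    """Policy check for step 4: report (line number, key) for every quoted
    literal assigned to a secret-looking key that is not a backend reference.
    Run it pre-merge so the plaintext never reaches plan output, logs or state."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(iac_text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m or not SECRET_KEY.search(m.group("key")):
            continue
        if REFERENCE.match(m.group("val")):
            continue
        findings.append((lineno, m.group("key")))
    return findings


if __name__ == "__main__":
    sources = {"ci_log": CI_LOG, "state_history": STATE_HISTORY, "artifact": ARTIFACT}
    for source, lineno, encoding in find_exposure(LEAKED, sources):
        print(f"exposed in {source} line {lineno} ({encoding})")
    for lineno, key in plaintext_secret_assignments(IAC_SNIPPET):
        print(f"policy violation: plaintext value for '{key}' at line {lineno}")
```

Two things the constructed inputs are meant to show: the plan output on log line 2 says "(sensitive value)" while state serial 42 holds the raw password, which is why the Core Rule treats state as a leak channel in its own right; and the migration step leaks the same value in a form a search for the literal string would never find. Add further encodings (hex, double URL-encoding) to encoded_forms as your pipelines warrant.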

Example: Safe Reference Pattern

# Instead of embedding the secret value in the file (where it would also land in plan output, logs and state):
# password = <secret>

# Reference it by path and let the runtime fetch it from the backend:
secret_ref = "vault://team/app/db_password"
runtime_inject = true
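The reference above only helps if something resolves it at deploy time and keeps the fetched value out of logs. The Python below is an added example, not the page's or the team's code, of both halves of the Approved Patterns: a resolver that turns vault:// and aws-sm:// references in a committed config into values from a backend without mutating the committed config, and a redactor loaded with those values that scrubs them from anything about to be logged. The two schemes, the in-memory stand-in backend, its throwaway values and the [REDACTED] marker are assumptions made for the example.

```python
"""Resolve secret references at runtime and redact the values from output.

Added example for this page; it is not the team's deployment tooling. The
vault:// and aws-sm:// schemes and the in-memory backend are assumptions made
to keep the example self-contained; a real deployment would call the Vault
HTTP API or AWS Secrets Manager behind the same ``fetch`` callable.
"""
import re
from typing import Any, Callable, Dict, Set, Tuple

# Reference grammar assumed here: <scheme>://<path>. Only this string, never
# the value, appears in IaC files, plan output and state.
REF_RE = re.compile(r"^(?P<scheme>vault|aws-sm)://(?P<path>[A-Za-z0-9_./-]+)$")
REF_PREFIXES = ("vault://", "aws-sm://")

# Constructed stand-in for a secret backend (values are throwaway test strings).
FAKE_BACKEND: Dict[str, str] = {
    "vault://team/app/db_password": "s3cr3t-db-pa55",
    "aws-sm://prod/api/token": "tok-9f8e7d6c",
}


def parse_ref(ref: str) -> Tuple[str, str]:
    """Validate a reference. Anything that is not a well-formed reference is
    rejected instead of being passed through, so a raw value cannot be smuggled
    in where a reference is expected."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError("not a secret reference; refusing to treat as plaintext")
    return m.group("scheme"), m.group("path")


class Redactor:
    """Collects resolved values and scrubs them from text before it is logged."""

    def __init__(self) -> None:
        self._values: Set[str] = set()

    def register(self, value: str) -> None:
        # Very short values would redact ordinary words; treat them as a bug.
        if len(value) < 8:
            raise ValueError("secret too short to redact safely")
        self._values.add(value)

    def merge(self, other: "Redactor") -> None:
        self._values |= other._values

    def redact(self, text: str) -> str:
        # Longest first so a value that contains another value is fully masked.
        for value in sorted(self._values, key=len, reverse=True):
            text = text.replace(value, "[REDACTED]")
        return text


def resolve_config(
    config: Dict[str, Any],
    fetch: Callable[[str], str] = FAKE_BACKEND.__getitem__,
) -> Tuple[Dict[str, Any], Redactor]:
    """Return a copy of ``config`` with each reference replaced by its runtime
    value, plus a Redactor already loaded with every value that was fetched.
    ``config`` itself (the thing that gets committed, planned and stored) is
    never mutated, so it keeps holding references only."""
    redactor = Redactor()
    resolved: Dict[str, Any] = {}
    for key, value in config.items():
        if isinstance(value, dict):
            resolved[key], sub = resolve_config(value, fetch)
            redactor.merge(sub)
        elif isinstance(value, str) and value.startswith(REF_PREFIXES):
            parse_ref(value)  # raises on a malformed reference
            secret = fetch(value)
            redactor.register(secret)
            resolved[key] = secret
        else:
            resolved[key] = value
    return resolved, redactor


if __name__ == "__main__":
    committed = {
        "db": {"user": "app", "password": "vault://team/app/db_password"},
        "api_token": "aws-sm://prod/api/token",
        "region": "eu-west-1",
    }
    runtime, redactor = resolve_config(committed)
    # Safe to log: the committed config only ever contains references.
    print("config:", committed)
    # A line that would otherwise leak a value is scrubbed before logging.
    print(redactor.redact(f"connecting as app with password {runtime['db']['password']}"))
```

Redaction is the last line of defence, not the first: it only masks values the redactor knows about, in the exact form it knows them, so a value that reaches a log by another path (URL-encoded in a connection string, base64 in a manifest) is not caught. That is why the runbook's search for exposure has to cover encoded forms as well as the literal value.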