
Secrets and Variables

Terrateam offers multiple ways to manage sensitive information and customize your Terraform configurations using GitHub secrets, variables, or .tfvars files. All methods produce the same outcome, allowing you to choose the approach that best fits your workflow and needs for managing Terraform variables.

GitHub Secrets and Variables

Environment Variables

GitHub Secrets and Variables can be used to set environment variables. They are translated into environment variables in the Terrateam GitHub Action runtime environment. These environment variables may be referenced in your Terraform code.

Defining a GitHub Secret

You can use the GitHub CLI or the web interface to define a GitHub secret.

Using GitHub CLI

  1. Open your terminal.

  2. Run the following command to create a secret named AWS_ACCESS_KEY_ID:

    gh secret set AWS_ACCESS_KEY_ID --body "AKIAIOSFODNN7EXAMPLE"

Using GitHub Web Interface

  1. Access the repository with the Terrateam app installed.
  2. Navigate to Settings > Secrets and variables > Actions.
  3. Click on New repository secret.
  4. Specify the Name (AWS_ACCESS_KEY_ID) and a Secret value (AKIAIOSFODNN7EXAMPLE).
  5. Click Add secret.

Using GitHub Secrets in Terraform

Secrets and variables that start with TF_VAR_ are treated specially by Terrateam.

GitHub secrets and variables are always uppercase; by convention, however, Terraform variables are lowercase. Terrateam automatically finds all secrets and variables whose names start with TF_VAR_ and, for each one, creates a new environment variable whose name has the part after the TF_VAR_ prefix lowercased. If the lowercase name already exists, no action is taken. The uppercase environment variable is left unchanged. For example, the secret TF_VAR_LOGIN_TOKEN will create a new environment variable called TF_VAR_login_token.

Likewise, a secret named TF_VAR_DATABASE_PASSWORD will create an environment variable TF_VAR_database_password, which Terraform automatically maps to a variable named database_password in your Terraform configuration.

variable "database_password" {
  description = "Password for database connection"
  type        = string
  sensitive   = true
}

resource "aws_db_instance" "example" {
  # Other configuration...
  password = var.database_password
}
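As an added illustration (not Terrateam's own code), the following Python models the TF_VAR_ lowercasing rule described above and runs it over a constructed environment; every variable name and value in the sample is made up for the example, so the behaviour on the edge cases (an already-lowercase name, an explicitly set lowercase twin, unrelated variables) can be checked.

```python
from typing import Mapping

TF_VAR_PREFIX = "TF_VAR_"


def lowercase_tf_vars(env: Mapping[str, str]) -> dict[str, str]:
    """Return a copy of `env` with a TF_VAR_<lowercase> twin added for every
    TF_VAR_<UPPERCASE> entry, following the rules stated in the text:

    - the original uppercase variable is left unchanged,
    - the twin is only created when the lowercase name is not already set,
    - variables without the TF_VAR_ prefix are ignored.
    """
    result = dict(env)
    for name, value in env.items():
        if not name.startswith(TF_VAR_PREFIX):
            continue
        suffix = name[len(TF_VAR_PREFIX):]
        lowered = TF_VAR_PREFIX + suffix.lower()
        if lowered == name or lowered in result:
            # Already lowercase, or the Terraform-style name was set explicitly.
            continue
        result[lowered] = value
    return result


# Constructed sample environment (hypothetical names and values, not real secrets).
SAMPLE_ENV = {
    "TF_VAR_LOGIN_TOKEN": "tok-example",            # gains TF_VAR_login_token
    "TF_VAR_DATABASE_PASSWORD": "pw-example",        # gains TF_VAR_database_password
    "TF_VAR_region": "us-west-2",                    # already lowercase: untouched
    "TF_VAR_INSTANCE_TYPE": "t3.large",              # lowercase twin already exists
    "TF_VAR_instance_type": "t3.micro",              # so this explicit value wins
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",     # no TF_VAR_ prefix: ignored
}


def terraform_variable_names(env: Mapping[str, str]) -> list[str]:
    """Names Terraform would see as `var.<name>` after the mapping, i.e. the
    suffixes of the lowercase TF_VAR_ entries (Terraform variable names are
    case-sensitive, so the uppercase entries do not match lowercase variables)."""
    mapped = lowercase_tf_vars(env)
    return sorted(
        n[len(TF_VAR_PREFIX):]
        for n in mapped
        if n.startswith(TF_VAR_PREFIX) and n[len(TF_VAR_PREFIX):].islower()
    )


if __name__ == "__main__":
    for key, val in sorted(lowercase_tf_vars(SAMPLE_ENV).items()):
        print(f"{key}={val}")
```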

Security

GitHub secrets are stored encrypted at rest using a libsodium sealed box and are only decrypted when used in GitHub Actions workflows.

When Terrateam runs your Terraform operations:

  1. Encrypted secrets are decrypted within the GitHub Actions runtime.
  2. Decrypted secrets are made available as environment variables within the GitHub Actions runner.

The Terraform plan files, which may contain sensitive data such as decrypted secrets, are stored temporarily during the plan and apply phases, then immediately deleted.

For more details on how we handle sensitive data, visit our Security page.

Hooks and Workflows

Terrateam also allows you to set environment variables using Hooks and Workflows.

Hooks

You can set an environment variable at the very start of a Terrateam operation using Hooks.

hooks:
  plan:
    pre:
      - type: env
        name: FOO
        cmd: ['echo', 'BAR']
  apply:
    pre:
      - type: env
        name: BAZ
        cmd: ['echo', 'QUX']

The following code snippet shows how to set a dynamic environment variable based on the current Git branch:

hooks:
  plan:
    pre:
      - type: env
        name: CURRENT_GIT_BRANCH
        cmd: ['bash', '-c', 'echo $(git rev-parse --abbrev-ref HEAD)']

Workflows

You can also set an environment variable at the start of each Plan and Apply operation.

workflows:
  - tag_query: ""
    plan:
      - type: init
      - type: env
        name: FOO
        cmd: ["echo", "BAR"]
      - type: plan
    apply:
      - type: init
      - type: env
        name: FOO
        cmd: ["echo", "BAR"]
      - type: apply

.tfvars Files

Terraform allows you to define variables in .tfvars files, which can be used to customize your Terraform configurations.

To use a .tfvars file with Terrateam, you can specify the file path in your workflow configuration using the extra_args option.

workflows:
  - tag_query: ""
    plan:
      - type: init
      - type: plan
        extra_args: ["-var-file=qa.tfvars"]
    apply:
      - type: init
      - type: apply

The following code snippet shows an example of a .tfvars file:

qa.tfvars

region        = "us-west-2"
instance_type = "t3.micro"
vpc_cidr      = "10.0.0.0/16"
environment   = "qa"

In this example, the qa.tfvars file will be used during the plan step, providing environment-specific variable values to your Terraform configuration.