Andi Ashari

Securing Credentials in Terraform with GCP Secret Manager and Random Passwords

Managing sensitive information such as passwords and credentials securely is paramount. This guide will show you how to generate and manage credentials securely using Terraform on Google Cloud Platform (GCP), specifically leveraging the Secret Manager service. We’ll use Terraform’s random_password resource to create secure passwords and detail how to store these credentials safely in GCP Secret Manager.

Generating Secure Passwords with random_password

Terraform’s random_password resource is designed for creating secure passwords, treating the output as sensitive to prevent it from being displayed in the console. Here’s a basic example:

resource "random_password" "db_password" {
  length  = 16
  special = true
  // If the consuming system rejects some punctuation, the override_special
  // argument restricts which special characters may appear in the result.
}

This snippet generates a 16-character password that includes special characters. The result is marked sensitive, so Terraform redacts it from plan and apply output and from logs; note that it is still recorded in plain text in the state file, which is why the next section matters.

Handling Sensitive Data in Terraform State

Sensitive data in Terraform state requires careful handling:

  • Treat Terraform state as sensitive: Especially when using local state, as it’s stored in plain-text JSON files.
  • Store state remotely: For enhanced security, leverage backends that offer encryption at rest.
  • Use encrypted backends: Platforms like Terraform Cloud provide state encryption, TLS-protected transit, and a historical record of state changes.
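To make the first bullet concrete, the following added example (not code from the original post) scans a Terraform state file for the attributes that carry secret material in the resources used in this post. The state document is constructed inline for the example and the password value in it is a placeholder; the resource type and attribute names are the real ones the random, Google Secret Manager and Cloud SQL resources write to state. Running it shows that one generated password lands in state three times, so protecting the state file is as important as protecting Secret Manager itself.

```python
import json

# Constructed sample of a Terraform state file (terraform.tfstate, format
# version 4). It is not a real state from any project; it mirrors the resources
# used in this post so the scan below shows where the generated password ends up.
CONSTRUCTED_PASSWORD = "Xy7!qL2#mN9$pR4&"  # placeholder value, not a real secret

SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "random_password", "name": "db_password",
         "instances": [{"attributes": {
             "length": 16, "special": True, "result": CONSTRUCTED_PASSWORD}}]},
        {"mode": "managed", "type": "google_secret_manager_secret_version",
         "name": "db_password_version",
         "instances": [{"attributes": {
             "secret": "projects/example-project/secrets/database-credentials",
             "secret_data": CONSTRUCTED_PASSWORD}}]},
        {"mode": "managed", "type": "google_sql_user", "name": "example_db_user",
         "instances": [{"attributes": {
             "name": "db_user", "password": CONSTRUCTED_PASSWORD}}]},
        {"mode": "managed", "type": "google_sql_database", "name": "example_db",
         "instances": [{"attributes": {"name": "exampledb"}}]},
    ],
})

# Attributes that carry secret material for the resource types used in this post.
SENSITIVE_ATTRS = {
    "random_password": {"result", "bcrypt_hash"},
    "google_secret_manager_secret_version": {"secret_data"},
    "google_sql_user": {"password"},
}


def _scan(state_json: str):
    """Yield (resource address, attribute, value) for every non-empty secret in state."""
    state = json.loads(state_json)
    for res in state.get("resources", []):
        watch = SENSITIVE_ATTRS.get(res["type"], set())
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for key in sorted(watch & set(attrs)):
                if attrs[key]:
                    yield address, key, attrs[key]


def find_plaintext_secrets(state_json: str) -> list[tuple[str, str]]:
    """Return (resource address, attribute) pairs whose plaintext secret is in state."""
    return [(address, key) for address, key, _ in _scan(state_json)]


def secret_value_locations(state_json: str) -> dict[str, list[str]]:
    """Group the secret-bearing attributes by the value they hold.

    One generated password normally appears several times (the generator, the
    Secret Manager version, and the consuming resource), so anyone who can read
    the state file has it regardless of how tightly Secret Manager is locked down.
    """
    locations: dict[str, list[str]] = {}
    for address, key, value in _scan(state_json):
        locations.setdefault(value, []).append(f"{address}.{key}")
    return locations


def mask(value: str) -> str:
    """Report only the length of a secret, never the value itself."""
    return f"<{len(value)} chars>"


if __name__ == "__main__":
    for value, where in secret_value_locations(SAMPLE_STATE).items():
        print(f"secret {mask(value)} stored in plain text at: {', '.join(where)}")
```

Point the same scan at a real `terraform.tfstate` (or at `terraform state pull` output) to confirm what a remote backend must protect; the report masks values so it can be pasted into a ticket safely.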

Secure Credential Storage with GCP Secret Manager

To store the generated password, we use GCP Secret Manager through the google_secret_manager_secret and google_secret_manager_secret_version resources:

resource "google_secret_manager_secret" "database_credentials" {
  secret_id = "database-credentials"

  // replication is a required block; auto lets Google choose the storage regions
  replication {
    auto {}
  }
}

resource "google_secret_manager_secret_version" "db_password_version" {
  secret      = google_secret_manager_secret.database_credentials.id
  // The generated password becomes the payload of this secret version
  secret_data = random_password.db_password.result
}

In this example, we create a secret named database-credentials in GCP Secret Manager and add a secret version containing the generated password.

Usage Example with Google Cloud SQL

Let’s integrate the securely stored credentials with a Google Cloud SQL instance:

resource "google_sql_database_instance" "example_instance" {
  // Instance configuration... (settings is a required block; the tier is an example machine type)
  database_version = "MYSQL_5_7"
  settings {
    tier = "db-f1-micro"
  }
}

resource "google_sql_database" "example_db" {
  instance = google_sql_database_instance.example_instance.name
  name     = "exampledb"
}

resource "google_sql_user" "example_db_user" {
  instance   = google_sql_database_instance.example_instance.name
  name       = "db_user"
  // Reference the same secret version that was written to Secret Manager
  password   = google_secret_manager_secret_version.db_password_version.secret_data
  // Redundant but harmless: the password reference above already implies this dependency
  depends_on = [google_secret_manager_secret_version.db_password_version]
}

This configuration creates a Google Cloud SQL instance, a database, and a user. The user's password is taken from the same secret version that was written to Secret Manager, so the value generated by random_password is the one both stored in Secret Manager and set on the database user. Terraform resolves that reference from its own state rather than by reading the secret back through the Secret Manager API, so the state handling described above still applies.

By utilizing Terraform’s random_password resource in conjunction with GCP Secret Manager, you can effectively secure the generation and management of credentials for your infrastructure. This method provides a strong, secure foundation for deploying cloud infrastructure on the Google Cloud Platform, safeguarding against the risks associated with managing sensitive information.