How to use environment variables for secrets in Terraform

I am trying to configure Terraform so it uses environment variables for AWS Secrets.

terraform.tfvars:

access_key = "${var.TF_VAR_AWS_AK}"
secret_key = "${var.TF_VAR_AWS_SK}"
aws_region = "eu-north-1"

main.tf:

provider "aws" {
  region     = "${var.aws_region}"
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
}

In the console (it's on Windows 10):

set TF_VAR_AWS_AK = asd12345asd12345
set TF_VAR_AWS_SK = asd12345asd12345
terraform plan

Error messages:

Error: Variables not allowed
  on terraform.tfvars line 1:
   1: access_key = "${var.TF_VAR_AWS_AK}"
Variables may not be used here.

Error: Variables not allowed
  on terraform.tfvars line 2:
  2: secret_key = "${var.TF_VAR_AWS_SK}"
Variables may not be used here.

Not sure where the problem is. TF docs say it is possible to use env vars for secrets.

robliv asked Sep 06 '25 03:09


2 Answers

To configure providers and backends with environment variables, you don't need to write anything special in the configuration at all. Instead, you can just set the conventional environment variables related to the provider in question.

For example, you seem to be using AWS in which case you can use either the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment variables or you can populate a credentials file, the same as for the AWS SDK. You can then skip all of the declaration of variables and just reduce your provider block as follows:

provider "aws" {
  region = "${var.aws_region}"
}

Terraform's AWS provider supports the same set of credentials sources that the AWS CLI does without any Terraform-specific configuration. That is the recommended way to configure credentials for the AWS provider, because then you only need to set up your AWS credentials once and you can use the AWS SDK, Terraform, and any other software that interacts with AWS and supports its conventions.

There's more information on the AWS provider authentication options in the AWS provider documentation.

Martin Atkins answered Sep 09 '25 00:09


As described in the documentation: https://www.terraform.io/docs/configuration/variables.html#environment-variables

The environment variable names must be TF_VAR_<yourtfvariablename>.

With a terraform variable like this :

variable "aws_region" {
  type = string
}

Your environment variable name must be TF_VAR_aws_region.

There is actually no way to use environment variables directly in Terraform (e.g. region = env.AWS_REGION); you must use TF_VAR_ to use env vars.

Martin Paucot answered Sep 09 '25 00:09
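A pre-flight check that puts both answers above into practice, as an added example (not code from the question or either answer): it maps a Terraform variable name to its TF_VAR_ environment variable, refuses to run when a *.tfvars file carries a literal credential, and confirms that credentials are available through one of the conventional AWS sources instead. The function names, the checked key names and the constructed sample file are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the question or the answers. Run before `terraform plan`:
# credentials must come from the environment (or the AWS credentials file), never
# from a literal value in a *.tfvars file. Names below are illustrative.

# Map a Terraform variable name to the environment variable Terraform reads for it.
# Terraform matches the suffix case-sensitively, so the case is preserved as given.
tf_env_name() {
  printf 'TF_VAR_%s\n' "$1"
}

# Return 0 if the file assigns a credential-looking key to a quoted value,
# 1 otherwise. Matches   secret_key = "..."   regardless of what the quotes hold.
tfvars_has_literal_secret() {
  grep -Eq '^[[:space:]]*(access_key|secret_key|token|password)[[:space:]]*=[[:space:]]*"[^"]+"' "$1"
}

# Return 0 if AWS credentials are reachable by a conventional source (static keys
# in the environment, a named profile, or a shared credentials file), 1 otherwise.
aws_credentials_available() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] && return 0
  [ -n "${AWS_PROFILE:-}" ] && return 0
  [ -f "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" ] && return 0
  return 1
}

# Combined gate: returns 0 only when the tfvars file is free of literal secrets
# and some credentials source is configured; prints the reason otherwise.
preflight() {
  if [ -f "$1" ] && tfvars_has_literal_secret "$1"; then
    echo "refusing: literal credential in $1; move it to the environment" >&2
    return 1
  fi
  if ! aws_credentials_available; then
    echo "refusing: set AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or AWS_PROFILE" >&2
    return 1
  fi
  return 0
}

# Constructed sample: a tfvars file that (wrongly) carries a literal secret key.
SAMPLE=$(mktemp)
printf 'aws_region = "eu-north-1"\nsecret_key = "asd12345asd12345"\n' > "$SAMPLE"
preflight "$SAMPLE" || echo "preflight blocked terraform plan (expected for the sample)"
rm -f "$SAMPLE"
```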