...
For things like a database URL, we use a Lambda rotation function which creates a new password in the database each month and then updates the secret. (For example, see thoughtbot/terraform-aws-databases/rds-postgres/admin-login)
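The monthly rotation Lambda mentioned above is referenced but not shown, so here is an added example (not thoughtbot's module code) of the four-step Secrets Manager rotation protocol such a function implements: createSecret, setSecret, testSecret, finishSecret, run against an in-memory stand-in for the boto3 client and for the database, both constructed for this example. In a real Lambda, `rotate` would be called from the handler with `boto3.client("secretsmanager")` and a live database connection; the event fields, version stages and client calls are the real service's.

```python
import json
import secrets

class FakeSecretsManager:  # in-memory stand-in for boto3's secretsmanager client (constructed here)
    def __init__(self, current_value):
        self.versions = {"v0": [current_value, ["AWSCURRENT"]]}
    def begin_rotation(self, token):  # the service stages an empty AWSPENDING version before step 1
        self.versions[token] = [None, ["AWSPENDING"]]
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(s) for v, (_, s) in self.versions.items()}}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage="AWSCURRENT"):
        for vid, (value, stages) in self.versions.items():
            if (vid == VersionId if VersionId else VersionStage in stages) and value is not None:
                return {"SecretString": value}
        raise LookupError("ResourceNotFoundException")
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = [SecretString, list(VersionStages)]
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId][1].remove(VersionStage)
        self.versions[MoveToVersionId][1].append(VersionStage)

class FakeDatabase:  # stand-in for the Postgres role being rotated (constructed here)
    def __init__(self, **passwords): self.passwords = passwords
    def alter_password(self, user, pw): self.passwords[user] = pw  # ALTER ROLE ... PASSWORD in real life
    def can_login(self, user, pw): return self.passwords.get(user) == pw

def rotate(event, client, db):
    """One rotation step; Secrets Manager invokes the Lambda once per step, in order."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    versions = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    stages = versions.get(token, [])
    if "AWSCURRENT" in stages: return "already-rotated"  # a retry after success is a no-op
    if "AWSPENDING" not in stages: raise ValueError("version %s is not staged AWSPENDING" % token)
    if step == "createSecret":
        try:  # idempotent: a retry must not mint a second password for the same token
            client.get_secret_value(SecretId=arn, VersionId=token)
        except LookupError:
            current = json.loads(client.get_secret_value(SecretId=arn)["SecretString"])
            pending = dict(current, password=secrets.token_urlsafe(24))  # keep user/host, new password
            client.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])
        return step
    pending = json.loads(client.get_secret_value(SecretId=arn, VersionId=token)["SecretString"])
    if step == "setSecret":  # change the database first; AWSCURRENT still serves the old password
        db.alter_password(pending["username"], pending["password"])
    elif step == "testSecret":  # never promote a credential that does not actually log in
        if not db.can_login(pending["username"], pending["password"]): raise RuntimeError("pending credential rejected")
    elif step == "finishSecret":  # only now does the AWSCURRENT label move to the new version
        current_id = next(v for v, s in versions.items() if "AWSCURRENT" in s)
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
    else: raise ValueError("unknown step " + step)
    return step
```

The ordering is the security-relevant part: the database is changed and verified before the AWSCURRENT label moves, so a failed test leaves applications on the still-working old password.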
For things like the Rails secret base, we generate a random one in Terraform and populate it there.
```hcl
resource "random_password" "secret_key_base" {
  length  = 32
  special = false
}

module "rails_secret" {
  source      = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"
  description = "Secrets for the Rails application"
  name        = "example-app-secret"

  initial_value = jsonencode({
    SECRET_KEY_BASE = random_password.secret_key_base.result
  })
}
```
For external tokens that we can't control, we create an empty secret in Terraform (using thoughtbot/terraform-aws-secrets/secret as the source) and populate it by hand in the AWS Management Console.
```hcl
module "prismic_secret" {
  source      = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"
  description = "Secrets for accessing the Prismic API"
  name        = "example-prismic"

  initial_value = jsonencode({
    # Fill this in using the SecretsManager UI or CLI
    PRISMIC_ACCESS_TOKEN = ""
  })
}
```
Once you’ve safely stored your secret using Secrets Manager, you can add secrets to pods as environment variables or files.