Home » Secrets at rest – Securing OpenStack laC Environment Variables

Secrets at rest – Securing OpenStack laC Environment Variables

Infrastructure as code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.[1] The IT infrastructure managed by this process comprises both physical equipment, such as bare-metal servers, as well as virtual machines, and associated configuration resources. IaC offers benefits including faster time to production and market; improved consistency; efficient and more innovative development; and lower costs.

In this short technical article, we will discuss how to secure Terraform environment variable secrets at rest.


Terraform is an open-source infrastructure as code software tool created by HashiCorp. Users define and provide data center infrastructure using a declarative configuration language known as HashiCorp Configuration Language (HCL), or optionally JSON.[3]


Terraform manages external resources (such as public cloud infrastructure, private cloud infrastructure, network appliances, software as a service, and platform as a service).


Terraform is a great tool for automating your infrastructure. We have been using it recently to capture some OpenStack infrastructure as code (IaC). I am reading through the 2nd edition of Terraform: Up & Running by Yevgeniy Brikman. I just finished reading chapter 3 which is about managing your Terraform state. One of the sidebars was about secrets.

One of the best practices with IaC is to make sure your secrets never wind up in your source repositories. Terraform has the ability to accept environment variables as parameters which would certainly make life easier if we put them in our shell startup script. But how can we set up environment variables as Terraform parameters without storing our passwords in plain text in say .zshrc or in our shell history? A solution proposed in chapter 3 is to use a tool like http://passwordstore.org to secure your secrets at rest.

For this solution, you will need a GPG key, the password manager from http://passwordstore.org. You will modify your .zshrc to invoke new environment variables and modify your .tf files to use those variables.

If you need a gpg key run this command and follow the prompts:

gpg –full-generate-key

Choose RSA + RSA, use key size 4096, set the key expiry and enter your details.

You will get some output that looks like this:

gpg: key 866F4C51D21B52CA marked as ultimately trusted

gpg: directory ‘/Users/neilderraugh/.gnupg/openpgp-revocs.d’ created

gpg: revocation certificate stored as ‘/Users/neilderraugh/.gnupg/openpgp-revocs.d/9BCFAF34DC248F0C3BF998A03FC9BC700DD0A19A.rev’

Next step install pass: the standard unix password manager. Note that you’ll need the key id (866F4C51D21B52CA)from the previous step.

brew install pass


pass init “866F4C51D21B52CA”


pass insert openstack_password “some password”

Add the Terraform environment variables you want to your .zshrc:

export TF_VAR_openstack_password=$(pass openstack_password)

export TF_VAR_openstack_user_name=service_account_user

export TF_VAR_openstack_auth_url=http://some_url:5000/v3

export TF_VAR_openstack_tenant_id=some_id

And then modify your var.tf to leverage those new environment variables including the secrets:

variable “openstack_user_name” {




variable “openstack_password” {




variable “openstack_auth_url” {




variable “openstack_tenant_id” {



Your main.tf will look something like this:

provider “openstack” {

  user_name   = var.openstack_user_name

  tenant_name = var.openstack_user_name

  password    = var.openstack_password

  auth_url    = var.openstack_auth_url

  tenant_id   = var.openstack_tenant_id

  region      = “RegionOne”



We hope you found this technical article useful.