
Secret management with terraform cdk

In the past I've used Pulumi, which offers a secrets management solution that allows stack-based secrets to be checked into git while being encrypted.

I've been looking for a similar solution with Terraform CDK and haven't found one. Does Terraform CDK offer a similar solution so that I don't have to expose my stack-based secrets (like mongoPassword in the Pulumi example above)?

Paymahn Moghadasian asked Nov 22 '25 15:11


1 Answer

Unlike Pulumi, all secrets in Terraform are stored in your state in plaintext. There’s an issue that’s been open for 8 years (at the time of writing this answer): https://github.com/hashicorp/terraform/issues/516

There’s also a Gruntwork post on best practice, which specifically states that the secrets aren’t encrypted: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1 (relevant bit about the state is here: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1#c49b)

Piers Karsenbarg answered Nov 25 '25 09:11


