Using git hooks to remove sensitive data from Terraform

If you use Terraform as much as I do, you will have noticed that when you create new IAM users, Terraform stores each user's secret key in the tfstate.

This is very useful if you want to keep the tfstate as the source of truth for keys (no judging), but in a shared environment where many people have access to that information, you might want to avoid leaking the keys into the tfstate.

Removing the secrets from the huge JSON tfstate is a manual process, one that is easily forgotten, and then a secret can be “leaked”.

For this I made a simple git hook that looks for a secret in the git history of the commit and warns if and when one is detected.

Source: Gist
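A pre-commit hook along these lines, written here as an added example and not taken from the Gist. It assumes the key lands in the `secret` attribute that `aws_iam_access_key` writes to state, that scanning the staged copy of each state file is enough, and that the script is installed as `.git/hooks/pre-commit`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the author's Gist): refuse a commit when a staged
# *.tfstate file carries a populated "secret" attribute.

# "secret": "<non-empty>"; empty strings and null do not match.
SECRET_RE='"secret"[[:space:]]*:[[:space:]]*"[^"]+"'

# Read tfstate JSON on stdin. Print the matching line numbers (never the
# value itself) and return 0 if a secret is present, 1 if the state is clean.
find_secret_lines() {
  hits=$(grep -nE "$SECRET_RE" | cut -d: -f1 | tr '\n' ' ')
  [ -n "$hits" ] || return 1
  printf '%s\n' "${hits% }"
}

# Scan the staged blob (":path") of every added/copied/modified state file.
check_staged_tfstate() {
  status=0
  files=$(git diff --cached --name-only --diff-filter=ACM -- '*.tfstate' '*.tfstate.backup')
  while IFS= read -r file; do
    [ -n "$file" ] || continue
    if lines=$(git show ":$file" | find_secret_lines); then
      echo "pre-commit: $file has a populated \"secret\" on line(s) $lines" >&2
      status=1
    fi
  done <<EOF
$files
EOF
  return "$status"
}

# Constructed sample state (not real credentials) for trying the scanner.
sample_state() {
  cat <<'EOF'
{
  "resources": [
    { "type": "aws_iam_access_key",
      "instances": [ { "attributes": {
        "secret": "constructed-not-a-real-secret",
        "user": "ci-bot" } } ] }
  ]
}
EOF
}

# Run the check only when invoked as the pre-commit hook.
case "$0" in *pre-commit) check_staged_tfstate ;; esac
```

A non-zero exit from the hook aborts the commit, and the message names only the file and line so the key is not echoed into terminal logs.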

Alexandros Sapranidis

Software engineer, keen on wearing many hats, currently Senior Software Engineer @Elastic cloud

Athens, Greece