
Environment secrets and variables

Summary

We recommend you separate your environment secrets from other typical environment variables. You can use AWS Secrets Manager and AWS Parameter Store to store environment secrets and variables. It is common to store values that belong together in the same place. For example, storing a client_id and its client_secret in the same location makes them easier to manage together.

Environment secrets

Environment secrets are sensitive information that should not be stored in plain text. Examples of environment secrets include:

  • Database credentials
  • API keys
  • Environment specific secrets

Environment secrets are stored in AWS Secrets Manager. You can refer to them in your Terraform configuration using aws_secretsmanager_secret_version, which fetches the secret value from AWS Secrets Manager and exposes it in the secret_string attribute.

Example
# Creates the secret container only; the value itself is written by a separate
# aws_secretsmanager_secret_version, so no plain-text secret sits in this block.
resource "aws_secretsmanager_secret" "my_secret" {
  name = "my_secret"
}

Automatic rotation

Secrets in AWS Secrets Manager can be configured to automatically rotate. This is done by setting the rotation_enabled attribute to true. rotation_lambda_arn specifies the ARN of the Lambda function that will be used to rotate the secret. The Lambda function must have the secretsmanager:RotateSecret permission.

Environment variables

Environment variables are non-sensitive information that is used to configure your application. Examples of environment variables include:

  • Database connection strings
  • API URLs
  • Environment specific configuration
  • Environment specific variables
  • Environment specific settings
  • Environment specific flags

Environment variables are stored in AWS Parameter Store. They are referenced in your Terraform configuration using the aws_ssm_parameter resource. This resource will automatically fetch the parameter value from AWS Parameter Store. The variable is stored in the value attribute.

Example
# Non-sensitive configuration: type "String" stores the value in plain text,
# which is appropriate here because the value is not a secret.
resource "aws_ssm_parameter" "my_parameter" {
  name        = "my_parameter"
  type        = "String"
  value       = "my_value"
  description = "My parameter"
}
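As an added example that is not from the original page, the pattern the summary and both sections describe: a client_id and client_secret kept together in one Secrets Manager secret, the matching non-sensitive setting in Parameter Store, and a data source reading the secret back. All names, variables and the URL are hypothetical. One caveat: the secret value is also written to Terraform state, so the state backend must be encrypted and access-restricted.

```hcl
# Added example (not part of the original page): one Secrets Manager secret
# holding client_id and client_secret together, plus a non-sensitive SSM
# parameter for the matching API URL. All names are hypothetical.

variable "oauth_client_id" {
  type = string
}

variable "oauth_client_secret" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output
}

# Container for the secret; both values live under one name so they are
# managed (and rotated) together.
resource "aws_secretsmanager_secret" "oauth_client" {
  name                    = "example/oauth-client"
  recovery_window_in_days = 7
}

# The actual value. Terraform state still holds it in plain text, so the
# state backend must be encrypted and access-restricted.
resource "aws_secretsmanager_secret_version" "oauth_client" {
  secret_id = aws_secretsmanager_secret.oauth_client.id
  secret_string = jsonencode({
    client_id     = var.oauth_client_id
    client_secret = var.oauth_client_secret
  })
}

# Non-sensitive configuration goes to Parameter Store as a plain String.
resource "aws_ssm_parameter" "oauth_api_url" {
  name        = "/example/oauth/api_url"
  type        = "String"
  value       = "https://auth.example.com/oauth2/token"
  description = "Token endpoint used with the example/oauth-client secret"
}

# Reading the secret back elsewhere: the data source returns the latest
# version's secret_string, which jsondecode() turns into a map.
data "aws_secretsmanager_secret_version" "oauth_client" {
  secret_id  = aws_secretsmanager_secret.oauth_client.id
  depends_on = [aws_secretsmanager_secret_version.oauth_client]
}

locals {
  oauth = jsondecode(data.aws_secretsmanager_secret_version.oauth_client.secret_string)
}
```

Any output or resource attribute that uses local.oauth["client_secret"] should itself be marked sensitive so the value is not echoed in plan output.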