What's the recommended way to handle secrets creation? IAC or manually?

[umm0n]

Hey everyone! Does gruntworks have an official recommendation for how to handle secrets creation in AWS? We understand that, due to the nature of secrets, it might not be feasible to use IAC for this. Should secrets be one of the few things we create manually?

[gruntwork-discussions]

You must label this issue with at least one of the following labels before it can be answered:

• r:terraform-aws-service-catalog
• r:terraform-aws-vpc
• r:terraform-aws-architecture-catalog
• r:terraform-aws-asg
• r:terraform-aws-beanstalk
• r:terraform-aws-cache
• r:terraform-aws-ci
• r:terraform-aws-ci-pipeline-example
• r:terraform-aws-cis-service-catalog
• r:terraform-aws-data-storage
• r:terraform-aws-ecs
• r:terraform-aws-eks
• r:terraform-aws-elk
• r:terraform-aws-kafka
• r:terraform-aws-lambda
• r:terraform-aws-load-balancer
• r:terraform-aws-messaging
• r:terraform-aws-mongodb
• r:terraform-aws-monitoring
• r:terraform-aws-openvpn
• r:terraform-aws-sam
• r:terraform-aws-security
• r:terraform-aws-server
• r:terraform-aws-static-assets
• r:terraform-aws-zookeeper
• r:terragrunt
• r:terratest
• r:repo-copier

Community Guidelines
Getting help
Gruntwork documentation

[umm0n]

I don't seem to be able to edit labels.

[brikis98]

You're not able to add labels on the right side of the page (see screenshot below)?

[umm0n]

Nope:

[infraredgirl]

Currently we recommend managing and creating secrets in AWS Secrets Manager using either the aws CLI, or the web console. This is the safest way to ensure that the secrets won't leak in an unexpected location, such as the terraform state file, or your local code.

Credit for answering this question goes to @yorinasub17.

[umm0n]

We suspected as much but it's nice to have a confirmation. Thanks!