
Secure Terraform Directory Structure

(31/07/2024)

Example Terraform Directory Structure

```
├── modules
│   ├── vpc
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── ec2
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── rds
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   └── s3
│       ├── main.tf
│       ├── outputs.tf
│       ├── variables.tf
│       └── versions.tf
├── environments
│   ├── dev
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── terraform.tfvars
│   ├── prod
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── terraform.tfvars
│   └── staging
│       ├── main.tf
│       ├── outputs.tf
│       ├── variables.tf
│       └── terraform.tfvars
├── scripts
│   └── init-backend.sh
├── .gitignore
├── backend.tf
├── main.tf
├── outputs.tf
├── providers.tf
├── terraform.tfvars
└── variables.tf
```

Security Best Practices

1. Separate Modules:
Create separate modules for different resources like VPC, EC2, RDS, and S3. This helps in managing and reusing the code efficiently.

2. Environment Separation:
Maintain separate directories for different environments (dev, prod, staging). This allows for isolated configurations and reduces the risk of accidental changes to the production environment.

3. State File Security:
Configure a remote backend for state files (e.g., AWS S3 with encryption and versioning). This ensures that the state files are stored securely and are protected against accidental or malicious changes. Note that Terraform state records resource attributes in plaintext, including values marked `sensitive`, so encryption and access control on the backend are what actually protect them.

4. Sensitive Data Management:
Use the `terraform.tfvars` file to manage environment-specific variables, and keep sensitive data (like passwords, keys) in a secure secrets management system (e.g., AWS Secrets Manager, HashiCorp Vault). Avoid hardcoding sensitive data directly in your `.tf` files.

5. Version Control:
Use version constraints (`versions.tf`) for your providers and modules to avoid unexpected changes and ensure compatibility.

6. Access Control:
Implement IAM policies and roles to control who can apply changes to the Terraform infrastructure. Use least privilege principles to minimize the risk of unauthorized access.

7. Code Quality and Security Checks:
Integrate Terraform code linting and security scanning tools (e.g., `tflint`, `tfsec`) in your CI/CD pipeline to automatically detect potential issues before changes are applied.
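As a worked example of practice 3 (added here, not part of the original document), a `backend.tf` that stores state in an encrypted, versioned S3 bucket with DynamoDB locking, together with the resources that create that bucket and table. Bucket, table and region names are placeholders; the bootstrap resources are applied once and separately (the role of `scripts/init-backend.sh` in the tree above), because a backend cannot be created by the configuration that depends on it.

```hcl
# backend.tf (placeholder names; assumes AWS provider >= 4.x resource layout)
terraform {
  backend "s3" {
    bucket         = "example-org-tfstate"                 # placeholder
    key            = "environments/prod/terraform.tfstate" # one key per environment
    region         = "us-west-2"
    encrypt        = true                                  # server-side encrypt every state write
    dynamodb_table = "example-org-tfstate-lock"            # placeholder; enables state locking
  }
}
# Bootstrap resources (apply once, e.g. from scripts/init-backend.sh)
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-tfstate"
}
# Versioning lets a corrupted or maliciously altered state be rolled back
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}
# Default encryption at rest; "aws:kms" with a customer-managed key adds key-policy control over reads
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
# State contains secrets in plaintext: never allow public access to the bucket
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
# Lock table prevents two concurrent applies from corrupting the state
resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "example-org-tfstate-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
```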

Example of Sensitive Data Management

`variables.tf`
```hcl
variable "db_password" {
  description = "The password for the RDS instance"
  type        = string
  sensitive   = true # redacted from plan/apply output (still written to state)
}
```

`terraform.tfvars` (Not included in version control)
```hcl
db_password = "example_password"
```

Using AWS Secrets Manager
```hcl
# Reads the current version of the secret at plan time
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "arn:aws:secretsmanager:us-west-2:123456789012:secret:mysecret"
}

# Kept for callers that still pass the password directly; unused once
# the value is read from Secrets Manager below
variable "db_password" {
  description = "The password for the RDS instance"
  type        = string
}

resource "aws_db_instance" "default" {
  identifier        = "my-db"
  engine            = "mysql"
  instance_class    = "db.t3.micro" # required by the provider; added so the block validates
  allocated_storage = 20            # required by the provider
  username          = "admin"       # required by the provider
  # Password comes from Secrets Manager, not from a variable or literal
  password = data.aws_secretsmanager_secret_version.db_password.secret_string
}
```
`.gitignore`
```gitignore
# Terraform state files
*.tfstate
*.tfstate.*

# Terraform crash log files
crash.log

# Ignore terraform.tfvars files
terraform.tfvars

# .terraform directory
.terraform/

# Secrets directory (if any)
secrets/
```

By organizing your Terraform project in this way and following these best practices, you can help ensure that your infrastructure is secure, manageable, and scalable.
