# secretzero terraform

Generate Terraform manifests from a Secretfile.

## Synopsis

## Description
The terraform command translates your SecretZero Secretfile.yml into a
Terraform configuration. It uses bundle-provided Terraform metadata to
declare providers and maps supported generators/targets to Terraform
resources (for example AWS SSM Parameters and Secrets Manager secrets).
Generated configuration can be written as HCL2 (.tf) or Terraform JSON
(.tf.json) and then used with standard Terraform workflows (terraform init,
terraform plan, terraform apply).
## Options

| Option | Type | Default | Description |
|---|---|---|---|
| `--file`, `-f` | path | `Secretfile.yml` | Path to Secretfile |
| `--var-file`, `-v` | path (repeatable) | – | `.szvar` variable file(s) to merge before export |
| `--output-dir`, `-o` | path | `terraform-out` | Directory to write generated Terraform files |
| `--format` | choice | `hcl` | Terraform output format: `hcl` or `json` |
| `--include-static-secrets` / `--no-include-static-secrets` | flag | `--no-include-static-secrets` | Whether to include default values for static-secret Terraform variables (not recommended for production) |
| `--dry-run` | flag | `false` | Show a summary of what would be generated without writing files |
## Supported mappings (initial)

The first version of `secretzero terraform` focuses on common patterns:

- Generators
  - `random_password` → `random_password` resource (hashicorp/random)
  - `random_string` → `random_string` resource (hashicorp/random)
  - `static` (and static-like bundle kinds) → sensitive Terraform variables
- Targets
  - `provider: aws`, `kind: ssm_parameter` → `aws_ssm_parameter`
  - `provider: aws`, `kind: secrets_manager` → `aws_secretsmanager_secret` + `aws_secretsmanager_secret_version`
  - `provider: azure`, `kind: azure_keyvault` / `key_vault` → `azurerm_key_vault_secret` (requires `azure_key_vault_id` variable)
  - `provider: vault`, `kind: vault_kv` / `kv` → `vault_kv_secret_v2`
Bundles that declare a terraform_provider field on their BundleManifest
automatically contribute required_providers entries and provider blocks.
Targets and generators without an explicit mapping are currently skipped; they must be modeled manually in Terraform if needed.
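To make the mapping table concrete, the following is a hand-written Terraform configuration of the shape the mappings above describe. It is an added illustration, not output captured from `secretzero terraform`, and it assumes a constructed Secretfile with a `random_password` generator named `db_password`, a `static` secret named `api_token`, an `aws` `ssm_parameter` target, an `aws` `secrets_manager` target and a `vault` `kv` target; the resource names, parameter paths, the `aws_region` variable and the vault provider source/version are assumptions.

```hcl
# Added illustration (not generated by secretzero terraform): the Terraform
# shape that the generator/target mappings describe, for a constructed
# Secretfile. Resource names, paths and version constraints are assumptions.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.0"
    }
    vault = {
      source  = "hashicorp/vault" # assumed source for a vault bundle
      version = "~> 4.0"          # assumed version constraint
    }
  }
}

# Provider block contributed by a bundle that declares terraform_provider.
provider "aws" {
  region = var.aws_region
}

variable "aws_region" {
  type    = string
  default = "eu-west-1" # constructed value
}

# The vault provider reads VAULT_ADDR / VAULT_TOKEN from the environment
# when no address or token is configured here.
provider "vault" {}

# Generator random_password -> hashicorp/random random_password resource.
# The generated value exists only in Terraform state, never in this file.
resource "random_password" "db_password" {
  length  = 32
  special = true
}

# Generator static -> sensitive input variable with no default, so the
# plaintext is not embedded here; supply it at plan/apply time via
# TF_VAR_api_token or a -var-file kept out of version control.
variable "api_token" {
  type      = string
  sensitive = true
}

# Target provider: aws, kind: ssm_parameter -> aws_ssm_parameter.
# SecureString is encrypted with the account's default SSM KMS key
# unless key_id is set.
resource "aws_ssm_parameter" "db_password" {
  name  = "/app/db_password" # constructed parameter name
  type  = "SecureString"
  value = random_password.db_password.result
}

# Target provider: aws, kind: secrets_manager -> aws_secretsmanager_secret
# plus aws_secretsmanager_secret_version. The container and its value are
# separate resources, so a value change creates a new version rather than
# recreating the secret.
resource "aws_secretsmanager_secret" "api_token" {
  name = "app/api_token" # constructed secret name
}

resource "aws_secretsmanager_secret_version" "api_token" {
  secret_id     = aws_secretsmanager_secret.api_token.id
  secret_string = var.api_token
}

# Target provider: vault, kind: kv -> vault_kv_secret_v2.
resource "vault_kv_secret_v2" "app" {
  mount = "secret" # constructed KV v2 mount path
  name  = "app"
  data_json = jsonencode({
    api_token = var.api_token
  })
}
```

Everything on the `static` path resolves to `var.api_token`, which is why the default of `--no-include-static-secrets` matters: the only place that value is ever written is the variable input, not the generated `.tf`.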
## Examples

### 1. Dry run (no files written)

Example output:

```text
Terraform generation plan (dry run)
Secrets: 3
Providers: 2
Resources: 5
Required providers:
• aws (source: hashicorp/aws) (version: ~> 5.0)
• random (source: hashicorp/random) (version: ~> 3.0)
Use --format hcl|json and remove --dry-run to write Terraform files.
```
### 2. Generate HCL (.tf) configuration

This writes `terraform/main.tf` containing:

- a `terraform.required_providers` block
- `provider` blocks for bundles that declare `terraform_provider`
- `resource` blocks for supported generators/targets

You can then run the standard Terraform workflow (`terraform init`, `terraform plan`, `terraform apply`) against that directory.
### 3. Generate Terraform JSON (.tf.json)

This writes `terraform-json/main.tf.json` with a JSON representation of
the same configuration, suitable for tooling that prefers JSON.
## Security considerations

- Static secrets: Terraform export now always creates sensitive input variables for static/static-like secrets. By default, these variables have no `default` value, so plaintext is not embedded in generated files. Enabling `--include-static-secrets` adds static defaults to those variables, which may embed sensitive values directly into version-controlled Terraform files and state; use with caution.
- State files: Secrets stored via Terraform-managed resources will typically appear in Terraform state. Use remote, encrypted state backends and restrict access appropriately.
- Partial coverage: Not all SecretZero generators/targets have Terraform equivalents. Review generated configuration and complement it with hand-written Terraform as needed.
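The two points above are easiest to see side by side. The following added example, not generated by `secretzero terraform`, shows the variable form that `--include-static-secrets` produces next to the default form, and a remote, encrypted state backend of the kind the text recommends. The bucket, key, region, KMS key ARN and lock table names are constructed placeholders.

```hcl
# Added illustration, not generated by secretzero terraform. All bucket,
# table, key and KMS identifiers below are constructed placeholders.

# What --include-static-secrets produces: the static value becomes a
# default and is now plaintext in a version-controlled .tf file. Marking
# the variable sensitive only hides it from plan output; it is still on
# disk and in any repository the file is committed to.
variable "api_token_with_default" {
  type      = string
  sensitive = true
  default   = "EXAMPLE-PLAINTEXT-TOKEN" # constructed placeholder, never do this
}

# Default behaviour (--no-include-static-secrets): no default, so the
# value has to come from TF_VAR_api_token, a -var-file or an interactive
# prompt at plan/apply time, and the generated file carries no secret.
variable "api_token" {
  type      = string
  sensitive = true
}

# Remote, encrypted state. Values written through aws_ssm_parameter,
# aws_secretsmanager_secret_version, random_password and similar resources
# are recorded in state in plaintext, so the backend configuration, not
# the resources, is what protects them at rest.
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket"      # constructed
    key            = "secretzero/terraform.tfstate" # constructed
    region         = "eu-west-1"                    # constructed
    encrypt        = true                           # server-side encryption of the state object
    kms_key_id     = "arn:aws:kms:eu-west-1:123456789012:key/EXAMPLE-KEY-ID" # constructed
    dynamodb_table = "example-tfstate-locks"        # constructed; state locking
  }
}

# Outputs that expose a secret must be marked sensitive as well, or
# terraform apply prints the value to the console and CI logs.
output "api_token" {
  value     = var.api_token
  sensitive = true
}
```

Access to the state bucket and the KMS key is the effective access control for every secret the configuration manages, so it should be restricted at least as tightly as the target systems (SSM, Secrets Manager, Key Vault, Vault) themselves.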