# Terraform Password Protection of AWS, GCP, and Azure resources

**Problem Statement**

Nowadays DevOps guys use terraform quite a lot for creating resources in **AWS, GCP, or AZURE** cloud platforms. But while maintaining terraform versioning they use various Version Control Systems like **git, bitbucket** and while pushing the code they do commit the passwords in plaintext which are required to create resources like **AWS RDS, documentDB**, etc.


![Screenshot 2022-02-27 at 10.12.01 AM.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645936926406/vb4ZYE7-t.png)

So to protect our sensitive information like plaintext passwords which in our case is “password” we can do a few changes in our terraform code to get rid of this problem without using any 3rd party tools.

**Resolution**

Here Let’s take an example of creating AWS RDS as a resource from terraform. Create a directory “sensitive-information” to store your password file separately.

**mkdir sensitive-information**

**cd sensitive-information**

Create a JSON file to store your password

**echo “{ \”password\”: \”ourpassword\” }” >> sensitive-information/rds_pass.json**

Not we will use the **data** module of **terraform** to read the AWS RDS password from the JSON file.


![Screenshot 2022-02-27 at 10.14.42 AM.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645937086545/S5_N1aiky.png)

Now we are almost done just passing this data as a password in the **aws_db_instance** resource.


![Screenshot 2022-02-27 at 10.15.24 AM.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645937129669/Gv2-rrKAG.png)

or if we have set up the module-wise architecture of terraform we can also add this to the main directory from where you are calling this **aws_db_instance** resource a module.

![Screenshot 2022-02-27 at 10.16.17 AM.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645937182393/NPDXyD-X-.png)

Now we are good to go just encrypt the **rds_pass.json** and you will get **rds_pass.json.gpg**


```
gpg -o sensitive-information/rds_pass.json.gpg \ — batch \ — symmetric \ — openpgp \ — cipher-algo AES256 \ — s2k-cipher-algo AES256 \ — s2k-digest-algo SHA512 \ — s2k-mode 3 \ — s2k-count 65011712 \ — armor \ — emit-version \ sensitive-information/rds_pass.json
```

Now you can add **rds_pass.json **in your **.gitignore** and push the changes in git only **rds_pass.json.gpg** file will be committed later you can use that file to decrypt your passwords.



**Note**

*I hope this article will help you to protect your passwords from exposure, these issues are being faced by the company who are in their beginning phase to starting with terraform and got into securities issues of exposing passwords or any other sensitive information.*

