Write secrets

Before writing secrets, make sure you have created a repo, either in your shared organization workspace or in your personal workspace.

In the examples throughout this guide, we’re using your-username/start as the repo name. Make sure to replace it with your own.

To create a secret, you can use the secrethub_secret resource. You can specify a value directly or you can auto-generate a value:

resource "secrethub_secret" "db_password" {
  path = "your-username/start/db-password"

  generate {
    length      = 22
    use_symbols = true
  }
}

resource "secrethub_secret" "db_user" {
  path  = "your-username/start/db-user"
  value = "mydbuser"
}

Run terraform apply and your secrets are now on SecretHub! You can now reference them to create other resources:

resource "heroku_app" "your_app" {
  name   = "your-app"
  region = "us"
  
  sensitive_config_vars {
    DB_PASSWORD = "${secrethub_secret.db_password.value}"
    DB_USER     = "${secrethub_secret.db_user.value}"
  }
}

Or, for the purposes of this tutorial, just print their values:

output "db_password" {
  value = "${secrethub_secret.db_password.value}"
}

output "db_user" {
  value = "${secrethub_secret.db_user.value}"
}
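Printing secret values as plain outputs is fine for a tutorial, but it echoes them into the terminal and into CI logs. As an added example (not part of the SecretHub docs above), the same two outputs can be marked sensitive so Terraform redacts them in plan and apply output; the syntax follows the Terraform 0.11-style interpolation used on this page:

```hcl
# Added example: same outputs as above, but redacted in plan/apply output.
# Note: the values are still written to the Terraform state file, so the
# state backend must be protected (encrypted, access-controlled) regardless.
output "db_password" {
  value     = "${secrethub_secret.db_password.value}"
  sensitive = true
}

output "db_user" {
  value     = "${secrethub_secret.db_user.value}"
  sensitive = true
}
```

The sensitive flag only affects what Terraform displays; anyone with read access to the state can still see the values, so treat the state with the same care as the secrets themselves.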

Now, let’s say the requirements for your password strength change: the password needs to be at least 28 characters long. You can simply change the length field and Terraform will automatically generate a new password for you and propagate it wherever it’s used throughout your project:

resource "secrethub_secret" "db_password" {
  path = "your-username/start/db-password"

  generate {
    length = 28
  }
}

You can also manually tell Terraform to generate a new value for the secret by using the taint command:

terraform taint secrethub_secret.db_password && terraform apply

Path redundancy

To avoid redundancy in secret paths throughout your secret resources, you can specify a path_prefix on the provider, which will be applied to every secret configured using that provider:

provider "secrethub" {
  path_prefix = "your-username/start"
}

resource "secrethub_secret" "db_password" {
  path = "db-password"

  generate {
    length      = 22
    use_symbols = true
  }
}

resource "secrethub_secret" "db_user" {
  path  = "db-user"
  value = "mydbuser"
}

This can be overridden per individual resource:

resource "secrethub_secret" "other_db_password" {
  path_prefix = "your-username/some-other-repo" 
  path        = "db-password"

  generate {
    length = 16
  }
}

Alternatively, you can configure a second provider and give that a different path prefix.
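The two-provider approach mentioned above relies on Terraform provider aliases. The following is an added example (not from the SecretHub docs) showing both providers side by side; the alias name other is an arbitrary choice, and the repo paths are the ones used on this page:

```hcl
# Default provider: applies to every secrethub_secret that does not
# select a provider explicitly.
provider "secrethub" {
  path_prefix = "your-username/start"
}

# Second provider instance with a different prefix, selected by alias.
# "other" is an assumed alias name for this example.
provider "secrethub" {
  alias       = "other"
  path_prefix = "your-username/some-other-repo"
}

# Resolves to your-username/start/db-password via the default provider.
resource "secrethub_secret" "db_password" {
  path = "db-password"

  generate {
    length      = 22
    use_symbols = true
  }
}

# Resolves to your-username/some-other-repo/db-password via the aliased
# provider. Terraform 0.11-style syntax, matching the rest of this page.
resource "secrethub_secret" "other_db_password" {
  provider = "secrethub.other"
  path     = "db-password"

  generate {
    length = 16
  }
}
```

Using an alias keeps the per-repo prefix in one place instead of repeating path_prefix on each resource, which makes it harder to accidentally write a secret into the wrong repo.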