Infrastructure Secrets with Terraform
NetActuate Secrets Manager lets you store sensitive configuration values that can be referenced during VM provisioning. With the Terraform provider v2, you can manage secret lists and values as infrastructure code and inject them into VMs via cloud-init.
What You Will Build
By the end of this guide you will have:
- A secret list managed in Terraform
- Secret values for database credentials and API tokens
- A VM resource with cloud-init configuration that references those secrets at build time
Prerequisites
- Terraform 1.0+ installed
- NetActuate Terraform provider v0.2.5+ configured
- A NetActuate account with API access
- Familiarity with cloud-init basics — see Building VMs with Cloud-Init
Step 1: Create a Secret List
Define a secret list resource in your Terraform configuration:
resource "netactuate_secret_list" "app_secrets" {
  name = "production-app"
}
Secret list names must be unique within your account. Use descriptive names that identify the application or environment.
Step 2: Add Secret Values
Add individual secret values to the list. Each value has a key and a sensitive value:
resource "netactuate_secret_list_value" "db_password" {
  secret_list_id = netactuate_secret_list.app_secrets.id
  secret_key     = "DB_PASSWORD"
  secret_value   = var.db_password
}

resource "netactuate_secret_list_value" "api_token" {
  secret_list_id = netactuate_secret_list.app_secrets.id
  secret_key     = "API_TOKEN"
  secret_value   = var.api_token
}
Pass sensitive values through variables rather than hardcoding them:
variable "db_password" {
  type      = string
  sensitive = true
}

variable "api_token" {
  type      = string
  sensitive = true
}
Supply values via a .tfvars file, environment variables, or your CI/CD pipeline's secret store.
Note: Secret keys must be unique across all secret lists in your account.
Step 3: Reference Secrets in Cloud-Init
Create a VM resource with a cloud-init configuration that references your secrets using the ${{secret.KEY}} syntax. Inside a Terraform heredoc, write the reference as $${{secret.KEY}}: the doubled dollar sign stops Terraform from parsing ${ as its own interpolation, so the literal ${{secret.KEY}} reaches the platform:
resource "netactuate_server" "app" {
  hostname = "app01.example.com"
  plan     = "SSD.2GB"
  location = "SJC"
  image    = "Ubuntu 24.04 LTS"

  # $${ escapes Terraform's own interpolation so the literal ${{secret.KEY}}
  # reference is what the platform receives and resolves at build time.
  cloud_config = <<-YAML
    #cloud-config
    write_files:
      - path: /etc/app/config.env
        permissions: '0600'
        content: |
          DB_PASSWORD=$${{secret.DB_PASSWORD}}
          API_TOKEN=$${{secret.API_TOKEN}}
    runcmd:
      - systemctl restart myapp
  YAML
}
The platform resolves secret references at build time. The actual values never appear in your Terraform state or in the cloud-init YAML stored on disk. Only the template syntax is stored — NetActuate substitutes the real values on its infrastructure before delivering the script to the hypervisor.
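The three steps above, generalized to a map of secrets driven by for_each, as an added example that is not part of the original guide or the NetActuate example repository: adding a secret becomes a one-line change to the variable, and the cloud-init block is generated from the same key list. It assumes the resource arguments shown above; the variable name app_secrets, the locals, the key-format validation and the depends_on are my own additions.

```hcl
# Secrets as one sensitive map; the map keys become NetActuate secret keys.
variable "app_secrets" {
  type      = map(string)
  sensitive = true
  validation {
    condition     = alltrue([for k in keys(var.app_secrets) : can(regex("^[A-Z][A-Z0-9_]*$", k))])
    error_message = "Secret keys must be uppercase identifiers such as DB_PASSWORD."
  }
}

locals {
  # Key names are not secret; nonsensitive() lets for_each iterate them (for_each rejects sensitive values).
  secret_keys = nonsensitive(keys(var.app_secrets))
  # One KEY=${{secret.KEY}} line per key; $${ keeps Terraform from interpolating the platform reference.
  config_env = join("\n", [for k in local.secret_keys : "${k}=$${{secret.${k}}}"])
}

resource "netactuate_secret_list" "app_secrets" {
  name = "production-app"
}

resource "netactuate_secret_list_value" "this" {
  for_each       = toset(local.secret_keys)
  secret_list_id = netactuate_secret_list.app_secrets.id
  secret_key     = each.key
  secret_value   = var.app_secrets[each.key] # sensitive, so redacted in plan output
}

resource "netactuate_server" "app" {
  hostname = "app01.example.com"
  plan     = "SSD.2GB"
  location = "SJC"
  image    = "Ubuntu 24.04 LTS"

  # cloud_config is a literal string, so Terraform infers no dependency on the
  # secret values; depends_on makes them exist before the build resolves them.
  depends_on = [netactuate_secret_list_value.this]

  cloud_config = <<-YAML
    #cloud-config
    write_files:
      - path: /etc/app/config.env
        permissions: '0600'
        content: |
          ${indent(6, local.config_env)}
    runcmd:
      - systemctl restart myapp
  YAML
}
```

Supply the map from a .tfvars file or your pipeline's secret store, for example app_secrets = { DB_PASSWORD = "...", API_TOKEN = "..." }; the rendered config.env on the VM then contains one KEY=value line per map entry.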
Terraform State Security
Even though secret values are resolved server-side and not stored in Terraform state as plaintext, follow these practices for production use:
- Mark all secret variables as sensitive = true in your variable definitions
- Use remote state with encryption enabled (S3 + KMS, Terraform Cloud, etc.)
- Never commit .tfstate files to version control
- Add *.tfstate and *.tfstate.backup to your .gitignore
- terraform output will not display sensitive values; use the API or portal to verify secrets
Updating Secrets
To update a secret value, change the secret_value argument and run terraform apply. Terraform updates the value in Secrets Manager.
VMs that were built using the previous secret value are not automatically updated. The ${{secret.KEY}} syntax is resolved once at build time. Only new VM builds or rebuilds will pick up the changed value. If you need to rotate credentials on running VMs, use a configuration management tool like Ansible after updating the secret.
Deleting Secrets
When you remove a secret resource from your Terraform configuration, terraform apply deletes it from Secrets Manager. Before deleting a secret:
- Verify no active VMs depend on the secret value at runtime
- Confirm no pending builds reference the secret key
- Consider rotating the credential on running VMs before removal
Example Repository
A complete working example is available at:
https://github.com/netactuate/netactuate-terraform-secrets
The repository includes secret list creation, value management, and VM provisioning with cloud-init references.