Deploy Secrets with Terraform
A secret stores an encrypted value that you can mount as an environment variable in one or more containers. Secrets are encrypted at rest and only decrypted at deploy time inside the target region.
Updated 23 Jun 2026
Required fields
| Field | Type | Description |
|---|---|---|
| handle | string | A unique identifier. Released on delete (reusable). |
| name | string | A display name. |
| value | string | The secret value. Marked sensitive. |
Example
```hcl
resource "bahriya_secret" "db_password" {
  handle = "db-password"
  name   = "Database Password"
  value  = var.db_password
}

variable "db_password" {
  type      = string
  sensitive = true
}
```
Using a secret in a container
Reference the secret by handle in a secretsenvvar block. The name field is the environment variable name your application sees:
```hcl
resource "bahriya_container" "api" {
  # ... other required fields ...

  secretsenvvar {
    secret = bahriya_secret.db_password.handle
    name   = "DATABASE_PASSWORD"
  }

  secretsenvvar {
    secret = bahriya_secret.api_key.handle
    name   = "API_KEY"
  }
}
```
Multiple secrets
Define as many secrets as you need and wire them into any number of containers:
```hcl
resource "bahriya_secret" "db_password" {
  handle = "db-password"
  name   = "Database Password"
  value  = var.db_password
}

resource "bahriya_secret" "redis_url" {
  handle = "redis-url"
  name   = "Redis URL"
  value  = var.redis_url
}

resource "bahriya_secret" "api_key" {
  handle = "api-key"
  name   = "Third-Party API Key"
  value  = var.api_key
}
```
Notes
- Secret handles are released on delete and can be reused.
- The value field is sensitive. Terraform will not display it in plan output.
- Secrets are organisation-scoped, not project-scoped. Any container in the organisation can mount a secret by handle.
- Changing the value triggers an update. The container must be redeployed to pick up the new value.
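A CI check for the pattern in the Example section, added here and not part of the original page or the provider's tooling: it reads the configuration section of `terraform show -json` plan output and flags any bahriya_secret whose value is a literal or comes from a variable not declared sensitive. The plan excerpt is constructed, the function name is hypothetical, and only the root module is inspected.

```python
import json

# Constructed, trimmed sample of `terraform show -json <planfile>` output
# (only the "configuration" section is kept; all values are made up).
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {
  "variables": {"db_password": {"sensitive": true}, "redis_url": {}},
  "resources": [
    {"address": "bahriya_secret.db_password", "type": "bahriya_secret",
     "expressions": {"handle": {"constant_value": "db-password"},
                     "value": {"references": ["var.db_password"]}}},
    {"address": "bahriya_secret.redis_url", "type": "bahriya_secret",
     "expressions": {"handle": {"constant_value": "redis-url"},
                     "value": {"references": ["var.redis_url"]}}},
    {"address": "bahriya_secret.api_key", "type": "bahriya_secret",
     "expressions": {"handle": {"constant_value": "api-key"},
                     "value": {"constant_value": "example-not-a-real-key"}}}
  ]
}}}
""")


def audit_secret_values(plan):
    """Return (address, problem) pairs for bahriya_secret resources whose
    value is a literal or comes from a variable not marked sensitive."""
    root = plan.get("configuration", {}).get("root_module", {})
    variables = root.get("variables", {})
    findings = []
    for res in root.get("resources", []):
        if res.get("type") != "bahriya_secret":
            continue
        expr = res.get("expressions", {}).get("value", {})
        if "constant_value" in expr:
            # A literal in the .tf file ends up in version control.
            findings.append((res["address"], "value is a literal in the configuration"))
            continue
        # References look like "var.db_password"; dedupe nested forms such as "var.obj.key".
        names = sorted({r.split(".")[1] for r in expr.get("references", [])
                        if r.startswith("var.")})
        for name in names:
            if not variables.get(name, {}).get("sensitive", False):
                findings.append((res["address"], f"var.{name} is not marked sensitive"))
    return findings


if __name__ == "__main__":
    for address, problem in audit_secret_values(SAMPLE_PLAN):
        print(f"{address}: {problem}")
```

In CI, pass it the parsed output of `terraform show -json` for the saved plan file. The sensitive flag only redacts the value in Terraform's output; the value is still written to state, so the state backend needs equivalent protection.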