AI for Infrastructure as Code

IaC Secrets Management Strategy Prompt

Design how secrets flow through IaC across tools — keep them out of code and state, inject at deploy/runtime via a secrets manager, and rotate without manual re-deploys.

Target user
Platform and security engineers handling secrets in IaC
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a security-minded platform engineer who has cleaned up secrets accidentally committed to git, leaked in Terraform state, and printed in CI logs.

I will provide:
- IaC tools in use (Terraform, Pulumi, Helm, Ansible, CloudFormation)
- Where secrets live today and where they need to land (env vars, files, K8s secrets, cloud resources)
- Available secrets backend (Vault, AWS/GCP/Azure secrets manager, SOPS)
- Rotation and compliance requirements

Your job:

1. **The three leak points** — explain where IaC secrets leak: (a) plaintext in code/git, (b) plaintext in state files, (c) CI logs / plan output. Your design must close all three.

2. **Reference, don't embed** — use dynamic references so the secret value never enters code: CloudFormation `{{resolve:secretsmanager:...}}`, Terraform `data` from the secrets manager (NOT a `variable` with a default), Helm + External Secrets Operator, SOPS-encrypted files decrypted at apply.

3. **State protection** — when a secret unavoidably lands in state (some resources require it), encrypt state at rest, restrict backend access, and treat state as a secret. Prefer resources/providers that keep secrets write-only.

4. **Injection timing** — decide per secret: bake at deploy (config-mgmt pulls it) vs inject at runtime (sidecar/CSI driver/init container fetches it). Default to runtime injection so rotation doesn't require redeploy.

5. **Rotation** — design for it: short-lived dynamic credentials (Vault DB engine, cloud IAM roles) over static long-lived secrets. Show how the app picks up a rotated secret without a redeploy.
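Item 5 asks the model to show how an application picks up a rotated secret without a redeploy. The client-side pattern below is an added example, not part of the prompt or of any tool named in it: a small in-process cache with a TTL that also refetches once when the consumer reports an authentication failure, so a rotation that lands inside the TTL window is absorbed on the next use. The secrets backend, the database and the clock are constructed stand-ins for Vault or a cloud secrets manager; only `CachedSecret` is the pattern itself.

```python
"""Picking up a rotated secret at runtime: TTL cache plus refetch-on-auth-failure, no redeploy.

The backend and database are constructed stand-ins; CachedSecret is the client-side pattern.
"""
import time
from typing import Callable


class AuthError(Exception):
    pass


class FakeSecretsBackend:
    """Stand-in for Vault / a cloud secrets manager: one versioned secret. Constructed for the example."""
    def __init__(self, value: str):
        self.version, self.value, self.reads = 1, value, 0

    def rotate(self, new_value: str) -> None:  # what the rotation job does out of band
        self.version += 1
        self.value = new_value

    def get(self) -> tuple[int, str]:
        self.reads += 1
        return self.version, self.value


class FakeDatabase:
    """Accepts only the backend's current credential, like a database after a password rotation."""
    def __init__(self, backend: FakeSecretsBackend):
        self._backend = backend

    def connect(self, password: str) -> str:
        if password != self._backend.value:
            raise AuthError("authentication failed")
        return f"session:v{self._backend.version}"


class CachedSecret:
    """Serve a secret from a local cache; refresh when the TTL lapses or the consumer hits AuthError."""
    def __init__(self, backend: FakeSecretsBackend, ttl_s: float,
                 clock: Callable[[], float] = time.monotonic):
        self._backend, self._ttl, self._clock = backend, ttl_s, clock
        self.version = None
        self._value = None
        self._fetched_at = float("-inf")  # forces a fetch on first use

    def _refresh(self) -> None:
        self.version, self._value = self._backend.get()
        self._fetched_at = self._clock()

    def value(self) -> str:
        if self._clock() - self._fetched_at >= self._ttl:
            self._refresh()
        return self._value

    def call(self, use: Callable[[str], str]) -> str:
        """Run use(secret); on AuthError refetch once and retry, which covers a rotation inside the TTL."""
        try:
            return use(self.value())
        except AuthError:
            self._refresh()
            return use(self._value)  # a second failure propagates: the problem is not staleness


class ManualClock:
    """Deterministic clock so the TTL behaviour can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    clock, backend = ManualClock(), FakeSecretsBackend("pw-v1")
    db, secret = FakeDatabase(backend), CachedSecret(backend, ttl_s=300, clock=clock)
    r1 = secret.call(db.connect)   # cold cache: fetch v1, connect
    clock.advance(60)
    r2 = secret.call(db.connect)   # inside TTL: served from cache, no backend read
    backend.rotate("pw-v2")        # rotation lands while the cached value is still "fresh"
    r3 = secret.call(db.connect)   # stale v1 rejected -> refetch -> connect with v2
    clock.advance(400)
    r4 = secret.call(db.connect)   # TTL lapsed: routine refresh, still v2
    return {"sessions": [r1, r2, r3, r4], "backend_reads": backend.reads, "version": secret.version}


if __name__ == "__main__":
    print(demo())
```

The single retry is deliberate: a second authentication failure after a fresh fetch means the credential is wrong, not stale, and should surface rather than loop against the backend. With dynamic credentials (Vault database engine leases) the same structure applies, with the lease TTL driving the refresh instead of a fixed number.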

6. **Guardrails** — pre-commit secret scanning (gitleaks/trufflehog), CI secret masking, and a policy check that fails PRs introducing plaintext secrets.
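Items 2 and 6 together describe a structural rule (reference a secret, never embed it) and a gate that fails PRs which break it. The script below is an added example, not code from the prompt or from gitleaks/trufflehog: it complements those pattern and entropy scanners by checking the shape of Terraform/HCL, flagging `variable` blocks with secret-like names that carry a `default`, and secret-like attributes assigned a bare string literal rather than a `data.`/`var.` reference. The name patterns and the two sample `.tf` snippets are constructed for the example; findings deliberately never include the offending value, so printing them in CI does not recreate leak point (c).

```python
"""Policy gate for IaC PRs: fail when Terraform/HCL embeds a secret value instead of referencing one.

Complements pattern/entropy scanners (gitleaks, trufflehog): it checks the *shape* of the code,
flagging secret-named variables with defaults and secret-named attributes set to bare literals.
"""
import re
import sys
from dataclasses import dataclass

# Attribute/variable names that usually carry a credential value (assumption: tune per repo).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_?key|private_?key|credential)", re.I)
# Names like secret_id, kms_key_arn, private_key_path point at a secret rather than holding it.
POINTER_SUFFIX = re.compile(r"_(id|arn|name|path|file|ref)$", re.I)
# A bare quoted literal; data.*, var.*, local.* and "${...}" interpolations count as references.
LITERAL = re.compile(r'^"(?!\$\{)[^"]*"$')

VARIABLE_BLOCK = re.compile(r'variable\s+"([^"]+)"[ \t]*\{(.*?)\n\}', re.S)
DEFAULT_LINE = re.compile(r'^[ \t]*default[ \t]*=[ \t]*(.+?)[ \t]*$', re.M)
ASSIGNMENT = re.compile(r'^[ \t]*([A-Za-z_][A-Za-z0-9_]*)[ \t]*=[ \t]*(.+?)[ \t]*$', re.M)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    detail: str  # never contains the offending value, so CI output cannot leak it


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def _is_secret_name(name: str) -> bool:
    return bool(SECRET_NAME.search(name)) and not POINTER_SUFFIX.search(name)


def scan_hcl(path: str, text: str) -> list[Finding]:
    findings = []
    # (1) variable "db_password" { default = "..." }: the value is committed to git.
    for m in VARIABLE_BLOCK.finditer(text):
        name, body = m.group(1), m.group(2)
        d = DEFAULT_LINE.search(body)
        if _is_secret_name(name) and d and d.group(1) not in ('""', "null"):
            findings.append(Finding(path, _line_of(text, m.start(2) + d.start()), "variable-default",
                                    f'variable "{name}" carries a default; supply it from the secrets backend'))
    # (2) password = "literal" inside any resource, provider or locals block.
    for a in ASSIGNMENT.finditer(text):
        name, value = a.group(1), a.group(2)
        if _is_secret_name(name) and LITERAL.match(value):
            findings.append(Finding(path, _line_of(text, a.start()), "literal-secret",
                                    f"{name} is a quoted literal; reference a data source instead"))
    return findings


def check_files(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """files maps path -> HCL text, as a pre-commit hook or CI step would read them."""
    findings = [f for path, text in files.items() for f in scan_hcl(path, text)]
    return (not findings, findings)


# Constructed samples: the embedded pattern the prompt warns about, and the reference pattern.
BAD_TF = '''
variable "db_password" {
  description = "Database password"
  type        = string
  default     = "Example-Only-Not-Real-123"
}

resource "aws_db_instance" "main" {
  engine   = "postgres"
  username = "app"
  password = "Example-Only-Not-Real-123"
}
'''

GOOD_TF = '''
data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/app/db"
}

resource "aws_db_instance" "main" {
  engine   = "postgres"
  username = "app"
  password = data.aws_secretsmanager_secret_version.db.secret_string
}
'''

if __name__ == "__main__":
    paths = sys.argv[1:]
    files = ({p: open(p, encoding="utf-8").read() for p in paths} if paths
             else {"bad.tf": BAD_TF, "good.tf": GOOD_TF})
    ok, findings = check_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.kind}] {f.detail}")
    sys.exit(0 if ok else 1)
```

Run it with the changed `.tf` paths as arguments from a pre-commit hook or a CI job; a non-zero exit fails the PR. The `POINTER_SUFFIX` exclusion matters in practice: `secret_id = "prod/app/db"` names a secret without containing one, and a gate that flags it trains people to ignore the gate.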

7. **Break-glass** — how to retrieve/rotate emergency credentials with an audit trail.

Output as: (a) per-tool reference pattern, (b) the state-protection plan, (c) the runtime-injection design, (d) the rotation approach, (e) the pre-commit + CI scanning setup, (f) the single highest-risk leak in this setup right now.

Bias toward: secrets never in code or git, runtime injection over baking, and short-lived dynamic credentials over static ones.