# Infisical Terraform Provider The Infisical Terraform Provider enables infrastructure-as-code management of secrets, identities, projects, and integrations within the Infisical secrets management platform. It provides comprehensive resources for creating and managing secrets, machine identities with various authentication methods (Universal Auth, AWS IAM, Azure, GCP, Kubernetes, OIDC), projects with custom environments and roles, secret syncs to external services, dynamic secrets, KMS keys, and certificate management. The provider supports both Infisical Cloud (app.infisical.com) and self-hosted instances. Authentication is handled through machine identities using Universal Auth, AWS IAM Auth, Kubernetes Auth, OIDC Auth, or Token Auth. Core functionality includes reading and writing secrets, managing access controls through approval policies, syncing secrets to cloud providers (AWS, Azure, GCP) and CI/CD platforms (GitHub, GitLab, CircleCI), rotating credentials automatically, and issuing PKI certificates. ## Provider Configuration Configure the Infisical provider with authentication credentials. Universal Auth is the most common method using client ID and secret. ```terraform terraform { required_providers { infisical = { source = "infisical/infisical" # version = "" } } } provider "infisical" { host = "https://app.infisical.com" # Default, only change for self-hosted auth = { # Optional: scope session to a sub-organization # organization_slug = "my-sub-org" universal = { client_id = var.infisical_client_id client_secret = var.infisical_client_secret } } } # Alternative: Kubernetes Auth (for pods running in Kubernetes) provider "infisical" { host = "https://app.infisical.com" auth = { kubernetes = { identity_id = "your-machine-identity-id" # Uses /var/run/secrets/kubernetes.io/serviceaccount/token by default } } } # Alternative: AWS IAM Auth (for AWS workloads) provider "infisical" { host = "https://app.infisical.com" auth = { aws_iam = { identity_id = "your-machine-identity-id" } } } ``` ## infisical_secrets Data Source Fetch all secrets from a specific environment and folder path in an Infisical project. Returns a map of secret names to their values and metadata. ```terraform data "infisical_secrets" "app_secrets" { env_slug = "prod" workspace_id = "507f1f77bcf86cd799439011" # Project ID folder_path = "/backend" } # Access individual secret value output "database_url" { value = data.infisical_secrets.app_secrets.secrets["DATABASE_URL"].value sensitive = true } # Access secret comment/metadata output "api_key_comment" { value = data.infisical_secrets.app_secrets.secrets["API_KEY"].comment } # Use secrets in other resources resource "aws_lambda_function" "api" { function_name = "my-api" runtime = "nodejs18.x" handler = "index.handler" role = aws_iam_role.lambda.arn filename = "lambda.zip" environment { variables = { DB_HOST = nonsensitive(data.infisical_secrets.app_secrets.secrets["DB_HOST"].value) DB_PORT = nonsensitive(data.infisical_secrets.app_secrets.secrets["DB_PORT"].value) } } } ``` ## infisical_secret Resource Create and manage individual secrets in Infisical with support for tags, reminders, and metadata. ```terraform resource "infisical_secret_tag" "managed" { project_id = var.project_id name = "terraform-managed" slug = "terraform-managed" color = "#2563EB" } resource "infisical_secret" "database_password" { name = "DATABASE_PASSWORD" value = random_password.db.result env_slug = "prod" workspace_id = var.project_id folder_path = "/database" tag_ids = [infisical_secret_tag.managed.id] metadata = { "rotated_by" = "terraform" "last_rotation" = timestamp() } secret_reminder = { note = "Rotate this password quarterly" repeat_days = 90 } } # Write-only secret (Terraform 1.11+) - value not stored in state resource "infisical_secret" "api_key" { name = "STRIPE_API_KEY" value_wo = var.stripe_api_key # Not stored in Terraform state value_wo_version = 1 # Increment to trigger updates env_slug = "prod" workspace_id = var.project_id folder_path = "/payments" } resource "random_password" "db" { length = 32 special = true } ``` ## infisical_secret Ephemeral Resource Read secrets as ephemeral values that are never stored in Terraform state. Requires Terraform 1.10+. ```terraform ephemeral "infisical_secret" "db_username" { name = "POSTGRES_USERNAME" env_slug = "prod" workspace_id = var.project_id folder_path = "/" } ephemeral "infisical_secret" "db_password" { name = "POSTGRES_PASSWORD" env_slug = "prod" workspace_id = var.project_id folder_path = "/" } locals { db_credentials = { username = ephemeral.infisical_secret.db_username.value password = ephemeral.infisical_secret.db_password.value } } # Use ephemeral secrets to configure database provider provider "postgresql" { host = var.db_host port = 5432 database = "myapp" username = local.db_credentials.username password = local.db_credentials.password sslmode = "require" } ``` ## infisical_project Resource Create and manage Infisical projects for secrets management, KMS, or certificate management. ```terraform resource "infisical_project" "backend" { name = "Backend Services" slug = "backend-services" description = "Secrets for all backend microservices" type = "secret-manager" # secret-manager, kms, or cert-manager should_create_default_envs = true # Creates dev, staging, prod audit_log_retention_days = 90 has_delete_protection = true } resource "infisical_project_environment" "qa" { name = "QA" slug = "qa" project_id = infisical_project.backend.id position = 2 # Ordering in UI } resource "infisical_secret_folder" "api" { name = "api" environment_slug = "prod" folder_path = "/" project_id = infisical_project.backend.id } output "project_id" { value = infisical_project.backend.id } ``` ## infisical_identity Resource Create machine identities with various authentication methods for programmatic access. ```terraform # Create identity with Universal Auth resource "infisical_identity" "ci_pipeline" { name = "ci-pipeline" role = "member" org_id = var.org_id metadata = [ { key = "team", value = "platform" }, { key = "purpose", value = "CI/CD deployments" } ] } resource "infisical_identity_universal_auth" "ci_pipeline" { identity_id = infisical_identity.ci_pipeline.id access_token_ttl = 3600 # 1 hour access_token_max_ttl = 86400 # 24 hours access_token_num_uses_limit = 0 # Unlimited client_secret_trusted_ips { ip_address = "10.0.0.0/8" } } resource "infisical_identity_universal_auth_client_secret" "ci_pipeline" { identity_id = infisical_identity.ci_pipeline.id depends_on = [infisical_identity_universal_auth.ci_pipeline] } output "client_id" { value = infisical_identity.ci_pipeline.id } output "client_secret" { value = infisical_identity_universal_auth_client_secret.ci_pipeline.client_secret sensitive = true } # Create identity with AWS IAM Auth resource "infisical_identity" "aws_workload" { name = "aws-lambda-workload" role = "member" org_id = var.org_id } resource "infisical_identity_aws_auth" "aws_workload" { identity_id = infisical_identity.aws_workload.id access_token_ttl = 3600 allowed_principal_arns = ["arn:aws:iam::123456789012:role/LambdaExecutionRole"] allowed_account_ids = ["123456789012"] } # Create identity with Kubernetes Auth resource "infisical_identity" "k8s_app" { name = "k8s-application" role = "member" org_id = var.org_id } resource "infisical_identity_kubernetes_auth" "k8s_app" { identity_id = infisical_identity.k8s_app.id kubernetes_host = "https://kubernetes.default.svc" token_reviewer_jwt = var.k8s_reviewer_jwt allowed_namespaces = ["production", "staging"] } ``` ## infisical_project_identity Resource Assign identities to projects with specific roles and permissions. ```terraform resource "infisical_project_identity" "ci_access" { project_id = infisical_project.backend.id identity_id = infisical_identity.ci_pipeline.id roles = [ { role_slug = "admin" } ] } # Temporary access with expiration resource "infisical_project_identity" "contractor" { project_id = infisical_project.backend.id identity_id = infisical_identity.contractor.id roles = [ { role_slug = "member" is_temporary = true temporary_mode = "relative" temporary_range = "7d" temporary_access_start_time = timestamp() } ] } ``` ## infisical_project_role Resource Create custom roles with fine-grained permissions for projects. ```terraform resource "infisical_project_role" "secret_reader" { project_slug = infisical_project.backend.slug name = "Secret Reader" slug = "secret-reader" description = "Read-only access to secrets in specific environments" permissions_v2 = [ { subject = "secrets" action = ["read"] conditions = jsonencode({ environment = { "$in" = ["dev", "staging"] } }) } ] } resource "infisical_project_role" "deployer" { project_slug = infisical_project.backend.slug name = "Deployer" slug = "deployer" description = "Can read secrets and manage integrations" permissions_v2 = [ { subject = "secrets" action = ["read"] conditions = jsonencode({ environment = { "$eq" = "prod" } secretPath = { "$glob" = "/deploy/*" } }) }, { subject = "integrations" action = ["read", "create", "edit", "delete"] }, { subject = "secret-rollback" action = ["read", "create"] } ] } ``` ## infisical_secret_sync_aws_secrets_manager Resource Sync secrets from Infisical to AWS Secrets Manager automatically. ```terraform resource "infisical_app_connection_aws" "main" { name = "aws-production" description = "AWS production account connection" method = "assume-role" credentials = { assume_role = { role_arn = "arn:aws:iam::123456789012:role/InfisicalSyncRole" } } } resource "infisical_secret_sync_aws_secrets_manager" "prod_secrets" { name = "prod-secrets-sync" description = "Sync production secrets to AWS" project_id = infisical_project.backend.id environment = "prod" secret_path = "/" connection_id = infisical_app_connection_aws.main.id auto_sync_enabled = true sync_options = { initial_sync_behavior = "overwrite-destination" sync_secret_metadata_as_tags = true aws_kms_key_id = "alias/infisical-secrets" tags = [ { key = "Environment", value = "production" }, { key = "ManagedBy", value = "Infisical" } ] } destination_config = { aws_region = "us-east-1" mapping_behavior = "one-to-one" # Each secret becomes its own AWS secret } } # Many-to-one mapping: all secrets in single AWS secret resource "infisical_secret_sync_aws_secrets_manager" "app_config" { name = "app-config-sync" project_id = infisical_project.backend.id environment = "prod" secret_path = "/app-config" connection_id = infisical_app_connection_aws.main.id sync_options = { initial_sync_behavior = "import-prioritize-source" } destination_config = { aws_region = "us-east-1" mapping_behavior = "many-to-one" aws_secrets_manager_secret_name = "myapp/config" } } ``` ## infisical_dynamic_secret_aws_iam Resource Create dynamic AWS IAM credentials that are generated on-demand with automatic expiration. ```terraform resource "infisical_dynamic_secret_aws_iam" "developer_access" { name = "aws-dev-credentials" project_slug = infisical_project.backend.slug environment_slug = "dev" path = "/dynamic" default_ttl = "1h" max_ttl = "4h" username_template = "infisical-{{randomUsername}}" configuration = { method = "assume_role" region = "us-east-1" assume_role_config = { role_arn = "arn:aws:iam::123456789012:role/InfisicalDynamicRole" } policy_document = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = ["s3:GetObject", "s3:ListBucket"] Resource = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"] } ] }) policy_arns = "arn:aws:iam::aws:policy/ReadOnlyAccess" user_groups = "developers" } metadata = [ { key = "purpose", value = "development access" } ] } ``` ## infisical_secret_approval_policy Resource Create approval workflows requiring sign-off before secret changes take effect. ```terraform resource "infisical_group" "approvers" { name = "secret-approvers" slug = "secret-approvers" role = "member" } resource "infisical_secret_approval_policy" "prod_secrets" { project_id = infisical_project.backend.id name = "Production Secret Changes" environment_slugs = ["prod"] secret_path = "/" required_approvals = 2 enforcement_level = "hard" # Blocks changes without approval allow_self_approval = false approvers = [ { type = "group" id = infisical_group.approvers.id }, { type = "user" username = "security-lead@company.com" } ] } resource "infisical_access_approval_policy" "sensitive_access" { project_id = infisical_project.backend.id name = "Sensitive Data Access" environment_slugs = ["prod"] secret_path = "/sensitive" required_approvals = 1 enforcement_level = "soft" # Warns but allows override approvers = [ { type = "user" username = "admin@company.com" } ] } ``` ## infisical_kms_key Resource Create and manage encryption keys in Infisical's Key Management Service. ```terraform resource "infisical_project" "kms_project" { name = "Key Management" slug = "key-management" type = "kms" } resource "infisical_kms_key" "data_encryption" { project_id = infisical_project.kms_project.id name = "data-encryption-key" description = "AES key for encrypting sensitive data" key_usage = "encrypt-decrypt" encryption_algorithm = "aes-256-gcm" } resource "infisical_kms_key" "signing_key" { project_id = infisical_project.kms_project.id name = "document-signing-key" description = "RSA key for signing documents" key_usage = "sign-verify" encryption_algorithm = "RSA_4096" is_disabled = false } data "infisical_kms_key_public_key" "signing" { key_id = infisical_kms_key.signing_key.id } output "signing_public_key" { value = data.infisical_kms_key_public_key.signing.public_key } ``` ## infisical_cert_manager_certificate Resource Request and manage X.509 certificates from Infisical PKI. ```terraform resource "infisical_project" "pki_project" { name = "Certificate Management" slug = "cert-management" type = "cert-manager" } resource "infisical_cert_manager_certificate" "api_cert" { profile_id = var.cert_profile_id common_name = "api.example.com" alt_names = ["api.example.com", "api-internal.example.com"] organization = "Example Corp" country = "US" province = "California" locality = "San Francisco" key_algorithm = "RSA_2048" signature_algorithm = "RSA-SHA256" ttl = "90d" timeout_seconds = 300 key_usages = ["digital_signature", "key_encipherment"] extended_key_usages = ["server_auth", "client_auth"] } output "certificate_pem" { value = infisical_cert_manager_certificate.api_cert.certificate } output "certificate_chain" { value = infisical_cert_manager_certificate.api_cert.certificate_chain } output "private_key" { value = infisical_cert_manager_certificate.api_cert.private_key sensitive = true } # Use with AWS ALB resource "aws_acm_certificate" "api" { private_key = infisical_cert_manager_certificate.api_cert.private_key certificate_body = infisical_cert_manager_certificate.api_cert.certificate certificate_chain = infisical_cert_manager_certificate.api_cert.certificate_chain } ``` ## infisical_secret_import Resource Import secrets from one environment/path to another, enabling secret reuse across environments. ```terraform # Import shared secrets from a common folder resource "infisical_secret_import" "shared_to_prod" { project_id = infisical_project.backend.id environment_slug = "prod" folder_path = "/app" import_environment_slug = "prod" import_folder_path = "/shared" is_replication = false # Reference, not copy } # Replicate staging secrets to QA (creates copies) resource "infisical_secret_import" "staging_to_qa" { project_id = infisical_project.backend.id environment_slug = "qa" folder_path = "/" import_environment_slug = "staging" import_folder_path = "/" is_replication = true # Creates copies that can be modified } ``` ## infisical_group Resource Create groups for organizing users and managing permissions collectively. ```terraform resource "infisical_group" "backend_team" { name = "Backend Team" slug = "backend-team" role = "member" } resource "infisical_group" "security_team" { name = "Security Team" slug = "security-team" role = "admin" } resource "infisical_project_group" "backend_access" { project_id = infisical_project.backend.id group_id = infisical_group.backend_team.id roles = [ { role_slug = infisical_project_role.deployer.slug } ] } ``` ## Summary The Infisical Terraform Provider is ideal for organizations implementing secrets management as code, enabling GitOps workflows for secret lifecycle management. Common use cases include bootstrapping new projects with standardized secret structures, provisioning machine identities for CI/CD pipelines, automating secret rotation schedules, syncing secrets to cloud providers and deployment targets, and enforcing approval workflows for production secret changes. The provider integrates seamlessly with existing Terraform infrastructure code, allowing secrets to be managed alongside the resources that consume them. Integration patterns typically involve creating a central secrets project, defining machine identities with appropriate authentication methods (Universal Auth for general use, AWS IAM Auth for AWS workloads, Kubernetes Auth for Kubernetes pods), assigning identities to projects with custom roles, and setting up secret syncs to external systems like AWS Secrets Manager, Azure Key Vault, or GitHub Actions. For sensitive environments, approval policies ensure human review before changes take effect. The ephemeral resources feature (Terraform 1.10+) is particularly valuable for keeping sensitive credentials out of Terraform state entirely, making it safer to use secrets for configuring database providers, cloud APIs, and other sensitive connections.