Keep sensitive values out of specs and source control.
What it does
- Secrets stay as Terraform variables.
- You declare secret keys in your spec; actual values are provided at runtime via environment variables or --var, typically sourced from your secret store/CI.
- Modules decide how to consume secrets (for example, Helm charts or database modules).
Example (service)
apiVersion: platform.io/v1
kind: Service
metadata:
  name: payments-api
ref: ./env.yaml
envRef:
  prod: {}
secrets:
  db_password: {} # value supplied via env/CI
modules:
  - id: app
    type: helm_chart
    inputs:
      chart: ./charts/app
      values:
        db_password: "${var.db_password}"
Notes
- Prefer env/CI secret stores; do not commit secret values to specs or repos.
- Services restart to pick up new secret values after apply; plan rotations accordingly.
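A pre-commit or CI check for the first note, as an added example (not part of the platform's own tooling): it flags a spec whose secrets entries carry inline values, or whose module inputs named after a declared secret are not ${var.<key>} references. The line-based parsing, the name-matching heuristic and the sample specs are assumptions made for illustration.

```python
import re

ENTRY = re.compile(r"^(\s*)(?:-\s+)?([\w.-]+):\s*(.*)$")

def _entries(text):
    """Yield (line_no, indent, key, value) per 'key: value' line; trailing comments dropped."""
    for n, raw in enumerate(text.splitlines(), 1):
        m = ENTRY.match(re.sub(r"\s+#.*$", "", raw))
        if m:
            yield n, len(m.group(1)), m.group(2), m.group(3).strip().strip("\"'")

def lint_spec(text):
    """Return findings; secret values are never echoed into the findings."""
    # Pass 1: collect keys declared under the top-level 'secrets:' block.
    secrets, inside = {}, False
    for _, indent, key, value in _entries(text):
        if indent == 0:
            inside = key == "secrets"
        elif inside:
            secrets[key] = value
    findings = [f"secrets.{k}: declaration carries an inline value"
                for k, v in secrets.items() if v not in ("", "{}")]
    # Pass 2: outside that block, a key named like a secret must be a ${var.<key>} reference.
    inside = False
    for n, indent, key, value in _entries(text):
        if indent == 0:
            inside = key == "secrets"
        elif not inside and key in secrets and value != "${var.%s}" % key:
            findings.append(f"line {n}: {key} is not wired to ${{var.{key}}}")
    return findings

# Constructed samples modelled on the service example; the literal is a made-up placeholder.
GOOD = """secrets:
  db_password: {}  # value supplied via env/CI
modules:
  - id: app
    inputs:
      values:
        db_password: "${var.db_password}"
"""
BAD = GOOD.replace("{}", "example-not-a-real-secret").replace(
    '"${var.db_password}"', '"example-not-a-real-secret"')

if __name__ == "__main__":
    for name, spec in (("good", GOOD), ("bad", BAD)):
        print(name, lint_spec(spec))
```

The check matches on key names only, so a secret passed to a module under a different input name is not covered; pair it with a general secret scanner in the same pipeline.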