Terraform
Configure and manage keys
Configure your key management system (KMS) and HCP Terraform to use the hold your own key (HYOK) feature to encrypt your sensitive Terraform artifacts.
Background
HCP Terraform lets you configure multiple HYOK configurations for an organization. Each HYOK configuration corresponds to a single key in a KMS. Additional HYOK configurations can point to different keys in the same KMS, or keys in others KMSs.
When you set up HYOK, you designate one configuration as your organization's primary configuration. When you enable HYOK on a workspace, HCP Terraform automatically secures that workspace's artifacts using your organization's primary HYOK configuration.
Refer to How hold your own key concepts to learn more about the details of encryption and decryption.
Requirements
Note
Hold your own key is available on the HCP Terraform Premium edition. Refer to HCP Terraform pricing for details.
To use hold your own key, first ensure you meet the following requirements:
- Your organization has at least one agent pool, and you enable request forwarding on at least one agent in that pool.
- Configure healthy key management policies on your KMS to prevent data loss. Otherwise, if a key is deleted from a KMS while HCP Terraform is using it, you can experience state loss.
- Configure your workspaces to use Terraform 1.3+.
Create key configuration
To configure hold your own key, begin by letting your key management system accept the necessary OpenID Connect (OIDC) requests from HCP Terraform. Then, set up your keys and grant the necessary roles and permissions in your cloud provider.
To use Azure with HYOK, you need to configure the following:
- A Key Vault and encryption key.
- An Entra ID Application which trusts the OIDC credentials issued by HCP Terraform.
- A service principal in the application with permission to use your key.
Create a Key Vault and an encryption key
Create a Key Vault and key to secure your sensitive HCP Terraform artifacts:
- If you do not already have one, create a Key Vault using the Azure portal.
- Then, add a key to the Key Vault to use to secure your sensitive Terraform artifacts.
Take note of the key URI, which is in the format: https://<KEY_VAULT_NAME>.vault.azure.net/keys/<KEY_NAME>
. You will use this URI later to configure your key in HCP Terraform.
Create an Entra ID Application
Next, follow the steps to create the Application and Service
Principal.
Do not proceed to the Configure Microsoft Entra ID Application to Trust a
GitHub Repository step, and set your Application Redirect URI type to Web.
Also, take note of the client_id
and tenant_id
for your application. You
use these values to configure your key in HCP Terraform.
Configure Entra ID to trust HCP Terraform
Next, create federated identity credentials in your application, which validate the contents of the token sent to Azure from HCP Terraform.
Follow the steps in the AzureRM provider docs: Configure Azure Microsoft Entra ID Application to Trust a Generic Issuer, and use the values below when you add the credential.
Specify the following information in the Add a credential step:
- Federated credential scenario: Set to Other issuer.
- Issuer: The address of HCP Terraform,
https://app.terraform.io
. - Subject identifier: The subject identifier from HCP Terraform that this
credential will match. This is in the form
organization:<ORG_NAME>:hyok_config:<HYOK_CONFIG_NAME>
. The HYOK configuration name can contain letters, numbers, hyphens, and underscores. - Audience: Leave this as the default value,
api://AzureADTokenExchange
.
Make a note of the HYOK config name you choose here, you will use it later when you configure HCP Terraform.
Configure HYOK in HCP Terraform
Once you have configured your KMS with a key encryption key and the necessary OIDC trust relationship to HCP Terraform, you can create an HYOK configuration for your organization.
Each HYOK configuration in your organization represents a single KMS key encryption key with potentially multiple key versions. You can configure multiple keys in different HYOK configurations, across one or more KMSs. Follow the steps outlined above for each KMS you wish to use with HYOK.
Navigate to Organization Settings then HYOK Encryption. Open the HYOK configuration wizard by clicking Configure a key.
Choose an agent pool
On the first step of the wizard, select an agent pool that is hosting agents with request forwarding enabled.
HCP Terraform uses this agent pool to:
- Generate and encrypt data encryption keys for workspaces onboarded with HYOK.
- Re-encrypt data keys when an HYOK configuration is revoked.
- Connect to your KMS to check for new key versions.
The agent pool you specify is not used to perform Terraform runs. HCP Terraform
continues to use the agent pool specified in your workspace's execution mode
when performing runs. The agents running your workspace's operations do not require request forwarding, but you should update them to version 1.23.0
or later to use them with HYOK.
Configure OIDC settings
The next step of the wizard collects the information needed to authenticate to your KMS using OIDC. Select your KMS type and fill in the required information for your KMS provider.
To configure your OIDC connection in HCP Terraform, you need the following values from Azure:
- Application ID for your Entra ID Application. This is also called an Application (client) ID on the EntraID Application overview page.
- Tenant ID for your Entra ID Application. This is also called an Directory (tenant) ID on the EntraID Application overview page.
- Your Subscription ID from the Azure subscription overview page.
Configure key settings
On the final page of the wizard, tell HCP Terraform which key to use for this HYOK configuration.
Also, give your HYOK configuration a unique name to identify it. Your configuration name can be any combination of letters, numbers, hyphens, and underscores, and is included in the subject claim of HYOK JWTs that HCP Terraform issues. If you configured your KMS to match against your hyok_config
name, use the same name for your HYOK configuration.
To configure your key in HCP Terraform, you need the full Key URI for the key you created in Azure, which uses the format: https://<KEY_VAULT_NAME>.vault.azure.net/keys/<KEY_NAME>
Test the key configuration
To test your HYOK configuration, click Test Connection on the last step of the Configure a new key wizard. Clicking Test Connection tells HCP Terraform to attempt to authenticate to your KMS and test that basic encryption and decryption works.
Once a configuration is saved, you can also access the Test Connection button on the settings page for your HYOK configuration.
If HCP Terraform cannot successfully connect to your KMS and use your key to encrypt and decrypt data, it will display an error message. The most likely cause of failures are:
- There are no agents with Request Forwarding enabled running in the chosen Agent Pool.
- Permissions have not been set correctly in your KMS.
- The required resources are not fully provisioned in your KMS. In rare cases, it can take up to 15 minutes for keys to be accessible to HCP Terraform after creation, particularly for Azure and GCP.
Use a key configuration to encrypt a workspace
After you set up an HYOK configuration, you can use it to encrypt a workspace's artifacts.
When you enable HYOK for a workspace, HCP Terraform uses the primary configuration to secure that workspace's artifacts. When you revoke an HYOK configuration in HCP Terraform, HCP Terraform migrates all of the workspaces that used the revoked configuration to the new primary configuration.
To manually promote a configuration to primary, navigate to your organization's Settings, then to HYOK Encryption. Click Promote to primary on your desired HYOK configuration. HCP Terraform automatically promotes the first HYOK configuration with a status of Available.
Note
If you enable hold your own key encryption for a workspace, you cannot disable HYOK on that workspace.
To encrypt a workspace's artifacts using HYOK, go to the workspace's Settings, and navigate to HYOK Encryption. Check Enable HYOK for this workspace to enable HYOK for that workspace.
Once you enable HYOK on a workspace, HCP Terraform generates a data encryption key, connects to your KMS to encrypt it with your key encryption key, and stores the encrypted DEK.
Any future runs on your workspace will now produce encrypted state and plan files. You can test this by performing a run. State versions are annotated with the name of the HYOK configuration HCP Terraform used to them.
Revoke a key configuration
HCP Terraform keeps track of which HYOK configurations secure each of your workspace's artifacts. If you want to stop using a given KEK or a specific key version, you can revoke that key configuration within HCP Terraform. For example, if a key version is old or has been leaked, revoking it in HCP Terraform instructs the platform to stop using that key for encryption and to migrate all existing data off of it.
Note that HCP Terraform does not manage keys within your KMS. Revoking a key configuration in HCP Terraform does not revoke that key within your KMS. Revoking a key configuration in HCP Terraform lets you migrate data off of the key so that you can then revoke and safely delete the corresponding key from your KMS.
To revoke a key configuration:
- Navigate to your organization's Settings.
- Then to HYOK Encryption.
- Click the Revoke button next to the HYOK configuration you want to revoke.
When you revoke a key configuration, HCP Terraform migrates all of the workspaces that used that configuration to the primary configuration. If you have not set a primary configuration, HCP Terraform automatically promotes the first available HYOK configuration to primary when you revoke your primary configuration.
When you revoke a key version, HCP Terraform automatically re-secures all of the artifacts it currently secures with the latest version of the same key.
When you revoke a key or key version, HCP Terraform does not need to directly re-encrypt all the artifacts it secures. Instead, HCP Terraform uses an HCP Terraform agent to re-encrypt all of the DEKs that are encrypted with that key. This makes the re-encryption process much quicker and requires less transferring data than re-encrypting the artifacts themselves.
In order to safely revoke a key being used by HCP Terraform in your KMS, you must:
- Revoke the key in HCP Terraform.
- Wait until all workspaces have been migrated off of the key, which you can check on the the HYOK Encryption page.
- Revoke the key in the KMS itself.