Skip to main content

Claude/ChatGPT Prompt to Manage Secrets with AWS Secrets Manager in Terraform

Get a Terraform pattern for AWS Secrets Manager: generated secrets, rotation, least-privilege IAM, KMS, and a migration path off hardcoded envs.

Fill in the placeholders

Edit the values, then copy your finished prompt.

Your Prompt
prompt.txt

                                

What this prompt does

This prompt casts the AI as a senior cloud security engineer and asks it to return working Terraform HCL for storing application secrets in AWS Secrets Manager. Instead of vague advice, it forces a concrete pattern: secrets generated inside Terraform, rotation wired through a Lambda, IAM scoped to least privilege, and a KMS key to encrypt everything. The framing "return working HCL, not pseudocode" pushes the model past hand-waving and into code you can actually terraform plan.

The four placeholders steer the output to your environment. [consuming_services] tells the model which principals get read/decrypt IAM (so the policy isn't a wildcard), [rotation_cadence] sets the rotation schedule on the Lambda, [kms_strategy] decides whether you get a shared key or a dedicated customer-managed key per environment, and [current_secret_state] shapes the migration path — moving off a committed .env looks different from moving off SSM Parameter Store.

When to use it

  • You inherited an app where secrets live in a committed .env and need them out of source control safely.
  • You're standing up a new AWS service and want secrets, rotation, and IAM wired in one pass.
  • You need least-privilege IAM scoped to specific consumers instead of a broad secretsmanager:* policy.
  • You want automated rotation but aren't sure how to structure the Lambda rotation function in Terraform.
  • You're setting up a dedicated KMS key per environment and need the key policy written correctly.
  • You need a documented cutover and rollback plan before touching production secrets.

Example output

Expect two things: a set of HCL blocks and a written runbook. The HCL covers aws_secretsmanager_secret, a random_password resource so plaintext never enters your config, a rotation schedule pointing at a Lambda, scoped IAM policy documents, and a KMS key with rotation enabled. The runbook walks the migration from [current_secret_state] through cutover, a first rotation test, and a rollback step. It also includes guidance on reading secrets at runtime rather than baking them into images or Terraform state.

Pro tips

  • Fill [consuming_services] precisely — "ECS tasks and a Lambda API" produces tighter IAM than "my backend." Vague consumers give you vague policies.
  • Watch deliverable 1: never pass a plaintext secret through a Terraform variable. It lands in state. Always generate (via random_password) or inject it out-of-band.
  • Set [rotation_cadence] to a real number like "every 30 days, automated" so the model configures an actual schedule, not a placeholder comment.
  • For [kms_strategy], a dedicated customer-managed key per environment costs a little more but isolates blast radius — say so explicitly if that's what you want.
  • After generating, run the first rotation test from the runbook in a non-prod account before trusting it in production.
  • If your state file is local, fix that first — secrets in remote encrypted state with locking is the baseline this pattern assumes.

Frequently Asked Questions

Does this prompt prevent secrets from ending up in Terraform state?
Partly. It generates secrets with a random_password resource so plaintext never enters your code, but Terraform-managed secrets still appear in state. That's why the prompt emphasizes encrypted remote state and never passing plaintext through input variables.
What does [current_secret_state] actually change in the output?
It shapes the migration path and runbook. Moving off a committed .env file produces a different cutover and rollback sequence than migrating from SSM Parameter Store or hardcoded environment values, so describing your real starting point matters.
Can I use a single shared KMS key instead of one per environment?
Yes. Set [kms_strategy] to describe a shared key and the prompt will adjust the key policy accordingly. A dedicated customer-managed key per environment isolates blast radius better, but a shared key is simpler and cheaper.
Will the generated rotation actually work out of the box?
It gives you a rotation Lambda wired to your cadence, but rotation logic depends on your specific datastore and credential format. Always run the first rotation test from the runbook in a non-production account before relying on it.
Engr Mejba Ahmed

Need this built for real?

Engr Mejba Ahmed

AI Developer · Software Engineer

I'm Mejba — I design and ship production AI systems, automations, and full-stack apps. If you want this turned into a working solution for your team, let's talk.

More in Terraform & Infrastructure as Code Prompts

Engr Mejba Ahmed

Engr Mejba Ahmed

Claude Code Expert · Online

👋

Hey there!

Quick Actions

WhatsApp Instant reply

Chat on WhatsApp

+880 1723 741224 · Instant reply

Popular Questions

Engr Mejba Ahmed is connected
Engr Mejba Ahmed is typing...
Engr Mejba Ahmed avatar

✉ Want me to follow up? Drop your email

Engr Mejba Ahmed avatar

📞 Connect Directly

Choose how you'd like to reach me

WhatsApp

+880 1723 741224

Email

[email protected]

✓ Details sent! I'll get back to you shortly.

Powered by OpenAI

335+

Blog Posts

25

AI Courses

63

Projects

Services & Expertise

Pricing & Process

Learning & Resources

Connect & Support