infisical-terraform
Infisical Terraform Provider
Help users confidently integrate Infisical secret management with their Terraform infrastructure.
What users typically ask for
- "How do I use Infisical with Terraform?" — Provider setup and auth
- "How do I prevent secrets in my Terraform state?" — Ephemeral resources
- "How do I set up Terraform Cloud with Infisical?" — OIDC integration
- "How do I configure project roles and permissions?" — Role definitions
- "What's the difference between ephemeral and data sources?" — Resource patterns
Quick routing
- Provider authentication, configuration, env vars → Provider Setup
- HCL resources: infisical_secret, data sources, project roles, access approval → Resources & Data Sources
- Terraform Cloud OIDC integration, machine identity setup → Terraform Cloud OIDC
Key principles to uphold
- Ephemeral over state: Always recommend `ephemeral` resources (Terraform 1.10+) for secrets—values never land in state files.
- Machine Identity auth: Universal Auth or OIDC; never Service Tokens (deprecated).
- Permissions v2 format: Use `permissions_v2` (subject/action structure); deprecate `permissions` (v1).
- OIDC for Terraform Cloud: This is the recommended production pattern.
- Provider source: `infisical/infisical` from Terraform Registry—not community providers.
- Folder path defaults: `folder_path = "/"` if omitted.
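The principles above combined in one configuration, as an added example rather than code from the skill's reference files: the official provider source, Universal Auth supplied through environment variables, and an ephemeral secret read whose value flows only into another provider's configuration, so it never reaches `terraform.tfstate`. The `cyrilgdn/postgresql` provider, the environment variable names, and the ephemeral resource's attribute names (`env_slug`, `workspace_id`, `value`) are assumptions to confirm against the current provider documentation.

```hcl
terraform {
  required_version = ">= 1.10" # ephemeral resources require Terraform 1.10+
  required_providers {
    infisical = {
      source = "infisical/infisical" # official Registry source, not a community fork
    }
    postgresql = {
      source = "cyrilgdn/postgresql" # assumed downstream provider for the example
    }
  }
}

variable "infisical_project_id" {
  type = string # constructed placeholder: the Infisical project (workspace) ID
}

# Machine Identity via Universal Auth. The client ID/secret are read from
# INFISICAL_UNIVERSAL_AUTH_CLIENT_ID / INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET
# (assumed variable names) so no credential is written into HCL or plan output.
provider "infisical" {
  host = "https://app.infisical.com"
}

# Ephemeral read: fetched fresh on every plan/apply and never persisted to state.
ephemeral "infisical_secret" "db_password" {
  name         = "DB_PASSWORD"
  env_slug     = "prod"
  workspace_id = var.infisical_project_id
  folder_path  = "/" # this is also the default when omitted
}

# Ephemeral values may only be used in ephemeral contexts (provider configuration,
# write-only arguments, provisioners). Feeding a regular resource attribute with
# ephemeral.infisical_secret.db_password.value is rejected at plan time.
provider "postgresql" {
  host     = "db.internal.example" # constructed placeholder
  username = "terraform"
  password = ephemeral.infisical_secret.db_password.value
}

# Contrast: reading the same secret through a data source (for example
# data "infisical_secrets") would store the plaintext value in state, which is
# why the skill steers users to ephemeral resources whenever 1.10+ is available.
```

Run `terraform show` after apply to confirm that no `infisical_secret` object or plaintext value appears in the state output.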
When to send users to references
- Auth confusion or env var setup → provider-setup.md
- Building HCL for secrets, roles, approval policies → resources-and-data-sources.md
- TFC + Infisical step-by-step → terraform-cloud-oidc.md