# Terragrunt secrets management with Doppler

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1680873092952/2cb9d0c2-44b2-4ea7-996d-9ddf38036279.png align="center")

### Why Terragrunt and Doppler

With Infrastructure as Code, you may find yourself facing a circular dependency loop when it comes to secrets. Some services you self-host to help manage business applications won't exist before you create the infrastructure. So you need a place for infrastructure secrets.

Thankfully there are lots of options. We can use encrypted files, either within versional control or saved somewhere externally. There are managed solutions such as [HCP Vault](https://cloud.hashicorp.com/products/vault) or AWS Secrets Manager.

It was clear to see that Doppler is a great utility for developers to share secrets. But it's not a stretch to realise that Doppler can work for infrastructure secrets too.

In this article, I share the few steps required to get Doppler working with Terragrunt.

## Managing secrets with Terragrunt

Terragrunt proposes [3 ways of managing secrets](https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1).

1. Environment variables
    
2. Encrypted files
    
3. Secret stores
    

With Doppler, we can combine the simple use of *Environment variables* with a *secret store*.

## Using environment variables with Doppler

### Step 1: Defining the environment variable within our Terragrunt file

In the example Terragrunt file, we've decided to use an environment variable to prefix our bucket name. In a real-world example, you may have secrets or local variables that you don't want inside version control.

Reference your variable within a `terragrunt.hcl` by using the `get_env` function:

```bash
remote_state {
  # ...
  config = {
    bucket = "${get_env("TG_BUCKET_PREFIX", "")}-infrastructure"

    key = "terraform/${path_relative_to_include()}/terraform.tfstate"
    region = "${local.global.bucket_region}"
    encrypt = true

  }
}
```

### Step 2. Adding the environment variable to Doppler

Once logged into Doppler, you can select a project, then the project environment (eg. production) and add your environment variable there.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1678216281223/052ab322-ccb3-4cc3-a306-bab34e379b1e.png align="center")

### Step 3. Configuring Doppler on your Terragrunt project

To be able to use Doppler within your project, you must first set up Doppler to connect it to the right project and environment.

Run the setup command and select a project:

```bash
doppler setup

# > Select a project:  [Use arrows to move, type to filter]
```

Select an environment (eg. production).

```bash
# > Select a config:  [Use arrows to move, type to filter]
```

Once done, you can view the secrets from Doppler by running:

```bash
doppler secrets
```

### Step 4. Injecting Doppler environment variables into Terragrunt commands

Finally, to run Terragrunt and inject secrets, we need to prefix the Terragrunt command with the Doppler `run` command.

```bash
doppler run -- terragrunt run-all plan
```

## Finished

In conclusion, using Doppler for Terragrunt secrets management is a powerful and effective way to ensure that your infrastructure as code is secure, well-protected and straightforward to use.

### Next steps

* How to get started with [Doppler](https://docs.doppler.com/docs/demo-videos).
