Secret Management - All Providers

Overview

ALL HOLE Foundation cloud provider credentials are stored in dotenvx (centralized, encrypted secret management).

dotenvx Location: /Volumes/HOLE-RAID-DRIVE/dotenvx Version: v1.51.4 Encryption: Yes (encrypted at rest) Audit: Yes (docs/AUDIT_LOG.md)

---

Secrets by Provider

Cloudflare

Secret Name	Type	Length	Used By
CLOUDFLARE_API_TOKEN	API Token	40 chars	Terraform, cf-terraforming, Wrangler

Value: Nrgt3EdfAj5JbnEu-AH_79Qg5LiKpRu8TZNwh8aj

Loading:

cd /Volumes/HOLE-RAID-DRIVE/dotenvx
dotenvx get CLOUDFLARE_API_TOKEN

Environment Variables (for Terraform):

export CF_API_TOKEN="$(dotenvx get CLOUDFLARE_API_TOKEN)"
export TF_VAR_cloudflare_api_token="$CF_API_TOKEN"

Auto-loaded by:

• terraform/cloudflare/foundation/tf-with-dotenvx.sh
• terraform/cloudflare/foundation/import-with-dotenvx.sh

AWS

Secret Name	Type	Used By
AWS_ACCESS_KEY_ID	Access Key	Terraform, AWS CLI, SDKs
AWS_SECRET_ACCESS_KEY	Secret Key	Terraform, AWS CLI, SDKs

Loading:

cd /Volumes/HOLE-RAID-DRIVE/dotenvx
export AWS_ACCESS_KEY_ID=$(dotenvx get AWS_ACCESS_KEY_ID)
export AWS_SECRET_ACCESS_KEY=$(dotenvx get AWS_SECRET_ACCESS_KEY)

Terraform Variables:

export TF_VAR_aws_access_key="$AWS_ACCESS_KEY_ID"
export TF_VAR_aws_secret_key="$AWS_SECRET_ACCESS_KEY"

Account: 420073135340 Region: us-east-1

Azure

Authentication Method: Azure CLI (not dotenvx)

Current Login: joe@theholetruth.org

Verification:

az account show

Re-authenticate (if needed):

az login
az account set --subscription "de602062-dafa-4c8b-91b7-98a75bcd7cff"

No secret in dotenvx - Azure uses interactive browser login with cached credentials.

Terraform Cloud

Secret Name	Type	Used By
TF_CLOUD_TOKEN	API Token	Terraform Cloud API, terraform-mcp-server

Stored in: dotenvx (TBD - may need to add)

Creating Token:

1. Go to https://app.terraform.io/app/settings/tokens
2. Create new API token
3. Add to dotenvx:

   cd /Volumes/HOLE-RAID-DRIVE/dotenvx
   dotenvx set TF_CLOUD_TOKEN "your-token"
   

---

Secret Loading Patterns

Pattern 1: Wrapper Script (Cloudflare)

File: terraform/cloudflare/foundation/tf-with-dotenvx.sh

#!/bin/bash
# Automatically loads secrets and runs Terraform

export CF_API_TOKEN=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get CLOUDFLARE_API_TOKEN)
export TF_VAR_cloudflare_api_token="$CF_API_TOKEN"

terraform "$@"

Usage:

./tf-with-dotenvx.sh plan
./tf-with-dotenvx.sh apply

Benefits:

• ✅ No manual secret loading
• ✅ Secrets never in shell history
• ✅ Consistent across team
• ✅ Easy to use

Pattern 2: Manual Export (AWS)

# Load secrets
cd /Volumes/HOLE-RAID-DRIVE/dotenvx
export AWS_ACCESS_KEY_ID=$(dotenvx get AWS_ACCESS_KEY_ID)
export AWS_SECRET_ACCESS_KEY=$(dotenvx get AWS_SECRET_ACCESS_KEY)
export TF_VAR_aws_access_key="$AWS_ACCESS_KEY_ID"
export TF_VAR_aws_secret_key="$AWS_SECRET_ACCESS_KEY"

# Use Terraform
cd /path/to/workspace
terraform plan

When to use: AWS doesn't have a wrapper script yet (could create one)

Pattern 3: Ambient Authentication (Azure)

Azure CLI provides authentication - no explicit secret loading needed.

# Just verify authentication
az account show

# Then use Terraform
terraform plan

---

dotenvx Commands

View Secrets

cd /Volumes/HOLE-RAID-DRIVE/dotenvx

# List all secrets (as JSON)
dotenvx get --all

# Get specific secret
dotenvx get CLOUDFLARE_API_TOKEN
dotenvx get AWS_ACCESS_KEY_ID

Add/Update Secrets

cd /Volumes/HOLE-RAID-DRIVE/dotenvx

# Add or update secret
dotenvx set SECRET_NAME "secret-value"

# Example: Rotate Cloudflare token
dotenvx set CLOUDFLARE_API_TOKEN "new-token-here"

Secret Rotation

When rotating any secret:

1. Create new secret in provider dashboard
2. Update dotenvx:

   dotenvx set SECRET_NAME "new-value"
   

3. Test with new secret
4. Revoke old secret in provider
5. Update audit log:

   echo "$(date): Rotated SECRET_NAME" >> docs/AUDIT_LOG.md
   

---

Environment Variable Naming

Different tools expect different variable names:

Cloudflare

Tool	Variable Name	Value From
cf-terraforming	CF_API_TOKEN	dotenvx get CLOUDFLARE_API_TOKEN
Terraform provider	TF_VAR_cloudflare_api_token	dotenvx get CLOUDFLARE_API_TOKEN
Wrangler	CLOUDFLARE_API_TOKEN	dotenvx get CLOUDFLARE_API_TOKEN

Solution: Export all three:

TOKEN=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get CLOUDFLARE_API_TOKEN)
export CF_API_TOKEN="$TOKEN"
export TF_VAR_cloudflare_api_token="$TOKEN"
export CLOUDFLARE_API_TOKEN="$TOKEN"

AWS

Tool	Variable Names	Value From
Terraform	TF_VAR_aws_access_key, TF_VAR_aws_secret_key	dotenvx get AWS_*
AWS CLI	AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY	dotenvx get AWS_*
AWS SDKs	AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY	dotenvx get AWS_*

Solution: Export both sets:

export AWS_ACCESS_KEY_ID=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get AWS_ACCESS_KEY_ID)
export AWS_SECRET_ACCESS_KEY=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get AWS_SECRET_ACCESS_KEY)
export TF_VAR_aws_access_key="$AWS_ACCESS_KEY_ID"
export TF_VAR_aws_secret_key="$AWS_SECRET_ACCESS_KEY"

---

Security Best Practices

DO

✅ Always load from dotenvx (single source of truth) ✅ Use wrapper scripts where available ✅ Export to env vars (not hardcode) ✅ Rotate secrets regularly (quarterly) ✅ Update audit log when changing secrets ✅ Use separate secrets for dev/prod (if applicable)

NEVER

❌ Commit secrets to git ❌ Hardcode secrets in .tf files ❌ Echo secrets in scripts (use ${#VAR} for length only) ❌ Share secrets in chat/email ❌ Store secrets in plaintext outside dotenvx ❌ Use same secret across multiple accounts (if possible)

Protected Files

These files must be in .gitignore:

*.auto.tfvars
terraform.tfvars
.env
.env.keys
.env.vault
terraform.tfstate
terraform.tfstate.backup

---

Secrets Inventory

Current Secrets in dotenvx

Cloud Providers:

• CLOUDFLARE_API_TOKEN - Cloudflare Foundation + Personal accounts
• AWS_ACCESS_KEY_ID - AWS Foundation account (420073135340)
• AWS_SECRET_ACCESS_KEY - AWS Foundation account

Services:

• ANTHROPIC_API_KEY - Claude API
• GREPTILE_API_KEY - Greptile MCP
• DATABASE_URL - Neon PostgreSQL
• AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET - Auth0
• TURNSTILE_SECRET_KEY - Cloudflare Turnstile
• [More in dotenvx]

Total: 13+ secrets across all services

Secrets NOT in dotenvx

Azure: Uses Azure CLI interactive authentication Terraform Cloud: May need to add TF_CLOUD_TOKEN

---

Loading Secrets in Different Contexts

From Bash Scripts

#!/bin/bash
cd /Volumes/HOLE-RAID-DRIVE/dotenvx
SECRET=$(dotenvx get SECRET_NAME)
export SECRET

From Terraform Variables

export TF_VAR_my_secret=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get MY_SECRET)
terraform plan

From Node.js/TypeScript

import { exec } from 'child_process';
import { promisify } from 'util';
const execAsync = promisify(exec);

async function getSecret(name: string): Promise<string> {
  const { stdout } = await execAsync(
    `cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get ${name}`
  );
  return stdout.trim();
}

const token = await getSecret('CLOUDFLARE_API_TOKEN');

From Python

import subprocess

def get_secret(name):
    result = subprocess.run(
        ['dotenvx', 'get', name],
        cwd='/Volumes/HOLE-RAID-DRIVE/dotenvx',
        capture_output=True,
        text=True
    )
    return result.stdout.strip()

token = get_secret('CLOUDFLARE_API_TOKEN')

---

Terraform Cloud Variables (Alternative)

Instead of loading from dotenvx every time, secrets can be stored in Terraform Cloud workspace variables.

Setting Workspace Variables

Via Terraform Cloud UI:

1. Go to workspace settings
2. Add variable (mark as sensitive)
3. Save

Via API (using script):

cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/cloudflare/foundation
export TF_CLOUD_TOKEN="your-token"
./set-tf-cloud-vars.sh "$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get CLOUDFLARE_API_TOKEN)"

Benefit: No need to load secrets locally Drawback: Secrets exist in two places (dotenvx + TF Cloud)

Recommendation: Use dotenvx + wrapper scripts (single source of truth)

---

Secret Rotation Procedures

Rotate Cloudflare API Token

1. Create new token:

• Cloudflare Dashboard → My Profile → API Tokens
• Create token with same permissions

2. Update dotenvx:

cd /Volumes/HOLE-RAID-DRIVE/dotenvx
dotenvx set CLOUDFLARE_API_TOKEN "new-token-here"

3. Test:

cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/cloudflare/foundation
./tf-with-dotenvx.sh plan

4. Revoke old token in Cloudflare Dashboard

5. Update audit log:

echo "$(date): Rotated CLOUDFLARE_API_TOKEN" >> /Volumes/HOLE-RAID-DRIVE/dotenvx/docs/AUDIT_LOG.md

Rotate AWS Credentials

1. Create new access key:

• AWS Console → IAM → Users → Security credentials
• Create access key

2. Update dotenvx:

cd /Volumes/HOLE-RAID-DRIVE/dotenvx
dotenvx set AWS_ACCESS_KEY_ID "new-key-id"
dotenvx set AWS_SECRET_ACCESS_KEY "new-secret-key"

3. Test:

export AWS_ACCESS_KEY_ID=$(dotenvx get AWS_ACCESS_KEY_ID)
export AWS_SECRET_ACCESS_KEY=$(dotenvx get AWS_SECRET_ACCESS_KEY)
aws sts get-caller-identity

4. Deactivate old key in AWS Console

5. Update audit log

Azure Re-authentication

Azure doesn't use dotenvx - re-authenticate via Azure CLI:

az logout
az login
az account set --subscription "de602062-dafa-4c8b-91b7-98a75bcd7cff"

Token stored by: Azure CLI (~/.azure/)

---

Wrapper Scripts

Cloudflare: tf-with-dotenvx.sh

Location: terraform/cloudflare/foundation/tf-with-dotenvx.sh

What it does:

1. Loads CLOUDFLARE_API_TOKEN from dotenvx
2. Exports CF_API_TOKEN and TF_VAR_cloudflare_api_token
3. Runs Terraform command

Usage:

./tf-with-dotenvx.sh plan
./tf-with-dotenvx.sh apply
./tf-with-dotenvx.sh state list

AWS: Create Similar Wrapper (Recommended)

Could create: terraform/aws/foundation/tf-with-dotenvx.sh

#!/bin/bash
export AWS_ACCESS_KEY_ID=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get AWS_ACCESS_KEY_ID)
export AWS_SECRET_ACCESS_KEY=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get AWS_SECRET_ACCESS_KEY)
export TF_VAR_aws_access_key="$AWS_ACCESS_KEY_ID"
export TF_VAR_aws_secret_key="$AWS_SECRET_ACCESS_KEY"
terraform "$@"

Benefits: Same UX as Cloudflare wrapper

---

Secret Security Rules

Critical Rules

1. NEVER commit secrets to version control

   • Add *.tfvars to .gitignore
   • Add .env* to .gitignore
   • Review git history before pushing

2. NEVER echo secrets in scripts

   # ❌ WRONG
   echo "Token: $SECRET"
   
   # ✅ CORRECT
   echo "Token loaded (${#SECRET} chars)"
   

3. NEVER store in plaintext outside dotenvx

   • Not in Terraform files
   • Not in scripts
   • Not in documentation

4. ALWAYS use environment variables for Terraform

   # ✅ CORRECT
   export TF_VAR_api_token="$(dotenvx get TOKEN)"
   
   # ❌ WRONG
   # Hardcoding in .tfvars file
   

5. ALWAYS audit secret access

   • Update audit log when retrieving secrets
   • Document rotation in audit log
   • Review audit log monthly

---

Troubleshooting

Secret Not Found

Error: "Secret not found" when running dotenvx get

Solutions:

# 1. List all secrets
cd /Volumes/HOLE-RAID-DRIVE/dotenvx
dotenvx get --all

# 2. Check secret name (case-sensitive)
# Use exact name from list

# 3. Add secret if missing
dotenvx set SECRET_NAME "value"

Terraform Can't Authenticate

Cloudflare:

# Verify token loaded
echo "CF_API_TOKEN length: ${#CF_API_TOKEN}"
echo "TF_VAR length: ${#TF_VAR_cloudflare_api_token}"
# Both should be 40

# Reload if needed
export CF_API_TOKEN=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get CLOUDFLARE_API_TOKEN)
export TF_VAR_cloudflare_api_token="$CF_API_TOKEN"

AWS:

# Test credentials
aws sts get-caller-identity

# Should return account 420073135340

Azure:

# Verify authentication
az account show

# Should show subscription de602062...

Permission Denied Errors

Check:

1. Correct account/subscription selected?
2. Secrets are current (not revoked)?
3. IAM permissions sufficient?

Azure-specific:

# Switch subscription
az account set --subscription "de602062-dafa-4c8b-91b7-98a75bcd7cff"

---

Multi-Cloud Secret Management Example

Complete Multi-Provider Deployment

#!/bin/bash
# Deploy across Cloudflare and AWS

set -e

echo "Loading secrets from dotenvx..."
cd /Volumes/HOLE-RAID-DRIVE/dotenvx

# Cloudflare
export CF_API_TOKEN=$(dotenvx get CLOUDFLARE_API_TOKEN)
export TF_VAR_cloudflare_api_token="$CF_API_TOKEN"

# AWS
export AWS_ACCESS_KEY_ID=$(dotenvx get AWS_ACCESS_KEY_ID)
export AWS_SECRET_ACCESS_KEY=$(dotenvx get AWS_SECRET_ACCESS_KEY)
export TF_VAR_aws_access_key="$AWS_ACCESS_KEY_ID"
export TF_VAR_aws_secret_key="$AWS_SECRET_ACCESS_KEY"

echo "✓ All secrets loaded"

# Deploy to AWS
echo "Deploying AWS infrastructure..."
cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/aws/foundation
terraform apply -auto-approve

# Deploy to Cloudflare
echo "Deploying Cloudflare infrastructure..."
cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/cloudflare/foundation
./tf-with-dotenvx.sh apply -auto-approve

echo "✓ Multi-cloud deployment complete!"

---

Quick Reference

Secret Locations

Provider	Secret	Command
Cloudflare	CLOUDFLARE_API_TOKEN	dotenvx get CLOUDFLARE_API_TOKEN
AWS	AWS_ACCESS_KEY_ID	dotenvx get AWS_ACCESS_KEY_ID
AWS	AWS_SECRET_ACCESS_KEY	dotenvx get AWS_SECRET_ACCESS_KEY
Azure	N/A	az account show
Terraform Cloud	TF_CLOUD_TOKEN	dotenvx get TF_CLOUD_TOKEN (TBD)

Wrapper Scripts

Provider	Script	Location
Cloudflare	tf-with-dotenvx.sh	terraform/cloudflare/foundation/
AWS	None (create one?)	terraform/aws/foundation/
Azure	None (uses az CLI)	terraform/production/

dotenvx Location

Path: /Volumes/HOLE-RAID-DRIVE/dotenvx

Key Files:

• .env - Encrypted secrets
• .env.keys - Encryption keys (NEVER commit)
• docs/AUDIT_LOG.md - Secret change history
• README.md - Complete dotenvx documentation

---

Integration Notes

Terraform Cloud Variables (Optional)

Alternative to dotenvx: Store secrets directly in Terraform Cloud workspace variables.

Pros:

• No local secret loading needed
• Centralized in TF Cloud
• Team access control

Cons:

• Secrets in two places (dotenvx + TF Cloud)
• More complex rotation
• Less flexible for non-Terraform tools

Recommendation: Use dotenvx + wrapper scripts (current approach) for consistency.

---

Version History

• 1.0.0 (2026-01-09) - Initial secret management skill
  • dotenvx integration for all providers
  • Wrapper script patterns documented
  • Provider-specific secret loading procedures
  • Rotation and security procedures