A simple proof of concept: how to share some sensitive variables between terraform and ansible in a way that allows committing them into git, while also being reasonably easy to decrypt and usable natively from an ansible play.
Let's create some sensitive variables for the ansible play in env-default-secure-vars.yml:
https://gist.github.com/0ec879dfad327ffd584852f2eddcc4ef
and encrypt this file using ansible-vault encrypt env-default-secure-vars.yml
Let's check that ansible can work with the encrypted vars, using a playbook
https://gist.github.com/f9d35b6f63e7fb45188a96052c297b99
https://gist.github.com/f9fba49347df9c7aa2beeaad183e134b
Now let's see how we can consume the same data in terraform.
Fortunately, terraform has a built-in provider, external, that allows consuming a JSON feed returned by an external program
https://gist.github.com/38318b50fe2c0c1fdaae1284dcbdbaa9
Let's write a shell routine that returns a JSON representation of the encrypted vars.
https://gist.github.com/dcf8014dd4a51f68bf1b5ed8f2f84b0b
Checking that the script works ...
https://gist.github.com/77bd4dcb838fd50669b026ace1c693c6
and now let's check it from a terraform play:
https://gist.github.com/6d13a434a05c82832f53960a54d32512
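The shell routine behind the external data source, written here as an added example (not the gist from the original post): it drains the query JSON terraform sends on stdin, decrypts the vault file in memory with ansible-vault view, and turns the flat key: value YAML into the single flat JSON object of strings that the external provider requires. The file name, the VAULT_FILE override and the "run" argument are assumptions of this example.

```sh
#!/bin/sh
# Added example: program for terraform's "external" data source.
# Wire it up with: program = ["sh", "vault_to_json.sh", "run"]
# VAULT_FILE and the "run" argument are assumptions of this example.
set -eu

VAULT_FILE="${VAULT_FILE:-env-default-secure-vars.yml}"

# Escape backslashes and double quotes so the value is a valid JSON string.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Drop leading whitespace and one pair of matching surrounding quotes.
trim_value() {
  v="$1"
  v="${v#"${v%%[![:space:]]*}"}"
  case "$v" in
    \"*\") v="${v#\"}"; v="${v%\"}" ;;
    \'*\') v="${v#\'}"; v="${v%\'}" ;;
  esac
  printf '%s' "$v"
}

# Convert flat "key: value" YAML on stdin into one JSON object on stdout.
# Nested YAML is deliberately unsupported: the external provider only
# accepts a flat map of strings, so keep the vault file flat as well.
yaml_to_json() {
  first=1
  printf '{'
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*|'---'*) continue ;;   # blanks, comments, document marker
    esac
    key="${line%%:*}"
    value="$(trim_value "${line#*:}")"
    [ "$first" -eq 1 ] || printf ','
    first=0
    printf '"%s":"%s"' "$(json_escape "$key")" "$(json_escape "$value")"
  done
  printf '}\n'
}

# Entry point used by terraform. Plaintext never touches disk here, but it
# still lands in terraform.tfstate once the data source is read.
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
  cat >/dev/null               # consume the query object terraform pipes in
  ansible-vault view "$VAULT_FILE" | yaml_to_json
fi
```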
It seems to work and looks very promising, but let's look into terraform.tfstate
https://gist.github.com/bac317ccd33033686c091511e85a3811
There we see our decrypted secure vars in plain text, so still be cautious about how you store the state file. Terraform has had a number of tickets around similar issues (hashicorp/terraform#4436) open for a few years, with no good solution so far.
This POC shows how you can share some of your provisioning variables with terraform and back (terraform can generate a variables yml file). It might be suitable for some situations, although it is not ideal.
Check out the example at https://github.com/Voronenko/poc-terraform-ansible-bridge