u/PurchasePatient5465

Terraform + GitHub Actions + 30+ secrets -> is Vault actually the right solution here?

I have a fairly large Terraform setup that manages servers + DNS and almost all related configuration: Docker setups, service configs, JSON/YAML files, secrets, etc. Server images are built with Packer. Deployments run exclusively through GitHub Actions, and Terraform state is stored in PostgreSQL.
Right now, I pass all secrets through GitHub Actions Secrets and inject them into Terraform variables. It works technically, but it increasingly feels like the wrong approach — I’m now at around 30 secrets just for the pipeline.

I’m trying to understand whether HashiCorp Vault is actually the right solution here or whether I’d just be adding unnecessary complexity. Most Vault explanations feel very abstract to me. What I’m really looking for is a pragmatic setup for:

- centralized secret management
- secure usage in GitHub Actions
- clean Terraform integration
- avoiding secret sprawl
- scaling cleanly across many services/hosts

How are people handling this in larger Terraform environments? Are you using Vault, 1Password, SOPS, cloud secret managers, or something else entirely? And at what point does Vault actually become worth it?

EDIT: Servers and most other things run on Hetzner. Other providers in use: Cloudflare (public DNS), cloud-init (server setup, configuring everything possible such as installs and configuration) and Twingate (ZTNA).

u/PurchasePatient5465 — 9 days ago
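The pragmatic Vault setup the post asks about, as an added example that is not part of the original thread: the Vault side is itself managed in Terraform, GitHub Actions logs in with its short-lived OIDC token instead of a stored credential, and the infra run reads the per-provider secrets from Vault rather than from ~30 injected variables. Organisation, repository, mount path, role and policy names are placeholders; the admin half and the consumer half would normally live in separate Terraform roots.

```hcl
# Added example (not from the post): Vault configured via Terraform so the
# pipeline authenticates with a GitHub OIDC token. Names and paths are placeholders.

terraform {
  required_providers {
    vault      = { source = "hashicorp/vault", version = "~> 4.0" }
    cloudflare = { source = "cloudflare/cloudflare", version = "~> 4.0" }
  }
}

# Assumes VAULT_ADDR / VAULT_TOKEN are set for the bootstrap run that applies this.
provider "vault" {}

# KV v2 mount holding the per-provider credentials (Hetzner, Cloudflare, Twingate, ...).
resource "vault_mount" "pipeline" {
  path    = "pipeline"          # placeholder mount path
  type    = "kv"
  options = { version = "2" }
}

# Trust GitHub's OIDC issuer. No static credential is ever stored on the GitHub side.
resource "vault_jwt_auth_backend" "github" {
  path               = "github-oidc"
  type               = "jwt"
  oidc_discovery_url = "https://token.actions.githubusercontent.com"
  bound_issuer       = "https://token.actions.githubusercontent.com"
}

# Least privilege: read-only on this pipeline's secrets, nothing else.
resource "vault_policy" "deploy" {
  name   = "gha-deploy"
  policy = <<-EOT
    path "pipeline/data/*" {
      capabilities = ["read"]
    }
  EOT
}

# Only workflows from this repo on the main branch may log in; the token they
# receive is short-lived and limited to the policy above.
resource "vault_jwt_auth_backend_role" "deploy" {
  backend           = vault_jwt_auth_backend.github.path
  role_name         = "gha-deploy"
  role_type         = "jwt"
  user_claim        = "repository"
  bound_audiences   = ["https://github.com/example-org"] # placeholder; must equal the audience the workflow requests
  bound_claims_type = "string"
  bound_claims = {
    repository = "example-org/infra"   # placeholder
    ref        = "refs/heads/main"
  }
  token_policies = [vault_policy.deploy.name]
  token_ttl      = 900   # seconds; long enough for one apply
  token_max_ttl  = 900
}

# Consumer side (the infra run): read the Cloudflare token from Vault instead
# of a TF_VAR_ injected from a GitHub Actions secret.
data "vault_kv_secret_v2" "cloudflare" {
  mount = vault_mount.pipeline.path
  name  = "cloudflare"               # placeholder secret name
}

provider "cloudflare" {
  api_token = data.vault_kv_secret_v2.cloudflare.data["api_token"]
}
```

On the workflow side this pairs with `permissions: id-token: write` and `hashicorp/vault-action` using `method: jwt` and the role above, so the only thing GitHub needs to know is the Vault URL. Two caveats a reviewer would raise: the `bound_claims` on repository and ref are what stop any other workflow in the organisation from obtaining the token, so keep them tight; and values read through a data source are persisted in Terraform state, so the PostgreSQL state backend must be protected as a secret store (newer Terraform releases offer ephemeral resources to avoid that persistence).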