HashiCorp Certified Terraform Associate: Safe Ways to Inject Sensitive Values into a Terraform Cloud Workspace

Learn the safe methods to inject sensitive values into a Terraform Cloud workspace. Discover the best practices and avoid common pitfalls.

Question

Which of the following is not considered a safe way to inject sensitive values into a Terraform Cloud workspace?

A. Edit the state file directly just before running terraform apply
B. Set the variable value on the command line with the -var flag
C. Write the value to a file and specify the file with the -var-file flag

Answer

C. Write the value to a file and specify the file with the -var-file flag

Explanation

A. Edit the state file directly just before running terraform apply

Editing the state file directly to inject sensitive values is not considered a safe practice in Terraform Cloud workspaces. The state file should be treated as a read-only artifact, and modifying it manually can lead to inconsistencies and conflicts. Terraform relies on the state file to track the current state of resources, and modifying it directly can cause Terraform to lose track of the actual state, potentially leading to unexpected behavior or data loss.

B. Set the variable value on the command line with the -var flag

Setting sensitive variable values on the command line using the -var flag is not recommended as a safe way to inject sensitive values into a Terraform Cloud workspace. Command-line arguments, including variable values, are often logged and may be visible to other users or processes running on the same system. This poses a security risk as sensitive information could be exposed inadvertently.

C. Write the value to a file and specify the file with the -var-file flag

Writing sensitive values to a file and specifying the file using the -var-file flag is considered a safer approach than the previous options. By storing sensitive values in a separate file, you can control access to that file and ensure it is not accidentally committed to version control or exposed in logs. However, it’s important to properly secure the file containing sensitive values and restrict access to it.

The recommended and safest way to inject sensitive values into a Terraform Cloud workspace is to use Terraform Cloud’s built-in sensitive variable functionality. Terraform Cloud provides a secure mechanism to store and manage sensitive values as environment variables within the workspace settings. These sensitive variables are encrypted at rest and are only decrypted during the execution of Terraform runs. This approach ensures that sensitive values are not exposed in logs, command-line arguments, or version control systems.
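The following added example (not part of the original page or HashiCorp's own code) creates a sensitive environment variable in a workspace through the Terraform Cloud workspace variables API, reading the secret from a no-echo prompt so it never appears in command-line arguments or in a file on disk. The environment variable names `TFC_TOKEN` and `TFC_WORKSPACE_ID` and the key `DB_PASSWORD` are assumptions chosen for illustration.

```python
import copy
import json
import os
import urllib.request
from getpass import getpass

API = "https://app.terraform.io/api/v2"  # Terraform Cloud API base URL


def build_payload(key, value, category="env"):
    """JSON:API body for creating a workspace variable marked sensitive."""
    return {"data": {"type": "vars", "attributes": {
        "key": key,
        "value": value,
        "category": category,   # "env" or "terraform"
        "hcl": False,
        "sensitive": True,      # value is not shown by the UI or API afterwards
    }}}


def redacted(payload):
    """Copy of the payload that is safe to log: the value is masked."""
    safe = copy.deepcopy(payload)
    safe["data"]["attributes"]["value"] = "***"
    return safe


def build_request(workspace_id, token, payload):
    """POST request; the secret travels only in the body, never in argv or the URL."""
    return urllib.request.Request(
        f"{API}/workspaces/{workspace_id}/vars",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/vnd.api+json",
        },
    )


if __name__ == "__main__":
    # Assumed environment variable names (hypothetical, not defined by Terraform).
    token = os.environ["TFC_TOKEN"]
    workspace_id = os.environ["TFC_WORKSPACE_ID"]
    secret = getpass("Value for DB_PASSWORD: ")  # no echo, no argv, no file
    payload = build_payload("DB_PASSWORD", secret)
    print("creating:", json.dumps(redacted(payload)))  # log the masked copy only
    with urllib.request.urlopen(build_request(workspace_id, token, payload)) as resp:
        print("status:", resp.status)
```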
