Home > front end >  terraform storing sensitive data in state file
terraform storing sensitive data in state file

Time:10-22

I am using variables with sensitivity true, even though, state file stores id and password. Any how to avoid it?

variable "rs_master_pass" {
  type = string
  sensitive = true
}

In state file,

 "master_password": 'password'

Even though, taking out from state manually, comes back in each apply.

CodePudding user response:

There is no "easy" way to avoid that. You must simply not hard-code the values in your TF files. Setting sensitive = true does not protect against having the secrets in plain text as you noticed.

The general ways for properly handling secrets in TF are:

  • use specialized, external vaults, such as Terraform Vault, AWS Parameter Store or AWS Secret Manger. They have to be set separately as to again not having their secrets available in TF state file.
  • use local-exec to setup the secrets outside of TF. Whatever you do in local-exec does not get stored in TF state file. This often is done to change dummy secrets that may be required in your TF code (e.g. RDS password) to the actual values outside of TF knowledge.
  • if the above solutions are not accessible, then you have to protect your state file (its good practice anyway). This is often done by storing it remotely in S3 under strict access policies.

Page link:https//www.codepudding.com/frontend/162771.html

Prev:AWS ECR layer already exists when pushing a updated docker version
Next:Module not found for lambda layer (AWS, JavaScript)
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding