What is the primary purpose of marking a variable as sensitive = true in Terraform?
Think about what happens when Terraform shows outputs during execution.
Marking a variable as sensitive hides its value from Terraform's output logs and plan/apply outputs to avoid accidental exposure. It does not encrypt the state file or restrict usage.
Which Terraform variable declaration correctly marks the variable db_password as sensitive?
Check the exact attribute name Terraform uses for marking variables as sensitive.
The correct attribute is sensitive = true. Other attribute names like secret, hidden, or secure are invalid and cause errors.
Given this Terraform output block:
output "db_password" {
  value     = var.db_password
  sensitive = true
}
What will happen when you run terraform apply?
Consider how Terraform treats outputs marked as sensitive during apply.
Outputs marked as sensitive are hidden from CLI output after apply to avoid exposing secrets. The state file still contains the value unencrypted.
Which statement about sensitive variables and Terraform state files is true?
Think about what Terraform does with sensitive data internally.
Terraform stores sensitive variables in the state file in plain text by default. To protect them, you must use backend encryption or external secrets management.
You want to manage sensitive variables like API keys securely in Terraform for a team project. Which approach is the best practice?
Consider how to avoid exposing secrets in code and state files.
Best practice is to avoid storing secrets in code or state files. Using environment variables or external secrets managers keeps sensitive data out of version control and reduces exposure risk.