In Infrastructure as Code (IaC), why should sensitive information like passwords or API keys not be hardcoded directly in Terraform files?
Think about who can see the code and what happens if secrets are exposed.
Hardcoding secrets in Terraform files risks exposing them in places like version control systems or logs. This can lead to unauthorized access to cloud resources. Instead, secrets should be stored securely and injected at runtime.
Which method is the most secure way to handle sensitive values like passwords in Terraform configurations?
Consider how secrets can be kept out of code and safely injected during deployment.
Using environment variables or dedicated secret management services keeps secrets out of code and version control. Marking variables as sensitive in Terraform prevents them from being shown in logs.
Terraform stores state files to track infrastructure. What is the risk if these state files contain unencrypted sensitive data?
Think about who can access the state file and what information it contains.
State files often contain sensitive data in plain text. If not encrypted or access-controlled, anyone who can read the state file can steal secrets or modify infrastructure.
Which backend configuration best protects Terraform state files containing sensitive data?
Consider how to protect state files from unauthorized access and accidental loss.
Remote backends with encryption, strict access controls, and versioning protect state files from unauthorized access and accidental deletion.
Which practice most effectively prevents accidental exposure of secrets during Terraform development and deployment?
Think about how automation can help catch mistakes early.
Automated scanning tools detect secrets in code and state files before they are committed or deployed, reducing human error and accidental exposure.