What is the recommended way to manage sensitive data like database passwords in Terraform?

  A. Store them in plaintext in terraform.tfvars
  B. Environment variables alone without any backend security
  C. Hardcode them directly in configuration files
  D. Store them in Terraform variables and use remote backends with encryption ✓

Correct answer: Store them in Terraform variables and use remote backends with encryption

Option D is correct because the recommended Terraform practice for sensitive data is to pass it through input variables (avoiding hardcoding) and store state in a remote backend such as Terraform Cloud, AWS S3 with server-side encryption, or Azure Blob Storage with encryption, ensuring secrets are never exposed in plain text in version control or local state files. Option A is wrong because storing secrets in plaintext in terraform.tfvars and committing that file to source control exposes credentials to anyone with repository access. Option B is wrong because environment variables alone do not protect the sensitive value once it is written into Terraform state, which can expose it unless the backend itself is encrypted. Option C is wrong because hardcoding secrets directly in configuration files is the most dangerous anti-pattern, embedding credentials in version-controlled code permanently.

Topic: terraform, secrets management, remote backend, infrastructure as code
