general-secrets-sensitive-in-attribute.md

File metadata and controls

34 lines (23 loc) · 940 Bytes

Pattern: Potentially sensitive data stored in block attribute

Issue: -

Description

Sensitive attributes such as passwords and API tokens should not appear in your templates, especially in plaintext. Declare variables to hold the secrets instead, assuming you can supply values for those variables in a secure fashion (for example from the environment or a tfvars file kept out of version control). Alternatively, keep these secrets in a secure secret store, such as AWS KMS, and reference them from the configuration.

NOTE: It is also recommended to store your Terraform state in an encrypted form, because the state file records the final values of these attributes regardless of how they were supplied.

Resolution: Don't include sensitive data in blocks.

Examples

Example of incorrect code:

```hcl
resource "evil_corp" "bad_example" {
  root_password = "p4ssw0rd"
}
```

Example of correct code:

```hcl
variable "password" {
  description = "The root password for our VM"
  type        = string
}

resource "evil_corp" "good_example" {
  root_password = var.password
}
```
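The two approaches the description names, carried through as an added example that is not part of the original page: a `sensitive` variable fed from outside the code, the AWS provider's `aws_kms_secrets` data source for a KMS-encrypted secret, and an encrypted S3 backend for the state. `evil_corp` is the page's placeholder provider; the bucket name, key alias and ciphertext are placeholders to replace.

```hcl
# Approach 1: a variable that never holds a literal in the template.
# `sensitive = true` (Terraform >= 0.14) redacts the value in plan/apply output.
variable "password" {
  description = "The root password for our VM"
  type        = string
  sensitive   = true
}

# Supply the value outside the code, e.g. before running terraform:
#   export TF_VAR_password="$(pass show vm/root)"
# or via a *.tfvars file that is excluded from version control.
resource "evil_corp" "from_variable" {
  root_password = var.password
}

# Approach 2: only a KMS ciphertext lives in the repository; decrypting it
# at plan time requires kms:Decrypt on the key, so a leaked repo is not enough.
data "aws_kms_secrets" "root" {
  secret {
    name    = "root_password"
    payload = "REPLACE_WITH_BASE64_CIPHERTEXT_FROM_aws_kms_encrypt" # placeholder
  }
}

resource "evil_corp" "from_kms" {
  root_password = data.aws_kms_secrets.root.plaintext["root_password"]
}

# Either way the resolved password ends up in the state file, so store the
# state encrypted (server-side encryption with a customer-managed KMS key here).
terraform {
  backend "s3" {
    bucket     = "example-terraform-state"   # placeholder bucket
    key        = "vm/terraform.tfstate"
    region     = "eu-west-1"
    encrypt    = true
    kms_key_id = "alias/terraform-state"      # placeholder key alias
  }
}
```

Restricting `kms:Decrypt` on the key to the role that runs Terraform keeps the ciphertext safe to commit while still preventing anyone with only repository access from recovering the password.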