# sensitive-data-in-block-attribute

Ensure no sensitive secrets are hard coded in Terraform resources
Leaving hardcoded secrets in Terraform is generally bad security practice: anything written into a `.tf` file ends up in version control and in plan output. There are many ways to use passwords and other credentials safely, including:

- environment variables, and using tfvars files
- remote backends, such as Consul
- encryption on commit, such as git-crypt
- encrypting state files using terrahelp

Additionally, each cloud provider provides some form of encrypted key store which may be used to store sensitive credentials. These may often be used within Terraform as "data sources". For instance, AWS has Parameter Store or Secrets Manager and Azure has Key Vault.
## Insecure Example

```hcl
resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
}
```
## Secure Example

```hcl
data "aws_ssm_parameter" "password" {
  name = "foo"
}

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = data.aws_ssm_parameter.password.value
  parameter_group_name = "default.mysql5.7"
}
```
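As an added illustration of the kind of check this rule performs (example code written for this page, not the scanner's own implementation), the following Python script flags quoted string literals assigned to sensitive-looking attributes while accepting references such as `data.aws_ssm_parameter.password.value` or `var.*`. The attribute-name list and the line-based parsing are simplifications assumed for the example, and the two HCL samples are constructed from the snippets above.

```python
import re

# Assumed list of attribute-name fragments treated as sensitive (not the tool's own list).
SENSITIVE_ATTRS = ("password", "secret", "token", "api_key", "private_key")

# `name = value` inside a block; the value runs to the end of the line.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# `resource "type" "name" {`, `data "type" "name" {`, `provider "x" {`, ...
BLOCK_RE = re.compile(r'^\s*(resource|data|module|provider)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{')


def is_literal(value):
    """True when the value is a plain quoted string, not a reference or interpolation."""
    v = value.strip()
    return v.startswith('"') and v.endswith('"') and "${" not in v


def find_hardcoded_secrets(hcl):
    """Return (line, block, attribute) for every sensitive attribute given a literal value."""
    findings = []
    block = None
    for lineno, line in enumerate(hcl.splitlines(), 1):
        m = BLOCK_RE.match(line)
        if m:
            block = ".".join(p for p in m.groups() if p)
            continue
        if line.strip() == "}":
            block = None
            continue
        m = ASSIGN_RE.match(line)
        if not m or block is None:
            continue
        name, value = m.group(1), m.group(2)
        if any(s in name.lower() for s in SENSITIVE_ATTRS) and is_literal(value):
            findings.append((lineno, block, name))
    return findings


# Constructed samples, trimmed from the insecure and secure examples above.
INSECURE = '''
resource "aws_db_instance" "default" {
  username = "foo"
  password = "foobarbaz"
}
'''
SECURE = '''
data "aws_ssm_parameter" "password" {
  name = "foo"
}
resource "aws_db_instance" "default" {
  username = "foo"
  password = data.aws_ssm_parameter.password.value
}
'''
```

Running `find_hardcoded_secrets(INSECURE)` reports the literal `password` on line 4 of the sample, while the secure sample produces no findings because its value is a data-source reference.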
## More information