
sensitive-data-in-block-attribute

Ensure no sensitive secrets are hard coded in Terraform resources

Leaving hard-coded secrets in Terraform source is generally bad security practice: the value ends up in version control, in plan output and in the state file. There are many ways to use passwords and other credentials safely, including:

  • environment variables, and using tfvars files
  • remote backends, such as Consul
  • encryption on commit, such as git-crypt
  • encrypting state files using terrahelp

Additionally, each cloud provider provides some form of encrypted key store which may be used to hold sensitive credentials. These can often be read from within Terraform as "data sources". For instance, AWS has Parameter Store or Secrets Manager and Azure has Key Vault.

Insecure Example

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
}

Secure Example

data "aws_ssm_parameter" "password" {
  name = "foo"
}

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = data.aws_ssm_parameter.password.value
  parameter_group_name = "default.mysql5.7"
}
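To show what this check actually looks for, here is an added example (not the tfsec implementation itself) of a small Python scanner that walks Terraform source line by line and flags attributes with a sensitive-looking name whose value is a plain string literal, while accepting references such as data.aws_ssm_parameter.password.value or var.db_password. The sensitive-name list, the regexes and the sample input are all assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Attribute names treated as sensitive. Assumption: an illustrative list,
# not the exact pattern table the tfsec check uses.
SENSITIVE_NAME = re.compile(r"password|passwd|secret|token|api_key|private_key", re.I)
BLOCK_HEADER = re.compile(r'^\s*(resource|data|module|provider)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{')
ATTRIBUTE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')

@dataclass
class Finding:
    line: int
    block: str
    attribute: str

def scan_hcl(text: str) -> list[Finding]:
    """Flag sensitive attributes whose value is a plain string literal.
    References (var.x, data.x.y.value) and "${...}" interpolations pass."""
    findings, block, depth = [], "<root>", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # strip '#' line comments
        header = BLOCK_HEADER.match(line)
        if header and depth == 0:
            block = ".".join(p for p in header.groups() if p)
        attr = ATTRIBUTE.match(line)
        if attr and depth > 0:
            name, value = attr.groups()
            if SENSITIVE_NAME.search(name) and STRING_LITERAL.match(value) and "${" not in value:
                findings.append(Finding(lineno, block, name))
        depth += line.count("{") - line.count("}")  # naive brace tracking
    return findings

# Constructed sample: the page's insecure block, then its secure counterpart.
SAMPLE = '''resource "aws_db_instance" "default" {
  username = "foo"
  password = "foobarbaz"
}
data "aws_ssm_parameter" "password" {
  name = "foo"
}
resource "aws_db_instance" "secure" {
  username = "foo"
  password = data.aws_ssm_parameter.password.value
}'''

if __name__ == "__main__":
    for f in scan_hcl(SAMPLE):
        print(f"line {f.line}: {f.block} hard-codes {f.attribute!r}")
```

Note that the data block labelled "password" is not flagged: only attribute values are inspected, which is why the secure example above passes while the insecure one does not.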

More information