
sensitive-data-in-default-variable

Ensure no sensitive secrets are present in Terraform variable defaults

Leaving hardcoded secrets in Terraform code is bad security practice: a default value in a variable block is committed to version control and readable by everyone with access to the repository and to the state it produces. There are many ways to supply passwords and other credentials safely, including:

  • environment variables (TF_VAR_<name>) or a tfvars file that is kept out of version control
  • remote backends, such as Consul
  • encryption on commit, such as git-crypt
  • encrypting state files using terrahelp

Insecure Example

variable "password" {
  description = "Password for the user"
  type        = string
  default     = "admin" # hardcoded credential, committed with the code
}

Secure Example

variable "password" {
  description = "Password for the user"
  type        = string
  default     = null # no usable default: the caller must supply the value
}
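The check behind this rule can be approximated in a few lines, which is useful for spotting the pattern in a pre-commit hook or a CI job where tfsec is not available. The following is an added example written for this page, not tfsec's own implementation: it is a regex-based heuristic rather than a real HCL parser, the list of sensitive name fragments is an assumption, and the sample Terraform is constructed to cover both examples above plus two edge cases. Note that marking a variable sensitive = true only redacts it from plan and apply output; a committed default is still a hardcoded secret, so the scanner flags it too.

```python
import re
from typing import List, Tuple

# Name fragments that mark a variable as likely holding a credential.
# Assumed for this example; tfsec maintains its own list.
SENSITIVE_NAME_PATTERNS = re.compile(
    r"(passw(or)?d|secret|token|api_?key|private_?key|credential)", re.IGNORECASE
)

VARIABLE_HEADER = re.compile(r'variable\s+"([^"]+)"\s*\{')
DEFAULT_LINE = re.compile(r"^\s*default\s*=\s*(.+?)\s*$", re.MULTILINE)


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching close.

    Brace counting is enough for variable blocks, which may nest a
    validation {} block; defaults containing literal braces in strings are
    rare and would simply extend the scanned region."""
    depth = 0
    for i in range(open_brace, len(text)):
        ch = text[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1 : i]
    raise ValueError("unbalanced braces in variable block")


def find_sensitive_defaults(hcl: str) -> List[Tuple[str, str]]:
    """Return (variable_name, default_value) for every variable whose name
    looks sensitive and whose default is a concrete value.

    A missing default, default = null, or default = "" is not reported:
    none of them ships a usable credential with the code."""
    findings: List[Tuple[str, str]] = []
    for header in VARIABLE_HEADER.finditer(hcl):
        name = header.group(1)
        if not SENSITIVE_NAME_PATTERNS.search(name):
            continue
        body = _block_body(hcl, header.end() - 1)  # header ends on the "{"
        default = DEFAULT_LINE.search(body)
        if default is None:
            continue
        value = default.group(1)
        if value in ("null", '""'):
            continue
        findings.append((name, value))
    return findings


# Constructed sample input: the page's insecure and secure examples plus a
# sensitive = true variable that still carries a default, a variable with no
# default at all, and a non-secret variable that must not be flagged.
SAMPLE_TF = '''
variable "password" {
  description = "Password for the user"
  type        = string
  default     = "admin"
}

variable "db_password" {
  description = "Redacted from output, but the default is still committed"
  type        = string
  sensitive   = true
  default     = "hunter2"
}

variable "api_token" {
  description = "No default: supplied via TF_VAR_api_token or a tfvars file"
  type        = string
  sensitive   = true
}

variable "admin_password" {
  description = "Null default: the caller must supply a value"
  type        = string
  default     = null
  validation {
    condition     = var.admin_password == null || length(var.admin_password) >= 12
    error_message = "Password must be at least 12 characters."
  }
}

variable "region" {
  type    = string
  default = "us-east-1"
}
'''

if __name__ == "__main__":
    for var_name, var_default in find_sensitive_defaults(SAMPLE_TF):
        print(f'variable "{var_name}" has a hardcoded sensitive default: {var_default}')
```

Running the block reports password and db_password and nothing else. Once the default is gone, the value is supplied at run time: export TF_VAR_password before terraform plan, or put it in a tfvars file passed with -var-file and listed in .gitignore, so the secret lives in the operator's environment or a secrets store rather than in the repository.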

More information