sensitive-data-in-default-variable
Ensure no sensitive secrets are present in Terraform variable defaults
Leaving hardcoded secrets in Terraform configuration is bad security practice: a value in a variable default is committed with the code and visible to anyone who can read the repository. There are many ways to supply passwords and other credentials safely, including:
- environment variables (TF_VAR_name) and tfvars files kept out of version control
- remote backends, such as Consul
- encryption on commit, such as git-crypt
- encrypting state files using terrahelp
Insecure Example
variable "password" {
  description = "Password for the user"
  type        = string
  default     = "admin"   # credential hardcoded in the configuration
}
Secure Example
variable "password" {
  description = "Password for the user"
  type        = string
  default     = null      # no default: the value must be supplied at plan/apply time
}
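The check above can be reproduced as a small pre-commit heuristic. This is an added example, not the checker's own implementation: it matches single-level `variable` blocks with a regular expression rather than a real HCL parser, and the list of sensitive-looking variable names is an assumption you should extend for your own naming conventions.

```python
"""Heuristic scan for hardcoded secrets in Terraform variable defaults."""
import re

# Variable names that usually carry credentials (constructed list, extend as needed).
SENSITIVE_NAME = re.compile(
    r"(password|passwd|secret|token|api_?key|private_?key|credential)", re.I
)
# Matches:  variable "name" { ... }  with the body captured up to the closing brace.
VARIABLE_BLOCK = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
DEFAULT_LINE = re.compile(r'^\s*default\s*=\s*(.+?)\s*$', re.M)


def find_sensitive_defaults(hcl: str) -> list[tuple[str, str]]:
    """Return (variable_name, default_value) for every sensitive-looking
    variable whose default is a concrete value rather than null or ""."""
    findings = []
    for name, body in VARIABLE_BLOCK.findall(hcl):
        if not SENSITIVE_NAME.search(name):
            continue
        m = DEFAULT_LINE.search(body)
        if m is None:
            continue  # no default at all: value must be supplied at plan time
        value = m.group(1)
        if value in ("null", '""'):
            continue  # null / empty default still forces the caller to provide it
        findings.append((name, value))
    return findings


# Constructed sample: the insecure and secure variable blocks from this page.
INSECURE = '''
variable "password" {
  description = "Password for the user"
  type        = string
  default     = "admin"
}
'''

SECURE = INSECURE.replace('default     = "admin"', 'default     = null')

if __name__ == "__main__":
    for label, text in (("insecure", INSECURE), ("secure", SECURE)):
        print(label, find_sensitive_defaults(text))
```

Run against the insecure block it reports `("password", '"admin"')`; the secure block produces no findings.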
More information