Skip to content


Ensure no secrets are hard-coded in Terraform locals

Leaving hardcoded secrets in terraform is generally bad security practice. There are many ways to use passwords and other credentials safely, including:

  • environment variables, and using tfvars files
  • remote backends, such as a Consol
  • encryption on commit, such as git-crypt
  • encrypting state files using terrahelp

In this particular case, you have a suspiciously named variable defined in a locals section. The naming of the variable indicates that it could contain sensitive credentials.

The variable names that trigger this alert are:

  • password
  • secret
  • private_key
  • aws_access_key_id
  • aws_secret_key
  • token
  • api_key

Insecure Example

locals {
  service_name = "my-service"
  api_key      = "some_api_key"

Secure Example

locals {
  service_name = "my-service"
  api_key      = var.api_key    # (reference a variable or data source)

More information