sensitive-data-in-local-value

Ensure no secrets are hard-coded in Terraform locals

Leaving hardcoded secrets in terraform is generally bad security practice. There are many ways to use passwords and other credentials safely, including:

• environment variables, and using tfvars files
• remote backends, such as a Consol
• encryption on commit, such as git-crypt
• encrypting state files using terrahelp

In this particular case, you have a suspiciously named variable defined in a locals section. The naming of the variable indicates that it could contain sensitive credentials.

The variable names that trigger this alert are:

• password
• secret
• private_key
• aws_access_key_id
• aws_secret_key
• token
• api_key

Insecure Example

locals {
  service_name = "my-service"
  api_key      = "some_api_key"
}

Secure Example

locals {
  service_name = "my-service"
  api_key      = var.api_key    # (reference a variable or data source)
}

More information

• Github Discussion on storing sensitive data in terraform
• Terraform Backends
• Terraform Locals
• Terraform State Storage
• Terraform Variables