sensitive-data-in-local-value
Ensure no secrets are hard-coded in Terraform locals
Leaving hard-coded secrets in Terraform is generally bad security practice. There are many ways to use passwords and other credentials safely, including:
- environment variables, and using tfvars files
- remote backends, such as Consul
- encryption on commit, such as git-crypt
- encrypting state files using terrahelp
In this particular case, you have a suspiciously named value defined in a locals block. The name indicates that it could contain sensitive credentials.
The variable names that trigger this alert are:
- password
- secret
- private_key
- aws_access_key_id
- aws_secret_key
- token
- api_key
Insecure Example
locals {
  service_name = "my-service"
  api_key      = "some_api_key"
}
Secure Example
locals {
  service_name = "my-service"
  api_key      = var.api_key # (reference a variable or data source)
}
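As an added example that is not part of this page or the rule's own implementation, the following Python script applies the rule's logic to a constructed Terraform snippet: it reports locals entries whose name is on the list above and whose value is a quoted string literal, while references such as var.api_key or a data source attribute pass. The brace scanner and regexes are simplifications assumed here, not the tool's HCL parser.

```python
import re

# Local-value names the rule flags, as listed on this page.
SENSITIVE_NAMES = {"password", "secret", "private_key", "aws_access_key_id",
                   "aws_secret_key", "token", "api_key"}
# One `name = value` assignment per line inside a block body (value kept raw).
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$", re.MULTILINE)
# A value that is a plain quoted string, optionally followed by a # comment.
STRING_LITERAL = re.compile(r'^"([^"]*)"\s*(?:#.*)?$')

def _locals_bodies(hcl_text):
    """Yield the body of each `locals { ... }` block, tracking nested braces."""
    for m in re.finditer(r"\blocals\s*\{", hcl_text):
        depth, i = 1, m.end()
        while i < len(hcl_text) and depth:
            depth += {"{": 1, "}": -1}.get(hcl_text[i], 0)
            i += 1
        yield hcl_text[m.end():i - 1]

def find_hardcoded_secret_locals(hcl_text):
    """Return [(name, literal)] for sensitive-named locals set to a string literal."""
    findings = []
    for body in _locals_bodies(hcl_text):
        for m in ASSIGNMENT.finditer(body):
            name, value = m.group(1), m.group(2)
            if name.lower() not in SENSITIVE_NAMES:
                continue
            # References (var.x, data.x.y) are not string literals and pass.
            literal = STRING_LITERAL.match(value)
            if literal:
                findings.append((name, literal.group(1)))
    return findings

# Constructed sample; the credential strings are placeholders, not real secrets.
SAMPLE_TF = """
locals {
  service_name = "my-service"
  api_key      = "some_api_key"
  password     = "hunter2"  # constructed placeholder
  token        = var.token
}
locals {
  tags   = { team = "platform" }
  secret = data.aws_secretsmanager_secret_version.app.secret_string
}
"""

if __name__ == "__main__":
    for name, literal in find_hardcoded_secret_locals(SAMPLE_TF):
        print(f"hard-coded secret in local {name!r}: {literal!r}")
```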
More information