Handling Sensitive Values in State

Many organizations use Terraform to manage their entire infrastructure, so it is inevitable that sensitive information (credentials, keys, tokens) will find its way into Terraform. There are two recommended approaches for managing sensitive state in Terraform, described below.

Using the Sensitive Flag

When working with a field that contains information likely to be considered sensitive, set the Sensitive property on its schema to true. This prevents the field's values from being displayed in CLI output and in Terraform Cloud. It does not, however, encrypt or obscure the value in the state: the cleartext is still written to the state file, so protecting state at rest remains the backend's job.
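To make the difference concrete, here is an added example (not code from the Terraform SDK or this documentation) that models what the Sensitive flag does. It uses a tiny stand-in for the schema map instead of importing the SDK; in real SDKv2 code the equivalent is `Sensitive: true` on a `schema.Schema`. The attribute names and values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Attr is a minimal stand-in for the schema properties this example needs.
// In SDKv2 the real type is schema.Schema, whose Sensitive field does the same job.
type Attr struct {
	Sensitive bool
}

// credentialSchema is a constructed schema for a hypothetical resource with
// one ordinary attribute and one sensitive attribute.
var credentialSchema = map[string]Attr{
	"username": {Sensitive: false},
	"password": {Sensitive: true},
}

// Redact models the CLI/Terraform Cloud view: attributes whose schema is
// marked Sensitive are replaced with the "(sensitive value)" marker.
func Redact(schema map[string]Attr, attrs map[string]string) map[string]string {
	out := make(map[string]string, len(attrs))
	for k, v := range attrs {
		if schema[k].Sensitive {
			out[k] = "(sensitive value)"
		} else {
			out[k] = v
		}
	}
	return out
}

// StateJSON models what is written to the state file. Note that it takes no
// schema argument at all: the Sensitive flag has no effect here, so the
// cleartext value lands in state unchanged.
func StateJSON(attrs map[string]string) string {
	b, _ := json.Marshal(attrs)
	return string(b)
}

func main() {
	// Constructed attribute values for the hypothetical resource.
	attrs := map[string]string{"username": "svc-deploy", "password": "hunter2"}
	fmt.Println("CLI output: ", Redact(credentialSchema, attrs))
	fmt.Println("state file: ", StateJSON(attrs))
}
```

Running it shows the password redacted in the CLI view but present verbatim in the state JSON, which is why an encrypting remote backend is still required.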

Don't Encrypt State

One experiment that has been attempted is allowing the user to provide a PGP key and a ciphertext, decrypting the value in the provider code before using it, and storing only the ciphertext in state. Another variation on this approach was providing a PGP key with which data returned from an API would be encrypted before being set in state, with nothing being set in the configuration.

Both of these approaches are discouraged and will be removed from the HashiCorp-supported providers over time. This strategy was tailored to a time when Terraform's state had to be stored in cleartext on any machine running terraform apply, and was meant to provide a bit of security in that scenario. With the introduction and use of remote backends, and especially the availability of Terraform Cloud, there are now a variety of backends that encrypt state at rest and do not store the state in cleartext on machines running terraform apply. This means the original problem the PGP key pattern was intended to solve now has a better-supported solution, and the pattern is being deprecated in favor of it.

Even without comparing it to full state encryption, PGP key encryption has major drawbacks: values encrypted with a PGP key can't be reliably interpolated, Terraform isn't built to provide a good user experience around a missing PGP key, and the approach needs serious modification to avoid violating protocol requirements for Terraform 0.12 and later.

In light of these shortcomings, the encouraged solution at this time is to use a state backend that supports remote operations and encryption at rest. Users whose security needs cannot be met by that strategy are asked to comment on the issue tracking this topic, to help outline the gaps in the strategy so that appropriate solutions can be designed for them.
