It's D
We can use providers to supply variable values (vault for example).
We can provide input variable value in parameter for apply command.
We can use environment variables.
HashiCorp is not mentioning anything about secure strings.
Reference:
https://www.terraform.io/language/values/variables
Terraform does not have a built-in concept of a "secure string". This means that you cannot use the secure_string keyword to define a secret in your Terraform configuration file.
Link below recommends the three options.
A. e.g. Vault
B. e.g. export TF_VAR_db_username=admin TF_VAR_db_password=adifferentpassword
C. -var-file="secret.tfvars"
https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables
A. A Terraform provider
A Terraform provider is not typically used to keep secrets out of Terraform configuration files. Instead, environment variables, the -var flag, and secure strings are common methods used to manage secrets securely in Terraform.
Answer is: A. Terraform provider
It says: to Hide secrets and not include secrets.
Here's why the other options are suitable for hiding secrets:
B. Environment variables: Environment variables store sensitive information outside of Terraform code, and Terraform can access them during execution.
C. A -var flag: The -var flag allows passing secrets as command-line arguments when running terraform apply or other commands. These arguments aren't stored in the configuration files.
D. Secure string: Some Terraform providers (like AWS) offer functionality to store secrets securely within the provider itself (e.g., AWS Secrets Manager). This keeps them out of the configuration files.
D is correct. In Terraform, the term "secure string" isn't a specific built-in type or feature by that name. However, the concept of treating certain strings as "secure" or sensitive is indeed present in Terraform, particularly through the use of the sensitive attribute for variables and outputs. When we refer to a "secure string" in the context of Terraform, it's generally about handling sensitive values such as passwords, secret keys, or any confidential data that should not be exposed in logs or CLI output.
Here's how you can declare a variable as sensitive:
variable "api_secret_key" {
  type      = string
  sensitive = true
}
I will go for A.
All other options are to keep secrets out of Terraform configuration files, you typically use environment variables, a -var flag, or secure string variables.
Bad answers for this question.
Definitely you cannot use a terraform provider to keep secrets out of your terraform configuration.
Even if you use Vault, you must provide the Vault itself secrets and/or you save to a file, in an environment variable, or within the provider itself. So "A" is wrong.
The issue is that "D" is also wrong.
A and D should be the answers for this question in my opinion.
Answer is D.
A. Terraform Provider: You can use sensitive variables in Terraform Cloud (below link) or other secrets management solutions (e.g. AWS Secrets Manager).
Sensitive variables / sensitive values is described here:
https://developer.hashicorp.com/terraform/cloud-docs/workspaces/variables/managing-variables#sensitive-values
B. Environment Variables: You can use environment variables. Terraform will read environment variables that start with TF_VAR_, followed by the name of a declared variable in your configuration.
C. -var flag: You can use the -var command line flag. This is useful for setting sensitive data that should not be stored in your configuration.
e.g. terraform apply -var 'db_password=My$ecretP@ssw0rd'
D. "secure string" is not a valid option for keeping secrets out of Terraform configuration files. The term "secure string" is not a recognized or standard feature in Terraform.
Answer is A
A Terraform provider is a software library that allows Terraform to interact with a particular cloud provider or other infrastructure service. Terraform providers do not have the ability to store secrets, so they cannot be used to keep secrets out of Terraform configuration files.
A is incorrect,
A provider can also declare an attribute as sensitive, which will cause Terraform to hide it from regular output regardless of how you assign it a value.
Ref. https://developer.hashicorp.com/terraform/language/values/variables
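An added example, not part of the thread or of HashiCorp's documentation: a small audit of Terraform variable blocks that separates the two ideas the discussion keeps mixing, marking a variable sensitive (which only hides it from output) and keeping its value out of the configuration file. The sample configuration is constructed from the variable names quoted above, and the function name and the secret-name pattern are assumptions.

```python
import re

# Constructed sample configuration (not from the thread); names reuse the
# variables quoted in the discussion.
SAMPLE_TF = '''
variable "api_secret_key" {
  type      = string
  sensitive = true
}

variable "db_password" {
  type    = string
  default = "adifferentpassword"
}

variable "db_username" {
  type      = string
  sensitive = true
  default   = "admin"
}

variable "region" {
  type    = string
  default = "us-east-1"
}
'''

# Assumption: a simple name heuristic for variables that probably hold secrets.
SECRET_NAME = re.compile(r"(password|secret|token|key)", re.I)
# Matches top-level variable blocks whose closing brace starts a line.
VARIABLE_BLOCK = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)

def audit_variables(tf_source):
    """Return (variable, problem) pairs for secrets kept in the configuration."""
    findings = []
    for name, body in VARIABLE_BLOCK.findall(tf_source):
        sensitive = re.search(r"^\s*sensitive\s*=\s*true\b", body, re.M) is not None
        literal_default = re.search(r'^\s*default\s*=\s*"[^"]+"', body, re.M) is not None
        looks_secret = SECRET_NAME.search(name) is not None
        if (sensitive or looks_secret) and literal_default:
            # sensitive = true redacts output only; the default is still in the file.
            findings.append((name, "literal default stores the value in the configuration file"))
        if looks_secret and not sensitive:
            findings.append((name, "secret-like name without sensitive = true"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_variables(SAMPLE_TF):
        print(f"{name}: {problem}")
```

A variable that passes this check still needs its value supplied at run time, for example through a TF_VAR_ environment variable or a -var-file that is kept out of version control.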