It's B. I think ChatGPT gets confused with this question, and people end up posting its response here.
A. Environment Variables
- keeps the value out of configuration and state
B. Mark the variable as sensitive
- the value is still in the configuration and state, but not in the console output
C. A Terraform provider
- keeps the value out of configuration, but not the state (like a provider's data resource)
D. A -var flag
- keeps the value out of configuration, but not the state
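Added example (not part of any comment in this thread): a small Python check of the point made under option B above, that `sensitive = true` leaves the value in both the configuration and the state. The `.tf` text, the state JSON, the secret value and the `example_database` resource type are constructed for illustration, and the variable-block regex assumes `terraform fmt` layout (closing brace at column 0).

```python
import json
import re

# Constructed sample config: one sensitive variable with a hardcoded default,
# one sensitive variable whose value must be supplied from outside the .tf file.
SAMPLE_TF = '''
variable "db_password" {
  type      = string
  sensitive = true
  default   = "s3cr3t-constructed"
}

variable "api_token" {
  type      = string
  sensitive = true
}
'''

# Constructed, trimmed state in the version-4 JSON layout.
# "example_database" is a hypothetical resource type.
SAMPLE_STATE = {
    "version": 4,
    "outputs": {"db_password": {"value": "s3cr3t-constructed",
                                "type": "string", "sensitive": True}},
    "resources": [{"mode": "managed", "type": "example_database", "name": "main",
                   "instances": [{"attributes": {"name": "app",
                                                 "password": "s3cr3t-constructed"}}]}],
}

VAR_BLOCK = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)

def sensitive_defaults(tf_text):
    """Variables marked sensitive whose value is still written in the .tf file."""
    return [name for name, body in VAR_BLOCK.findall(tf_text)
            if re.search(r'^\s*sensitive\s*=\s*true\b', body, re.M)
            and re.search(r'^\s*default\s*=', body, re.M)]

def find_in_state(node, secret, path="$"):
    """JSON paths in the state where the secret appears verbatim."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in find_in_state(v, secret, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in find_in_state(v, secret, f"{path}[{i}]")]
    return [path] if node == secret else []

if __name__ == "__main__":
    print("secret in config:", sensitive_defaults(SAMPLE_TF))
    print("secret in state: ", find_in_state(SAMPLE_STATE, "s3cr3t-constructed"))
```

Against a real project, load the state with `json.load` and search for a canary value you planted yourself rather than a live credential.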
The answer is B, because marking a variable as sensitive only masks the value in the logs during tf apply. A programmer can always open the Terraform file and view the value.
D--VAR OPTION IS OUTSIDE .TF FILE.
A-CAN BE SET IF YOU ARE USING TERRAFORM CLOUD
B-CAN BE SET UNDER VARIABLE.TF FILE
C-CAN BE SET UNDER PROVIDER BLOCK WHICH IS ALSO ONE OF THE .TF FILE
ONLY -VAR FLAG IS OUTSIDE TERRAFORM, HENCE THIS IS CORRECT.
Using option B we can keep secrets out of Terraform configuration files, but the question asked which option "cannot be used", so I suppose C (ChatGPT also replied C).
I will go for B. For anyone thinking it's C, there is a video in the official Terraform documentation where a lady explains best practices for using the Vault provider, where we can set secrets to expire, and hence the actual secrets are kept from being revealed in the Terraform state file.
https://registry.terraform.io/providers/hashicorp/vault/latest/docs
Answer is B. Mark the variable as sensitive.
A. Environment Variables: This method keeps secrets out of configuration files by setting them externally.
B. Mark the variable as sensitive: While this marks the variable as sensitive in Terraform's state and prevents it from being displayed in CLI outputs, the secret can still be present in the configuration files and state file.
C. A Terraform provider: This doesn't inherently store or hide secrets in configuration files.
D. A -var flag: This method can be used to pass variables at runtime, thus keeping them out of configuration files.
B
Terraform documentation
When you mark a variable as sensitive in Terraform, it does not keep the secrets out of the configuration files. Instead, it makes the variable write-only and prevents all users from viewing its value in the Terraform Cloud UI or reading it through the Variables API endpoint. Users with permission to read and write variables can set new values for sensitive variables, but you must delete and recreate the variable to edit its other attributes.
C. A Terraform provider: Terraform providers are plugins that are responsible for managing the lifecycle of resources. They don't inherently offer a mechanism to keep secrets out of Terraform configuration files.
C. A Terraform provider.
Terraform providers are used to interact with specific cloud providers or other APIs. They do not have the ability to access or store secrets.
The other options, environment variables, marking the variable as sensitive, and the -var flag, can all be used to keep secrets out of Terraform configuration files.
Environment variables are a common way to pass secrets to Terraform. They are stored outside of the Terraform configuration files, so they are not visible to anyone who can read the Terraform code.
Marking the variable as sensitive tells Terraform to encrypt the variable value when it is stored in the state file. This helps to protect the secret value from being exposed.
The -var flag can be used to pass secret values to Terraform from the command line. This is useful for one-off operations, but it is not a recommended way to manage secrets.
GPT:
D. A -var flag
Using the -var flag when running terraform apply or terraform plan from the command line requires you to specify variable values directly in the command, which could expose sensitive information in the command line history, system process list, or in logs.
While the -var flag is a way to set variables in Terraform, it's not a recommended way to handle sensitive information due to the exposure risks associated with command line arguments.
But based on the question, "secrets out of Terraform configuration files": yes, it is in the CLI history, system process list or logs, but not in the Terraform configuration.
Try to understand the question; it is important:
What is one method that cannot be utilized to prevent secrets from appearing in Terraform configuration files?
What approach does not work to exclude confidential data from being included in Terraform config files?
Which technique is not valid for keeping sensitive information out of the configs managed by Terraform?
What is an invalid solution for ensuring private credentials do not get embedded in a Terraform configuration?
Which choice is not viable for stopping secret keys and access tokens from being added to Terraform's setup files?
What method fails to protect classified details from being inserted into the configuration code used by Terraform?