exam questions

Exam Terraform Associate All Questions

View all questions & answers for the Terraform Associate exam

Exam Terraform Associate topic 1 question 171 discussion

Actual exam question from HashiCorp's Terraform Associate
Question #: 171
Topic #: 1
[All Terraform Associate Questions]

Which provider authentication method prevents credentials from being stored in the state file?

  • A. Using environment variables
  • B. Specifying the login credentials in the provider block
  • C. Setting credentials as Terraform variables
  • D. None of the above
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Jayanth
Highly Voted 1 year, 5 months ago
D is the right answer. I tested in my local machine to create Sql server with 2 environment vaiables $env:TF_VAR_sql_admin = "username" and $env:TF_VAR_sql_password = "sqldbpassword" Also created the SQL Server with Terraform which accesses env variable during execution. BUT FOUND MY SENSITIVE ENVIRONMENT VARIABLE VALUES ARE STILL LISTED IN THE "STATE FILE" so answer should be "D"
upvoted 6 times
gerardjongh
4 months, 3 weeks ago
That is because you are referring to a secret tied to a resource which will eventually always end up in the state file. The question is about secrets for provider authentication so to sign in to Azure for example. This will not end up in the state file when using environment variable hence: The correct anwser is A.
upvoted 2 times
...
...
azizbaghirov
Most Recent 1 month, 1 week ago
Selected Answer: D
terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 4.40" } } required_version = ">= 1.3.6" } provider "aws" { region = "us-east-2" access_key = "MY AWS ACCESS KEY" secret_key = "MY AWS SECRET KEY" } I provided the credentials directly in the provider block, then after apply the state file does not contain any information about these secrets.
upvoted 1 times
...
anand0310
3 months, 4 weeks ago
Selected Answer: D
D is correct, I just tried this in terraform and found that provider credentials are not stored in state file. The key here is provider credentials not other sensitive values.
upvoted 1 times
RealPro111
3 months, 2 weeks ago
So it should be A then? The question asks provider auth, and provider auth is by provider creds, which are then not stored in the state file when done via env vars..
upvoted 2 times
...
...
dzhang344
6 months, 1 week ago
Selected Answer: A
When you use environment variables to store credentials, Terraform does not include these credentials in the state file. Environment variables are read at runtime, which means they are not persisted in the configuration files or the state file.
upvoted 3 times
...
abobeida94
7 months, 3 weeks ago
Selected Answer: A
Answer is A 100%: Using environment variables We already use Terraform this way: Bash export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY" export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY" Terraform provider "aws" { access_key = "YOUR_ACCESS_KEY" secret_key = "YOUR_SECRET_KEY" }
upvoted 2 times
...
mattuyghur
10 months, 2 weeks ago
Selected Answer: A
Using environment variables
upvoted 1 times
...
Bere
11 months, 1 week ago
Selected Answer: D
1. Code example: ... resource "azurerm_sql_server" "example" { name = "example-sqlserver" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location version = "12.0" administrator_login = var.sql_admin_username administrator_login_password = var.sql_admin_password } variable "sql_admin_username" {} variable "sql_admin_password" {} ... 2. Set env variables: export TF_VAR_sql_admin_username="adminuser" export TF_VAR_sql_admin_password="SuperSecretPassword" 3. terraform init 4. terraform apply 5. After applying, if you inspect the state file (terraform.tfstate), you will find that it contains the administrator login and password.
upvoted 1 times
...
frees
1 year ago
Selected Answer: D
Terraform Enterprise and Terraform Cloud credentials are not stored in Terraform state or the CI/CD platform. Therefore, the correct answer to your question is D. None of the above.
upvoted 1 times
AndreiWebNet
11 months, 1 week ago
It doesn't say anything about Terraform Enterprise or Terraform Cloud. Its something you assumed. . .
upvoted 3 times
...
...
Ramdi1
1 year, 1 month ago
Selected Answer: A
nswer: using environment variables The only method list above that will not result in the username/password being written to the state file is environment variables. All of the other options will result in the provider's credentials in the state file. Terraform runs will receive the full text of sensitive variables, and might print the value in logs and state files if the configuration pipes the value through to an output or a resource parameter. Additionally, Sentinel mocks downloaded from runs will contain the sensitive values of Terraform (but not environment) variables. Take care when writing your configurations to avoid unnecessary credential disclosure. Whenever possible, use environment variables since these cannot end up in state files or in Sentinel mocks. (Environment variables can end up in log files if TF_LOG is set to TRACE.)
upvoted 1 times
...
akm_1010
1 year, 4 months ago
Selected Answer: D
All secrets will end up in statefile.
upvoted 1 times
Alandt
11 months, 1 week ago
Your answer is right, but your explanation is not.
upvoted 1 times
...
Alandt
11 months, 1 week ago
Wrong. In terraform, are environment variables stored in state file? ChatGPT No, environment variables are not stored in the Terraform state file. The state file contains information about resources, not configuration values. Use environment variables or other secure methods to pass sensitive information during Terraform execution.
upvoted 2 times
...
...
Rajmane
1 year, 4 months ago
Selected Answer: D
It's D only currently there is no way to prevent it
upvoted 2 times
...
Ha_Baruh_Architect13
1 year, 5 months ago
nothign prevents this, only thing is we can encrytp answer is D
upvoted 3 times
...
VSMu
1 year, 5 months ago
Selected Answer: D
Refer: https://developer.hashicorp.com/terraform/language/values/variables Setting a variable as sensitive prevents Terraform from showing its value in the plan or apply output, when you use that variable elsewhere in your configuration. Terraform will still record sensitive values in the state, and so anyone who can access the state data will have access to the sensitive values in cleartext. For more information, see Sensitive Data in State.
upvoted 2 times
...
[Removed]
1 year, 6 months ago
Selected Answer: A
The answer is A. Using environment variables. Here is an example of how to use environment variables to provide authentication credentials for an AWS provider: provider "aws" { region = var.aws_region access_key_id = var.aws_access_key_id secret_access_key = var.aws_secret_access_key }
upvoted 1 times
...
Jhaggar
1 year, 7 months ago
Selected Answer: D
No, environment variables are not safe to store credentials in the state file of Terraform. Environment variables can be accessed by any process running on the same machine, including potentially malicious processes. It's important to use a secure method of storing credentials, such as using a secrets manager or key vault. Additionally, it's important to ensure that the state file itself is properly secured, either by encrypting it or by storing it in a secure location.
upvoted 2 times
...
OMERKENT
1 year, 7 months ago
I think correct answer is A. I have checked in my remote state file sitting in Azure storage account. (I used Azure DevOps environment variables) secret files are not visible in the state file.
upvoted 2 times
...
zanhsieh
1 year, 7 months ago
Selected Answer: A
Opt A. If you look into official terraform provider documentation, including terraform enterprise, all providers point to "Dynamic Provider Credentials". This workflow generally exposes a temporary OIDC compliment token as environment variable and authenticated by cloud providers. So I would say the straight forward answer would be environment variables.
upvoted 3 times
zanhsieh
1 year, 7 months ago
https://developer.hashicorp.com/terraform/enterprise/workspaces/dynamic-provider-credentials
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago