Why should secrets not be hard coded into Terraform code? (Choose two.)
A.
It makes the code less reusable.
B.
Terraform code is typically stored in version control, as well as copied to the systems from which it's run. Any of those may not have robust security mechanisms.
C.
The Terraform code is copied to the target resources to be applied locally and could expose secrets if a target resource is compromised.
D.
All passwords should be rotated on a quarterly basis.
Explanation:
A. It makes the code less reusable: Hard coding secrets means the Terraform code is tied to a specific environment or set of credentials. This makes it hard to reuse the code in different contexts or environments without modifying the secrets.
B. Terraform code is typically stored in version control, as well as copied to the systems from which it's run. Any of those may not have robust security mechanisms: Storing secrets directly in the Terraform code exposes those secrets to anyone who has access to the code. Furthermore, secrets may be logged in version control history, making them discoverable long after they've been removed or changed.
AB, Hardcoding secrets (like passwords) in Terraform is bad because:
Sharing Risk: If the code is shared or stored, anyone can see the secrets and misuse them.
Hard to Reuse: If you want to use the code somewhere else, you’d have to change the secrets every time.
Keeping secrets separate is safer and makes the code easier to use again.
I vote A and B, because C doesn't make sense. Why would the terraform code be copied to the target resources? For example, I provision an Azure Storage account using terraform. There's no point at which the terraform code ends up on that storage account.
B and C. My Terraform source code is in github repo, and when I use pipelines to run terraform, the source code gets downloaded in the CI/CD or build server or terraform server and access holder to this server could see them. The question terms this server as the target resource. Yes, hardcoding does make it less reusable, but there is a way around- using environment specific tfvars.
AB, I don't think a terraform code is copied to any place(local, backend, any modules etc.,) But, The values of the variables are rendered into the state file. where the key/secrets are exposed
B. Terraform code is typically stored in version control, as well as copied to the systems from which it's run. Any of those may not have robust security mechanisms. Storing secrets in plain text within code, especially if it's publicly accessible or shared, increases the risk of the secrets being compromised. If the code is stored in a version control system, it's important to ensure that the secrets are not accidentally exposed in the version history.
C. The Terraform code is copied to the target resources to be applied locally and could expose secrets if a target resource is compromised. If the Terraform code contains secrets, then those secrets will be copied to the target resources during the deployment process. If any of the target resources are compromised, the secrets may be exposed. It's important to keep secrets separate from the code and ensure that they are securely transmitted to the target resources when needed.
B. Terraform code is typically stored in version control, as well as copied to the systems from which it's run. Any of those may not have robust security mechanisms.
C. The Terraform code is copied to the target resources to be applied locally and could expose secrets if a target resource is compromised.
Storing secrets, such as passwords or API keys, directly in Terraform code is a bad practice for several reasons. Firstly, Terraform code is typically stored in version control, and it may be copied to multiple systems from which it's run, such as a developer's machine, a CI/CD pipeline, or a Terraform cloud workspace. Any of those systems may not have robust security mechanisms, and exposing secrets in code leaves them vulnerable to potential attacks. Secondly, the Terraform code is copied to the target resources to be applied locally, so any secrets in the code could be exposed if a target resource is compromised. Therefore, it is recommended to use a secrets management system, such as HashiCorp Vault or AWS Secrets Manager, to store and manage secrets outside of Terraform code.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
yaza
Highly Voted 2 years, 2 months agoyaza
2 years, 1 month agobrax404
Highly Voted 1 year, 1 month agomussha
Most Recent 3 weeks, 5 days ago090200f
4 months ago3cc17f1
1 year, 1 month agoAiwa23
1 year, 1 month agovvkgp
1 year, 3 months agojoyboy23
1 year, 4 months agoMarch2023
1 year, 5 months agoRajmane
1 year, 3 months agokiran15789
1 year, 6 months agoFarziWaliMarzi
1 year, 7 months agoStanislav4907
1 year, 7 months agojoyboy23
1 year, 4 months agoChinensis
1 year, 7 months agoNunyabiznes
1 year, 7 months agocamps
1 year, 7 months ago090200f
4 months agokhaled_razouk
1 year, 8 months agoDaro_
1 year, 10 months ago