How do you handle sensitive data in Terraform?

Question

Describe strategies to manage sensitive data like passwords or API keys in Terraform. Mention the use of environment variables, terraform.tfvars files, Vault integration, and the sensitive argument in variables or outputs. Explain how accidental exposure can be prevented during plan and apply phases.

Sarthak Varshney · Answer

Hello @CK_Nitin sir In Terraform, handling sensitive data like passwords, API keys, or secrets needs extra care. Here are a few ways I usually manage it: Environment Variables : I store sensitive values as environment variables and then use var. in my Terraform code. For example, I pass them using TF_VAR_ so they don’t get written into the code. terraform.tfvars or .tfvars.json : I sometimes use .tfvars files to keep variable values, but I make sure to never commit these files to Git. I add them to .gitignore . Marking variables as sensitive : When defining variables, I set sensitive = true in the variable block. This helps Terraform hide the value during plan and apply . Same for outputs—mark them as sensitive so they don’t get printed in the terminal. Using Vault : For more secure setups, I’ve integrated Terraform with HashiCorp Vault to pull secrets at runtime. It keeps everything safe and centralized. Preventing accidental exposure : Even with all this, I always double-check the plan output to make sure no sensitive values are getting printed. I also avoid putting secrets directly in the code or state files.

How do you handle sensitive data in Terraform?

Answers (1)