Which option cannot be used to keep secrets out of Terraform configuration files?
Marking a variable as sensitive in Terraform does not prevent the value from being present in the configuration files or the state file. Instead, it merely hides the value from appearing in the CLI outputs, which means the secret itself is still stored in the configuration files. Environment variables, a Terraform provider, and the -var flag can all be used to keep secrets out of the configuration files.
It's B. The sensitive flag only prevents the secret from showing up in the CLI outputs, but the value itself is still present in the configuration files.
This is true, you can still use the answer D. A terraform provider (e.g. Vault) to keep the secrets out of the terraform configuration.
The question is "Which option CANNOT be used"
I accidentally click the like button :D I agree with rotimislaw, the answer is B
It's B. I think ChatGPT gets confused with this question, and people end up posting its response here.
A. Environment variables - keeps the value out of configuration and state
B. Mark the variable as sensitive - the value is still in the configuration and state, but not in the console output
C. A Terraform provider - keeps the value out of configuration, but not the state (like a provider's data resource)
D. A -var flag - keeps the value out of configuration, but not the state
Correction: D. A -var flag - keeps the value out of configuration and state
C. A Terraform provider: Terraform providers are plugins that are responsible for managing the lifecycle of resources. They don't inherently offer a mechanism to keep secrets out of Terraform configuration files.
Answer is C.
A. Environment variables: You can use environment variables to provide values for variables used in your Terraform configuration files. This way, sensitive data can be stored outside the configuration files and not committed to version control.
B. Mark the variable as sensitive: You can mark a variable as sensitive in your Terraform configuration file by setting the sensitive argument to true. This will prevent the variable from being displayed in the output of the terraform plan and terraform apply commands.
D. A -var flag: You can provide variable values at the command line using the -var flag when running the terraform plan and terraform apply commands. This way, you can pass sensitive data to Terraform without having to store it in configuration files.
I will go for B. For anyone thinking it's C, there is a video in the official Terraform documentation where a lady explains best practices for using the Vault provider, where we can set secrets to expire and hence the actual secrets are kept from being revealed in the Terraform state file. https://registry.terraform.io/providers/hashicorp/vault/latest/docs
Answer is B. Mark the variable as sensitive.
A. Environment variables: This method keeps secrets out of configuration files by setting them externally.
B. Mark the variable as sensitive: While this marks the variable as sensitive in Terraform's state and prevents it from being displayed in CLI outputs, the secret can still be present in the configuration files and state file.
C. A Terraform provider: This doesn't inherently store or hide secrets in configuration files.
D. A -var flag: This method can be used to pass variables at runtime, thus keeping them out of configuration files.
C. A Terraform provider. Terraform providers are used to interact with specific cloud providers or other APIs. They do not have the ability to access or store secrets. The other options, environment variables, marking the variable as sensitive, and the -var flag, can all be used to keep secrets out of Terraform configuration files. Environment variables are a common way to pass secrets to Terraform. They are stored outside of the Terraform configuration files, so they are not visible to anyone who can read the Terraform code. Marking the variable as sensitive tells Terraform to encrypt the variable value when it is stored in the state file. This helps to protect the secret value from being exposed. The -var flag can be used to pass secret values to Terraform from the command line. This is useful for one-off operations, but it is not a recommended way to manage secrets.
I think Terraform will not encrypt your secrets in your state file, unless you are using Terraform cloud or enterprise
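The point several replies above make, that sensitive = true redacts CLI output but leaves the value in plaintext in both the .tf file and the state file, is easy to verify on disk. The following is an added check written for this page, not code from the thread or from HashiCorp: it walks a constructed Terraform state document (version 4 layout with an output flagged "sensitive": true and a resource attribute listed under sensitive_attributes) and reports every path where a known secret still appears in plaintext, and it scans a constructed variables.tf for variables that are marked sensitive but also carry a literal default. The state content, the variable names and the secret value "hunter2" are all made up for the example.

```python
import json
import re

# Constructed sample state (not taken from any real deployment). A variable
# marked sensitive = true was passed to a resource and exposed as an output.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "outputs": {
        "db_password": {"value": "hunter2", "type": "string", "sensitive": True},
    },
    "resources": [{
        "mode": "managed",
        "type": "aws_db_instance",
        "name": "main",
        "instances": [{
            "schema_version": 2,
            # The password is still stored verbatim; sensitive_attributes only
            # tells the CLI which paths to redact when printing.
            "attributes": {"identifier": "prod-db", "password": "hunter2"},
            "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
        }],
    }],
})

# Constructed variables.tf: one sensitive variable with a hard-coded default,
# one non-sensitive variable, one sensitive variable with no default.
SAMPLE_VARIABLES_TF = '''
variable "db_password" {
  type      = string
  sensitive = true
  default   = "hunter2"   # literal secret in configuration
}

variable "region" {
  type    = string
  default = "us-east-1"
}

variable "api_token" {
  type      = string
  sensitive = true
}
'''


def find_plaintext_in_state(state_json, needle):
    """Return dotted paths of every string in the state document that contains needle.

    A non-empty result means the secret is readable by anyone who can read the
    state file, regardless of any sensitive flags recorded alongside it.
    """
    state = json.loads(state_json)
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str) and needle in node:
            hits.append(path.lstrip("."))

    walk(state, "")
    return hits


def sensitive_vars_with_literal_default(hcl_text):
    """Return names of variable blocks that set sensitive = true and also a default.

    The sensitive flag changes nothing about where the value lives; a literal
    default keeps the secret inside the configuration file itself.
    """
    block = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
    flagged = []
    for name, body in block.findall(hcl_text):
        is_sensitive = re.search(r"^\s*sensitive\s*=\s*true\b", body, re.M)
        has_default = re.search(r"^\s*default\s*=", body, re.M)
        if is_sensitive and has_default:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for path in find_plaintext_in_state(SAMPLE_STATE, "hunter2"):
        print(f"secret present in state at: {path}")
    for name in sensitive_vars_with_literal_default(SAMPLE_VARIABLES_TF):
        print(f"sensitive variable with hard-coded default in config: {name}")
```

Run against a real terraform.tfstate and variables.tf by replacing the two constructed strings with the file contents. Environment variables (TF_VAR_db_password), the -var flag, and a provider data source such as Vault all keep the literal out of the .tf file, which is what the question asks; whether the value then ends up in state depends on what the configuration does with it, so the state scan is worth running in every case.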
A -var flag
C refers to Vault, which is valid
D. The -var option is outside the .tf file.
A - can be set if you are using Terraform Cloud.
B - can be set under the variables.tf file.
C - can be set under the provider block, which is also one of the .tf files.
Only the -var flag is outside Terraform, hence this is correct.
Using option B we can keep secrets out of Terraform configuration files, but the question asks which option "cannot be used", so I suppose C (ChatGPT also replies C).
B Terraform documentation When you mark a variable as sensitive in Terraform, it does not keep the secrets out of the configuration files . Instead, it makes the variable write-only and prevents all users from viewing its value in the Terraform Cloud UI or reading it through the Variables API endpoint . Users with permission to read and write variables can set new values for sensitive variables, but you must delete and recreate the variable to edit its other attributes.
The secret flag prevents the value from showing up in the CLI output.
GPT: D. A -var flag Using the -var flag when running terraform apply or terraform plan from the command line requires you to specify variable values directly in the command, which could expose sensitive information in the command line history, system process list, or in logs. While the -var flag is a way to set variables in Terraform, it's not a recommended way to handle sensitive information due to the exposure risks associated with command line arguments.
But based on the question, "secrets out of Terraform configuration files": yes, it is in the CLI history, system process list or logs, but not in the Terraform configuration.
Try to understand the question, it is important:
What is one method that cannot be utilized to prevent secrets from appearing in Terraform configuration files?
What approach does not work to exclude confidential data from being included in Terraform config files?
Which technique is not valid for keeping sensitive information out of the configs managed by Terraform?
What is an invalid solution for ensuring private credentials do not get embedded in a Terraform configuration?
Which choice is not viable for stopping secret keys and access tokens from being added to Terraform's setup files?
What method fails to protect classified details from being inserted into the configuration code used by Terraform?
I vote for B
tested