Terraform Associate Exam - Question 102

It's B The sensitive flag only prevents secret from showing up in the CLI outputs, but the value itself is still present in the configuration files.

It's B. I think ChatGPT gets confused with this question, and people end up posting its response here. A. Environment Variables - keeps the value out of configuration and state B. Mark the variable as sensitive - the value is still in the configuration and state, but not in the console output C. A Terraform provider - keeps the value out of configuration, but not the state (like a provider's data resource) D. A -var flag - keeps the value out of configuration, but not the state

We can mark the variable as sensitive and then pass the actual credentials using the --var tag. That would keep the secret outside the configuration file.

Question is "cannot be used" , marking sensitive only prevent the information from being displayed, however the screts are to be store in the configurtaion

https://www.linode.com/docs/guides/secrets-management-with-terraform/ This article shows the answer

Answer is C. A. Environment variables: You can use environment variables to provide values for variables used in your Terraform configuration files. This way, sensitive data can be stored outside the configuration files and not committed to version control. B. Mark the variable as sensitive: You can mark a variable as sensitive in your Terraform configuration file by setting the sensitive argument to true. This will prevent the variable from being displayed in the output of the terraform plan and terraform apply commands. D. A -var flag: You can provide variable values at the command line using the -var flag when running the terraform plan and terraform apply commands. This way, you can pass sensitive data to Terraform without having to store it in configuration files.

C. A Terraform provider: Terraform providers are plugins that are responsible for managing the lifecycle of resources. They don't inherently offer a mechanism to keep secrets out of Terraform configuration files.

I think the correct answer is B. Even if you mark it as sensible, it will still be in the configuration file.

A Terraform provider is not a method that can be used to keep secrets out of your configuration files. A Terraform provider is a plugin that allows Terraform to interact with a specific service or infrastructure platform, such as AWS or Google Cloud. It is not a mechanism for storing or securing secrets.

I found all options which are mentioned in below link by terrraform to hide secrets from user: Except cloud provider option so I believe answer should So the answer should be C https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables

C. A Terraform provider. Terraform providers are used to interact with specific cloud providers or other APIs. They do not have the ability to access or store secrets. The other options, environment variables, marking the variable as sensitive, and the -var flag, can all be used to keep secrets out of Terraform configuration files. Environment variables are a common way to pass secrets to Terraform. They are stored outside of the Terraform configuration files, so they are not visible to anyone who can read the Terraform code. Marking the variable as sensitive tells Terraform to encrypt the variable value when it is stored in the state file. This helps to protect the secret value from being exposed. The -var flag can be used to pass secret values to Terraform from the command line. This is useful for one-off operations, but it is not a recommended way to manage secrets.

You cannot use a provider in this case.

If you mark as sensitive , the variable will not be displayed on run time i.e. if it's an output. However it will still be in the state file and the config. So B I think.

Making a var as sensitive in the file, doesn't remove it from the config, only restricts the output of that variable. I believe for these answer options D to be the choice.

How can a terraform provider keep secrets out of Terraform configuration files?

A -var flag

Answer is B. Mark the variable as sensitive. A. Environment Variables: This method keeps secrets out of configuration files by setting them externally. B. Mark the variable as sensitive: While this marks the variable as sensitive in Terraform's state and prevents it from being displayed in CLI outputs, the secret can still be present in the configuration files and state file. C. A Terraform provider: This doesn't inherently store or hide secrets in configuration files. D. A -var flag: This method can be used to pass variables at runtime, thus keeping them out of configuration files.

I will go for B, for anyone thinking its C, there is a video in this official terraform documentation where a lady is explaining best practices of using provider vault, where we can set secrets to expire and hence the actual secrets are kept from getting revealed in the terraform state file. https://registry.terraform.io/providers/hashicorp/vault/latest/docs

I believe the answer is B. Marking variables as sensitive is not sufficient to secure them. You must also keep them secure while passing them into Terraform configuration, and protect them in your state file. https://learn.hashicorp.com/tutorials/terraform/sensitive-variables

Between B and C, I would go on B, because even with sensitive flag is for output as mentioned below. About C, terraform vault provider dies have a way to protect the secrets from config files: https://developer.hashicorp.com/terraform/tutorials/secrets/secrets-vault

C. A Terraform provider Terraform providers are used to interact with external resources such as cloud infrastructure, databases, and other services. They cannot be used to keep secrets out of Terraform configuration files. A. Environment Variables can be used to store sensitive data and reference it in the Terraform configuration file without hardcoding it. B. Mark the variable as sensitive in Terraform, this will prevent the value of the variable from being displayed in the CLI output and in the state file D. A -var flag can be used to pass variables values to the terraform command line at runtime, rather than hardcoding them in the configuration file.

C. A Terraform provider cannot be used to keep secrets out of Terraform configuration files.

B - Marking variables as sensitive is not sufficient to secure them. You must also keep them secure while passing them into Terraform configuration, and protect them in your state file. When you run Terraform commands with a local state file, Terraform stores the state as plain text, including variable values, even if you have flagged them as sensitive. Terraform needs to store these values in your state so that it can tell if you have changed them since the last time you applied your configuration. https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables

A Terraform provider. Environment variables, marking the variable as sensitive, and using the -var flag are all valid ways to keep secrets out of Terraform configuration files. A Terraform provider is used to connect Terraform to a cloud provider or other external services, and is not used to keep secrets out of configuration files.

B, mark as sensitive. The question es how we could pass vars from outside of hcl. Passing env vars is correct (ie TF_VAR_password). Using -var, the same and using Terraform provider (like vault provider) are three ways to set vars values within use the "default" value when declare variable inside of the tfvars file.

Option D, a -var flag, cannot be used to keep secrets out of Terraform configuration files. While environment variables can be used to store sensitive information and mark variables as sensitive to prevent them from being displayed in the output, and a Terraform provider can be used to retrieve sensitive data from an external source such as a secret management service like HashiCorp Vault or AWS Secrets Manager, a -var flag is typically used to pass variable values directly to the Terraform command line. Since command line flags can be visible to other users on the system, using a -var flag to pass secrets is not a secure method of storing sensitive information. Instead, it's recommended to use one of the other methods such as environment variables or a Terraform provider to keep secrets out of Terraform configuration files.

D. A -var flag cannot be used to keep secrets out of Terraform configuration files. The -var flag is used to pass variables to Terraform at runtime. It is typically used to pass variables from a script or command line to a Terraform module or configuration. However, the -var flag should not be used to pass sensitive information, as the value can be visible in the command history and other system logs.

tested

I vote for B

Try to understand the question, it is important : What is one method that cannot be utilized to prevent secrets from appearing in Terraform configuration files? What approach does not work to exclude confidential data from being included in Terraform config files? Which technique is not valid for keeping sensitive information out of the configs managed by Terraform? What is an invalid solution for ensuring private credentials do not get embedded in a Terraform configuration? Which choice is not viable for stopping secret keys and access tokens from being added to Terraform's setup files? What method fails to protect classified details from being inserted into the configuration code used by Terraform?

GPT: D. A -var flag Using the -var flag when running terraform apply or terraform plan from the command line requires you to specify variable values directly in the command, which could expose sensitive information in the command line history, system process list, or in logs. While the -var flag is a way to set variables in Terraform, it's not a recommended way to handle sensitive information due to the exposure risks associated with command line arguments.

Secret flag prevents showing up the value in CLI o/p

B Terraform documentation When you mark a variable as sensitive in Terraform, it does not keep the secrets out of the configuration files . Instead, it makes the variable write-only and prevents all users from viewing its value in the Terraform Cloud UI or reading it through the Variables API endpoint . Users with permission to read and write variables can set new values for sensitive variables, but you must delete and recreate the variable to edit its other attributes.

Using Option B we can keep secrets out of Terraform configuration files, but question asked which option "can not be used" ? so I suppose C (also chatgpt reply C)

D--VAR OPTION IS OUTSIDE .TF FILE. A-CAN BE SET IF YOU ARE USING TERRAFORM CLOUD B-CAN BE SET UNDER VARIABLE.TF FILE C-CAN BE SET UNDER PROVIDER BLOCK WHICH IS ALSO ONE OF THE .TF FILE ONLY -VAR FLAG IS OUTSIDE TERRAFROM, HENCE THIS IS CORRECT.

C refers to Vault, which is valid

Answer is B, this is because marking variable as sensitive is only to mask the value in the logs during tf apply. Programmer can always open the terraform file and view the value.