Terraform Associate Exam - Question 171

D is the right answer. I tested in my local machine to create Sql server with 2 environment vaiables $env:TF_VAR_sql_admin = "username" and $env:TF_VAR_sql_password = "sqldbpassword" Also created the SQL Server with Terraform which accesses env variable during execution. BUT FOUND MY SENSITIVE ENVIRONMENT VARIABLE VALUES ARE STILL LISTED IN THE "STATE FILE" so answer should be "D"

A. Using environment variables. Using environment variables for provider authentication is a best practice that prevents credentials from being stored in the Terraform state file. When using environment variables, Terraform retrieves the credentials at runtime from the environment, rather than storing them in the state file. This provides an extra layer of security by ensuring that the credentials are not exposed in the state file or in version control. Additionally, using environment variables makes it easier to manage and rotate credentials, as they are not tied to a specific configuration file. The other options, specifying the login credentials in the provider block or setting credentials as Terraform variables, would result in the credentials being stored in the state file, making them potentially vulnerable to unauthorized access.

This is the best option available. However, Vault, which is not listed here, should be used.

provider authentication are not saved in state file

Opt A. If you look into official terraform provider documentation, including terraform enterprise, all providers point to "Dynamic Provider Credentials". This workflow generally exposes a temporary OIDC compliment token as environment variable and authenticated by cloud providers. So I would say the straight forward answer would be environment variables.

nothign prevents this, only thing is we can encrytp answer is D

It's D only currently there is no way to prevent it

When you use environment variables to store credentials, Terraform does not include these credentials in the state file. Environment variables are read at runtime, which means they are not persisted in the configuration files or the state file.

You can use environment variables to store provider credentials and other sensitive information, rather than storing them directly in the Terraform configuration or state file. To use this method, you can set the necessary environment variables on your machine or in your CI/CD pipeline, and then reference them in the Terraform configuration using interpolation syntax (e.g. "${var.ENV_VAR_NAME}"). This allows you to keep the credentials out of version control and reduces the risk of them being exposed.

None of the above options prevents credentials from being stored in the state file. Storing credentials in Terraform code or environment variables is not recommended, as it can expose sensitive information and make it more difficult to manage and rotate credentials. Instead, you should use an external authentication method, such as the "external" authentication method in Terraform, which allows you to execute an external program to obtain authentication credentials at runtime, rather than storing the credentials in the state file. This method keeps your credentials secure and allows you to use authentication mechanisms that do not expose credentials in plain text or that require interactive authentication.

I think correct answer is A. I have checked in my remote state file sitting in Azure storage account. (I used Azure DevOps environment variables) secret files are not visible in the state file.

No, environment variables are not safe to store credentials in the state file of Terraform. Environment variables can be accessed by any process running on the same machine, including potentially malicious processes. It's important to use a secure method of storing credentials, such as using a secrets manager or key vault. Additionally, it's important to ensure that the state file itself is properly secured, either by encrypting it or by storing it in a secure location.

Refer: https://developer.hashicorp.com/terraform/language/values/variables Setting a variable as sensitive prevents Terraform from showing its value in the plan or apply output, when you use that variable elsewhere in your configuration. Terraform will still record sensitive values in the state, and so anyone who can access the state data will have access to the sensitive values in cleartext. For more information, see Sensitive Data in State.

1. Code example: ... resource "azurerm_sql_server" "example" { name = "example-sqlserver" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location version = "12.0" administrator_login = var.sql_admin_username administrator_login_password = var.sql_admin_password } variable "sql_admin_username" {} variable "sql_admin_password" {} ... 2. Set env variables: export TF_VAR_sql_admin_username="adminuser" export TF_VAR_sql_admin_password="SuperSecretPassword" 3. terraform init 4. terraform apply 5. After applying, if you inspect the state file (terraform.tfstate), you will find that it contains the administrator login and password.

Answer is A 100%: Using environment variables We already use Terraform this way: Bash export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY" export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY" Terraform provider "aws" { access_key = "YOUR_ACCESS_KEY" secret_key = "YOUR_SECRET_KEY" }

its D - using ENV variables does not help. They will still be visible in the state file.

D is the answer because no matter which technique you use to encrypt the secrets on your end, there is still one place where they will end up in plain text: Terraform state

D - Correct - credentials used during resource creation will always end up in tfstate

https://medium.com/codex/how-to-use-environment-variables-on-terraform-f2ab6f95f82d A is the correct answer, using environment variables like arm_access_key., it is possible to keep secrets out of state file

A. Using environment variables is the provider authentication method that prevents credentials from being stored in the state file. In Terraform, the state file is a local file that stores information about the infrastructure that has been deployed, including the resources that have been created and their properties. When you use environment variables to provide authentication credentials for a provider, the credentials are not stored in the state file. Instead, they are passed to Terraform at runtime, which allows you to use the same configuration files in different environments without having to store sensitive information in version control.

All secrets will end up in statefile

Should be D

Definitely "D", I wonder how A is the even an "authentication method"? Read the question carefully, or am I trying to read in between the lines?

The answer is A. Using environment variables. Here is an example of how to use environment variables to provide authentication credentials for an AWS provider: provider "aws" { region = var.aws_region access_key_id = var.aws_access_key_id secret_access_key = var.aws_secret_access_key }

All secrets will end up in statefile.

nswer: using environment variables The only method list above that will not result in the username/password being written to the state file is environment variables. All of the other options will result in the provider's credentials in the state file. Terraform runs will receive the full text of sensitive variables, and might print the value in logs and state files if the configuration pipes the value through to an output or a resource parameter. Additionally, Sentinel mocks downloaded from runs will contain the sensitive values of Terraform (but not environment) variables. Take care when writing your configurations to avoid unnecessary credential disclosure. Whenever possible, use environment variables since these cannot end up in state files or in Sentinel mocks. (Environment variables can end up in log files if TF_LOG is set to TRACE.)

Terraform Enterprise and Terraform Cloud credentials are not stored in Terraform state or the CI/CD platform. Therefore, the correct answer to your question is D. None of the above.

Using environment variables

D is correct, I just tried this in terraform and found that provider credentials are not stored in state file. The key here is provider credentials not other sensitive values.

terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 4.40" } } required_version = ">= 1.3.6" } provider "aws" { region = "us-east-2" access_key = "MY AWS ACCESS KEY" secret_key = "MY AWS SECRET KEY" } I provided the credentials directly in the provider block, then after apply the state file does not contain any information about these secrets.

I'll go with D. *provider* credentials do not typically end up in state file because they are not part of the config, regardless if they are provided them via envvars or not. The question asks how to prevent "credentials" from being in the state file, which means ALL credentials, not specifically provider credentials. Very ambiguous question tho

A-Above Terraform version 1.10-"Before Terraform 1.10, a data source was used to fetch the secret, in which case the secret value would be stored in both the plan and state file.-"https://www.hashicorp.com/en/blog/terraform-1-10-improves-handling-secrets-in-state-with-ephemeral-values