Which of the following is the safest way to inject sensitive values into a Terraform Cloud workspace?
Which of the following is the safest way to inject sensitive values into a Terraform Cloud workspace?
The safest way to inject sensitive values into a Terraform Cloud workspace is to set a value for the variable in the UI and check the 'Sensitive' check box. This ensures that the sensitive values are securely stored and encrypted within the Terraform Cloud infrastructure, preventing the sensitive data from being exposed in logs, state files, or version control systems. Other methods such as writing sensitive values to a file, editing the state file directly, or including them in command line arguments can potentially expose the sensitive information to unauthorized users or result in data corruption.
B. Set a value for the variable in the UI and check the "Sensitive" check box. When working with Terraform Cloud workspaces, the safest way to inject sensitive values into a Terraform Cloud workspace is to set a value for the variable in the UI and check the "Sensitive" check box. This will ensure that the value is stored securely and not visible in plain text in the Terraform Cloud UI or API. Option A, writing the value to a file and specifying the file with the -var-file flag, may be less secure because the file could potentially be accessed by unauthorized users. Option C, editing the state file directly just before running terraform apply, is not a best practice and could result in data loss or corruption. Option D, setting the variable value on the command line with the -var flag, could result in the sensitive value being stored in plain text in the command history or other logs, which could be accessed by unauthorized users.
https://developer.hashicorp.com/terraform/cloud-docs/workspaces/variables/managing-variables#sensitive-values
https://www.terraform.io/cloud-docs/workspaces/variables
Answer is B. -var and -var-file overwrite workspace-specific and variable set variables that have the same key. From the workspace, variable can be added and checked off as being sensitive. Reference: https://www.terraform.io/cloud-docs/workspaces/variables/managing-variables#loading-variables-from-files https://www.terraform.io/cloud-docs/workspaces/variables
The safest way to inject sensitive values into a Terraform Cloud workspace is to write the value to a file and specify the file with the -var-file flag. Option A is the correct answer. This method allows you to store the sensitive value in a file that can be encrypted and stored securely. Terraform Cloud supports encrypted variables, and you can encrypt the file that contains the sensitive value using a tool like SOPS or Vault before uploading it to Terraform Cloud.
B. Set a value for the variable in the UI and check the "Sensitive" check box is the safest way to inject sensitive values into a Terraform Cloud workspace. This ensures that the sensitive values are securely stored and encrypted in the workspace, and are not visible in the Terraform logs or state file. Writing the value to a file or setting the variable value on the command line can expose the sensitive data to unauthorized access, and editing the state file directly is not a recommended practice and can potentially corrupt the state.