Which option can not be used to keep secrets out of Terraform configuration files?
A 'secure string' is not a recognized or standard feature in Terraform for keeping secrets out of configuration files. Terraform provides several methods to keep secrets and sensitive information out of configuration files, including using a Terraform provider specifically designed for managing secrets (like Vault), environment variables prefixed with TF_VAR_, and the -var command-line flag. However, there is no built-in mechanism in Terraform referred to as a 'secure string' to accomplish this.
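The three working options from the explanation above, shown together as an added example (not part of the original page and not HashiCorp's code). The variable names follow the `db_username`/`db_password` example that appears in the thread; the Vault path `secret/db` and the output names are hypothetical.

```hcl
# Added example: a configuration that contains no secret literals.
# Variable names, output names and the Vault path are hypothetical.

# Declared without a default, so the value has to come from outside the
# configuration files. `sensitive = true` only redacts the value in
# plan/apply output; it does not encrypt anything.
variable "db_username" {
  type      = string
  sensitive = true
}

variable "db_password" {
  type      = string
  sensitive = true
}

# Option A: a provider fetches the secret at run time.
# The Vault provider reads its address and token from VAULT_ADDR and
# VAULT_TOKEN, so its own credentials stay out of the files as well.
provider "vault" {}

data "vault_generic_secret" "db" {
  path = "secret/db" # hypothetical path
}

# Option B: environment variables named TF_VAR_<variable name>
#   export TF_VAR_db_username=admin
#   export TF_VAR_db_password=...
#
# Option C: the -var flag (or -var-file) on the command line
#   terraform apply -var "db_username=admin" -var-file="secret.tfvars"

# Outputs derived from sensitive values must be marked sensitive too.
output "db_password_from_vault" {
  value     = data.vault_generic_secret.db.data["password"]
  sensitive = true
}

output "db_password_from_variable" {
  value     = var.db_password
  sensitive = true
}
```

All three options keep the secret out of the `.tf` files, but the values are still written to the state file in plain text, so the state backend needs its own access control and encryption.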
It's D. We can use providers to supply variable values (Vault, for example). We can provide an input variable value as a parameter for the apply command. We can use environment variables. HashiCorp does not mention anything about secure strings. Reference: https://www.terraform.io/language/values/variables
Terraform does not have a built-in concept of a "secure string". This means that you cannot use the secure_string keyword to define a secret in your Terraform configuration file. Link below recommends the three options. A. e.g. Vault B. e.g. export TF_VAR_db_username=admin TF_VAR_db_password=adifferentpassword C. -var-file="secret.tfvars" https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables
I think D
I lean my decision towards A. Use a provider like Vault or Parameter Store to store sensitive keys
Is asking which is not.
If we remove the "not" from the question, we can eliminate incorrect answers. Which option can "not" be used to keep secrets out of Terraform configuration files? A. A Terraform provider - can pass strings and templates containing secrets within provider module B. Environment variables - TF_VAR can be used to inject secrets outside of code C. A -var flag - Can be used to pass variable from secret.tfvars file D. secure string - Can be used to hold password Correct answer is B https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1
Yepp, looks like a typo in the question
question is what cannot be used so I think A is correct
Answer is A. A Terraform provider is a software library that allows Terraform to interact with a particular cloud provider or other infrastructure service. Terraform providers do not have the ability to store secrets, so they cannot be used to keep secrets out of Terraform configuration files.
Even B is valid option, as you can pass variables by setting the TF_VAR_whatever env variables
I think it's A, as it's a provider, which has no relation to keeping secrets
Answer is: A. Terraform provider. It says: to Hide secrets and not include secrets. Here's why the other options are suitable for hiding secrets: B. Environment variables: Environment variables store sensitive information outside of Terraform code, and Terraform can access them during execution. C. A -var flag: The -var flag allows passing secrets as command-line arguments when running terraform apply or other commands. These arguments aren't stored in the configuration files. D. Secure string: Some Terraform providers (like AWS) offer functionality to store secrets securely within the provider itself (e.g., AWS Secrets Manager). This keeps them out of the configuration files.
D is correct in my view.
A seems credible, Provider can not be used
A appears to be the correct answer, by reading these references: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1 and this https://github.com/hashicorp/terraform/issues/516
B and C are definitely methods, as they're well documented. https://www.terraform.io/language/values/variables#variables-on-the-command-line >> this shows an example of using -var during an apply to put in something like secrets or a password so it's not stored anywhere else. But this is not a very good method, as the state file will still contain the password in plain text.
Well, the AWS provider applies sensitive = true automatically for any DB created, so technically a provider can be used to secure a value
D. In Terraform Cloud they offer sensitive variables that contain sensitive information like passwords. "Secure string" does not exist for Terraform
I beg to differ with the general thoughts here. We need to focus on the statement "out of configuration file". They are not talking about security in this question.
-var is used in the cli
A is incorrect, A provider can also declare an attribute as sensitive, which will cause Terraform to hide it from regular output regardless of how you assign it a value. Ref. https://developer.hashicorp.com/terraform/language/values/variables
Answer is D. A. Terraform Provider: You can use sensitive variables in Terraform Cloud (below link) or other secrets management solutions (e.g. AWS Secrets Manager). Sensitive variables / sensitive values is described here: https://developer.hashicorp.com/terraform/cloud-docs/workspaces/variables/managing-variables#sensitive-values B. Environment Variables: You can use environment variables. Terraform will read environment variables that start with TF_VAR_, followed by the name of a declared variable in your configuration. C. -var flag: You can use the -var command line flag. This is useful for setting sensitive data that should not be stored in your configuration. e.g. terraform apply -var 'db_password=My$ecretP@ssw0rd' D. "secure string" is not a valid option for keeping secrets out of Terraform configuration files. The term "secure string" is not a recognized or standard feature in Terraform.
Bad answers for this question. Definitely you cannot use a terraform provider to keep secrets out of your terraform configuration. Even if you use Vault, you must provide the Vault itself secrets and or you save to a file, in an environment variable, or within the provider itself. So "A" is wrong. The issue is that "D" is also wrong. A and D should be the answers for this question in my opinion.
I will go for A. All other options are to keep secrets out of Terraform configuration files, you typically use environment variables, a -var flag, or secure string variables.
swear to god these questions are worded so fking poorly
The correct is D
What is a -var flag?
I vote D
I don't think there is something called secure string.
A is correct
I think it's D, mate. Option A is incorrect, as you can use a Terraform provider to store and retrieve sensitive data, such as passwords and API keys, from a remote location. The provider is responsible for interacting with the remote location and retrieving the sensitive data when needed.
D. Use the Terraform Vault provider, environment variables and the -var flag to avoid passing sensitive data in configuration files. You can find it in the Exam Objectives (7g and 8b). The data is in plain text in the state file, but here it is about how we pass the sensitive data (secrets).
haven't seen anything about secure strings on HashiCorp!
D. secure string is not an option for keeping secrets out of Terraform configuration files. Secure string: While there is no option for a "secure string" in Terraform, you can use a number of different techniques to encrypt or obfuscate sensitive information in your configuration files. For example, you might use a tool like SOPS to encrypt your Terraform code, or you might use a tool like Vault to store and manage your secrets separately from your code.
secure string. Ans is D
D. Secure string. Secure string is not a valid option for keeping secrets out of Terraform configuration files. There is no Terraform data type called secure string. It is possible that this option is referring to an external secrets management tool or encryption mechanism, but it is not a built-in Terraform feature.
I think it is A. Provider has nothing to do with secret management.
It's D.
Terraform does not have a built-in "secure string" option
D is correct because all other options can be used to keep secrets out of terraform config files
C is the answer
D, "secure string"
D is correct. In Terraform, the term "secure string" isn't a specific built-in type or feature by that name. However, the concept of treating certain strings as "secure" or sensitive is indeed present in Terraform, particularly through the use of the sensitive attribute for variables and outputs. When we refer to a "secure string" in the context of Terraform, it's generally about handling sensitive values such as passwords, secret keys, or any confidential data that should not be exposed in logs or CLI output. Here's how you can declare a variable as sensitive:
variable "api_secret_key" {
  type      = string
  sensitive = true
}
can not be used to keep secrets D - Secret String
A. A Terraform provider. A Terraform provider is not typically used to keep secrets out of Terraform configuration files. Instead, environment variables, the -var flag, and secure strings are common methods used to manage secrets securely in Terraform.
The correct answer is: A. A Terraform provider. Explanation: Terraform providers are used to interact with external APIs and services (e.g., AWS, Azure, Google Cloud), but they are not designed to manage secrets or keep them out of configuration files. The other options, however, are valid ways to keep secrets secure.