- Never hardcode secrets in `.tf` or `.tfvars` files
- Define variables as `sensitive = true` to mask them from terminal output
- Retrieve secrets dynamically at runtime using data sources targeting AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault
- Use `sensitive = true` on output blocks and variable definitions to prevent accidental logging in CI runners
- Inject credentials as environment variables (`TF_VAR_database_password`) from your CI/CD platform instead of persisting them anywhere
- Remember that marking a variable `sensitive` only hides it from the CLI plan output—the plaintext value is still visible in the backend `.tfstate` file
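The following Terraform configuration is an added example (not code from the original page) that puts the points above together: a `sensitive` input variable fed from the CI environment, a runtime lookup from AWS Secrets Manager as the fallback, and a sensitive output. The secret name `prod/db/password`, the resource names, and the `aws_db_instance` settings are assumptions chosen for illustration.

```hcl
# Added example, not from the original page. Secret id, resource names and
# the environment-variable name are assumptions for illustration.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# 1. Sensitive input variable. In CI it is supplied as the environment
#    variable TF_VAR_database_password; it is never written to a .tfvars file.
variable "database_password" {
  type      = string
  sensitive = true
  default   = null
}

# 2. Runtime retrieval: read the current version of an existing secret from
#    AWS Secrets Manager. The secret id is an assumed name.
data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/db/password"
}

locals {
  # Prefer the value injected by CI; fall back to the Secrets Manager lookup.
  # coalesce() returns the first non-null argument, so an unset variable
  # transparently falls through to the data source.
  db_password = coalesce(
    var.database_password,
    data.aws_secretsmanager_secret_version.db.secret_string,
  )
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = local.db_password # masked in plan output, plaintext in .tfstate
  skip_final_snapshot = true
}

# 3. Sensitive output: redacted in `terraform plan` / `terraform apply` output
#    and in CI logs, but still recoverable with `terraform output -raw` and
#    still stored in plaintext in the state file.
output "db_password" {
  value     = local.db_password
  sensitive = true
}
```

Because every value derived from a `sensitive` variable or from `secret_string` is itself sensitive, Terraform refuses to expose `local.db_password` through an output unless that output is also marked `sensitive = true`. As the last bullet notes, none of this protects the state file, so the remaining control is on the backend: store state in an encrypted, access-controlled remote backend (for example an S3 bucket with server-side encryption and a tightly scoped IAM policy) and treat read access to state as equivalent to read access to the secrets.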