Scenario:
You are building infrastructure and creating a database or other resource that requires values, such as passwords, that you want to protect. First we declare a variable to store the sensitive value, and then we provide the value securely.
Declare a Variable to store a sensitive value.
Step 1: First, create a variable and set the sensitive argument to true. This ensures that the value of the variable won't be displayed in the terminal when running terraform plan or terraform apply.
Example code:
variable "db_password" {
  type        = string
  description = "Enter in password for your db"
  sensitive   = true # hides the value in plan/apply terminal output
}
Step 2: Reference that variable in your resource or database configuration.
password = var.db_password
Step 3: Provide the password value securely through the methods discussed below.
What Not to Do:
Avoid storing sensitive values, such as passwords, in a .tfvars file, as this would defeat the purpose of hiding them if stored in plaintext.
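A check for the mistake described above, as an added example that is not part of the original post: it collects the variables declared with sensitive = true and reports any .tfvars file that assigns one of them. The function names and the sample project are constructed for illustration, and the parsing assumes terraform fmt layout (block-closing brace at column 0).

```shell
#!/bin/sh
# Added example: find .tfvars files that assign variables declared sensitive.
# Assumes `terraform fmt` layout; function names are illustrative.

# Names of variables declared with `sensitive = true` in *.tf files under $1.
sensitive_vars() {
    find "$1" -type f -name '*.tf' -exec awk '
        /^variable[ \t]+"[^"]+"/ { name = $0; sub(/^variable[ \t]+"/, "", name); sub(/".*/, "", name) }
        name != "" && /^[ \t]*sensitive[ \t]*=[ \t]*true/ { print name }
        /^}/ { name = "" }
    ' {} + | sort -u
}

# Print file:line:variable for each plaintext assignment (never the value).
# Returns 1 if anything was found, so it can gate a commit or a CI job.
check_tfvars() {
    findings=$(sensitive_vars "$1" | while IFS= read -r var; do
        find "$1" -type f -name '*.tfvars' -exec awk -v var="$var" '
            $0 ~ "^[ \t]*" var "[ \t]*=" { print FILENAME ":" FNR ":" var }
        ' {} +
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample project: db_password is sensitive, region is not.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/variables.tf" <<'EOF'
variable "db_password" {
  type        = string
  description = "Enter in password for your db"
  sensitive   = true
}

variable "region" {
  type = string
}
EOF
    printf 'region      = "eu-west-1"\ndb_password = "mypassword"\n' > "$dir/prod.tfvars"
    printf '%s\n' "$dir"
}
```

Running check_tfvars on the directory created by make_sample reports prod.tfvars line 2 for db_password and returns a non-zero status.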
3 Ways to Securely Provide Sensitive Values:
1. Using the -var option:
You can pass the value directly using the -var flag, e.g., terraform apply -var="db_password=mypassword"
2. Prompted Input:
If you run terraform plan without providing the value, you will be prompted to enter it, and whatever you type will be hidden in the terminal.
3. Environment Variables:
Use an environment variable, e.g., export TF_VAR_db_password="mypassword", and then run terraform plan or terraform apply as usual.
Official documentation:
Variable sensitive argument
-var flag
Environment variable to assign values