Which is the safest way to inject sensitive values into a Terraform Cloud workspace?

Multiple Choice

Which is the safest way to inject sensitive values into a Terraform Cloud workspace?

Explanation:
Setting the value in the Terraform Cloud UI and marking it as Sensitive keeps secrets out of your code, logs, and history. In Terraform Cloud, a workspace variable marked as Sensitive is stored securely in the backend and masked in the UI and plan outputs, with access controlled by permissions. This prevents the value from being exposed in version control, local files, or command-line history, which is essential for protecting credentials or other secrets.

Other approaches expose the secret more easily: writing to a file and using -var-file can put the secret on disk or in files that might be checked in or shared; editing the state file directly is unsafe and can corrupt state or leak data; passing the value on the command line with -var would reveal it in shell history and logs, and isn’t compatible with Terraform Cloud’s remote-run workflow.
