Which option cannot be used to keep secrets out of Terraform configuration files?

• A. Environment Variables
• B. Mark the variable as sensitive
• C. -var flag
• D. Terraform provider

Answer: (D)

Keeping secrets out of Terraform configuration files means supplying sensitive values from outside the .tf files rather than hard-coding them. Environment variables let Terraform read inputs from TF_VAR_<NAME> unless you’ve overridden them, so secrets stay outside the configuration. Marking a variable as sensitive hides the value in plan and apply outputs, which helps with secrecy in the UI, but it doesn’t prevent the value from being stored or exposed elsewhere (like state or logs), so it isn’t itself a method for keeping secrets out of the files. The -var flag lets you pass secret values at runtime, again avoiding embedding them in the configuration. The Terraform provider, however, isn’t a mechanism for secret management—it’s the plugin that interfaces with a cloud or service—and it doesn’t provide a way to keep secrets out of the configuration files.

Keeping secrets out of Terraform configuration files means supplying sensitive values from outside the .tf files rather than hard-coding them. Environment variables let Terraform read inputs from TF_VAR_ unless you’ve overridden them, so secrets stay outside the configuration. Marking a variable as sensitive hides the value in plan and apply outputs, which helps with secrecy in the UI, but it doesn’t prevent the value from being stored or exposed elsewhere (like state or logs), so it isn’t itself a method for keeping secrets out of the files. The -var flag lets you pass secret values at runtime, again avoiding embedding them in the configuration. The Terraform provider, however, isn’t a mechanism for secret management—it’s the plugin that interfaces with a cloud or service—and it doesn’t provide a way to keep secrets out of the configuration files.