Which option is not a safe way to inject sensitive values into a Terraform Cloud workspace?

Multiple Choice

Explanation:
The key idea is how to manage sensitive values securely in Terraform Cloud. The safest approach is to store secrets as workspace variables marked sensitive, so they’re masked in logs and not written to disk.

Writing the value to a file and using a var-file means the secret lives on disk in the runner’s workspace. That file could end up in version control, be exposed in logs, or be accessible to anyone with access to the runner’s file system, making it easy for secrets to leak. In Terraform Cloud, this bypasses the built‑in secret management and increases the risk of exposure, which is why this method is not safe.

Using the Terraform Cloud workspace variable editor is the recommended way to inject sensitive values because it keeps secrets securely managed by the platform and prevents them from leaking through logs or files. The other approaches—passing values on the command line or editing the state—also carry risks, but the file-based var-file method is the one that most clearly creates persistent on-disk secrets and is therefore not safe.
