How to hide/mask credentials stored in the Terraform state file



  • In Terraform, when we create a resource key, e.g. ibm_resource_key, all the credentials created are stored in plain text in the state file. The question is how to hide/mask the credential/secret sections in the state file.

    Options are to store the state file itself in some safe place like S3, Vault, etc., but is there a way to hide the info in the state file itself?



  • The tfstate file can be thought of as your "executable". So no, you cannot hide/remove sensitive values from it.

    What you can do, however, is to store it safely. Terraform offers https://developer.hashicorp.com/terraform/language/settings/backends/s3 on how to configure your backend to store the tfstate (because this file must never make it to your Git repository). Usually it consists of an S3 bucket (to store the contents) and a DynamoDB table (for version management).
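
An added example, not part of the original posts: one way to set up the S3 backend the answer refers to, with the state bucket encrypted, versioned and closed to public access, plus the DynamoDB table the backend uses. Bucket, table, key and region names are placeholders chosen for illustration.

```hcl
# Bootstrap configuration (applied once): creates the state storage.
# Bucket, table, key and region names are placeholders (assumptions).
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-tfstate"
}
# Keep earlier state versions so a damaged state can be restored.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration { status = "Enabled" }
}

# Encrypt at rest. Anyone allowed to read the object still sees the
# credentials, so keep read access to this bucket narrow.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table for the S3 backend; its hash key must be named LockID.
resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "example-org-tfstate-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# Workload configuration (separate directory): points Terraform at it.
terraform {
  backend "s3" {
    bucket         = "example-org-tfstate"
    key            = "ibm/terraform.tfstate"
    region         = "eu-central-1"
    encrypt        = true
    dynamodb_table = "example-org-tfstate-lock"
  }
}
```

The state object still contains the ibm_resource_key credentials in readable form once decrypted, so the IAM policy on the bucket and KMS key decides who can see them.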



