Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
Definitely is: A
https://www.terraform.io/language/settings/backends/configuration#credentials-and-sensitive-data
Warning: We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config or hardcode these values directly in your configuration, Terraform will include these values in both the .terraform subdirectory and in plan files. This can leak sensitive credentials.
Authentication outside of Terraform is more secure than environment variables. Your environment variables can still refer to a file or the definition of your variables inside terraform. So I would go for C.
choose A:
when we use vault, we still need to download it into a file,here is official doc:
- **File**: A configuration file may be specified via the `init` command line. To specify a file, use the `-backend-config=PATH` option when running `terraform init`. If the file contains secrets it may be kept in a secure data store, such as [Vault](https://www.vaultproject.io/), in which case it must be downloaded to the local disk before running Terraform.
https://developer.hashicorp.com/terraform/language/settings/backends/configuration#credentials-and-sensitive-data
From the documentation :
Warning: We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config or hardcode these values directly in your configuration, Terraform will include these values in both the .terraform subdirectory and in plan files. This can leak sensitive credentials.
So it's A
Chat GPT: The most secure option for storing secrets for connecting to a Terraform remote backend is typically:
C. Defined in a connection configuration outside of Terraform
Storing sensitive information, such as authentication credentials, outside of the Terraform configuration helps enhance security by preventing accidental exposure or leakage of sensitive data. Using external tools or configuration management systems to manage secrets can provide additional layers of security and access control. It is generally not recommended to store sensitive information directly within the Terraform configuration (option B) to minimize the risk of inadvertent exposure. Additionally, environment variables (option A) can be a good practice for storing secrets securely, but they need to be managed carefully to avoid unintended exposure.
Warning: We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config or hardcode these values directly in your configuration, Terraform will include these values in both the .terraform subdirectory and in plan files. This can leak sensitive credentials.
ANSWER SHOULD BE "A"
C. Defined in a connection configuration outside of Terraform
The most secure option for storing secrets for connecting to a Terraform remote backend is to define them in a connection configuration outside of Terraform. This involves using external configuration files or secure credential management tools.
Option A (defined in environment variables) is also a good practice for sensitive information, but it might be less secure than an external configuration file if, for example, there is a risk of exposing environment variables.
Option B (inside the backend block within the Terraform configuration) is generally not recommended for storing sensitive information like secrets because Terraform configuration files may be versioned and shared, posing a security risk.
Therefore, when dealing with sensitive information, it's a good practice to use external and secure methods for configuration, such as a separate configuration file or a secure credential management tool.
https://developer.hashicorp.com/terraform/language/settings/backends/configuration
Warning: We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config or hardcode these values directly in your configuration, Terraform will include these values in both the .terraform subdirectory and in plan files. This can leak sensitive credentials.
This extract is taken from another course on Udemy with explanation
The only method list above that will not result in the username/password being written to the state file is environment variables. All of the other options will result in the provider's credentials in the state file.
Terraform runs will receive the full text of sensitive variables, and might print the value in logs and state files if the configuration pipes the value through to an output or a resource parameter. Additionally, Sentinel mocks downloaded from runs will contain the sensitive values of Terraform (but not environment) variables. Take care when writing your configurations to avoid unnecessary credential disclosure. Whenever possible, use environment variables since these cannot end up in state files or in Sentinel mocks. (Environment variables can end up in log files if TF_LOG is set to TRACE.)
A for sure.This is what the documentation says:
https://developer.hashicorp.com/terraform/language/settings/backends/configuration#credentials-and-sensitive-data
https://blog.gitguardian.com/how-to-handle-secrets-in-terraform/
Even if C is a best practice, is not the first choice
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
zyxphreez
Highly Voted 1 year, 7 months agoAlandt
2 months, 3 weeks agodeepeshukla
9 months, 3 weeks agoGomjaba
7 months, 1 week agoCHRIS12722222
Highly Voted 1 year, 8 months agoAlandt
2 months, 3 weeks agokingfighers
Most Recent 2 weeks, 1 day agoaksliveswithaws
2 weeks, 3 days agoAntonyPeter7
1 month, 2 weeks agoKaname93
1 month, 3 weeks agoAlandt
2 months, 3 weeks agoenook
3 months agoparag09
3 months, 1 week agovipulchoubisa
3 months, 1 week agosamimshaikh
3 months, 3 weeks agocaliph_noman
4 months agoTigerInTheCloud
4 months ago[Removed]
4 months, 3 weeks agoRamdi1
4 months, 4 weeks agosatamex
6 months agoAlex1atd
6 months, 1 week ago