TA-002-P · Question #260
TA-002-P Question #260: Real Exam Question with Answer & Explanation
The correct answer is A: Yes.
Question
Valarie has created a database instance in AWS and, for ease of use, is outputting the value of the database password with the following code. Valarie wants to hide the output value in the CLI after terraform apply, which is why she has used the sensitive parameter.

```hcl
output "db_password" {
  value     = local.db_password
  sensitive = true
}
```

Since sensitive is set to true, will the value associated with db_password be available in plain text in the state file for everyone to read?
Options
- A. Yes
- B. No
Explanation
Setting sensitive = true on a Terraform output only prevents the value from being displayed in the CLI during terraform plan or terraform apply; it does NOT encrypt or hide the value in the state file. The Terraform state file (terraform.tfstate) stores all resource attributes, including sensitive values, in plain text JSON. Anyone with read access to the state file can see the password. To properly protect sensitive state, you should use a remote backend with access controls (e.g., S3 with encryption and IAM policies, or Terraform Cloud) and restrict who can access the state.
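The point above can be checked directly against a state file. The following Python check is an added example, not part of the original question or of Terraform itself: it lists outputs flagged sensitive whose values are still readable in the state, reporting only their length. The sample state and its password are constructed, and the code assumes the version 4 state layout with a top-level `outputs` map.

```python
import json

# Constructed sample of a version-4 terraform.tfstate; all values are made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "outputs": {
        "db_password": {"value": "example-Passw0rd!", "type": "string", "sensitive": True},
        "db_endpoint": {"value": "db.example.internal:5432", "type": "string"},
    },
    "resources": [],
})


def plaintext_sensitive_outputs(state_text):
    """Return {name: value} for outputs flagged sensitive whose value is readable in state."""
    state = json.loads(state_text)
    found = {}
    for name, out in state.get("outputs", {}).items():
        # The flag only controls CLI display; the value sits next to it in the JSON.
        if out.get("sensitive") and out.get("value") is not None:
            found[name] = out["value"]
    return found


def redacted_report(state_text):
    """One line per exposed output, showing only the value's length, never the value."""
    lines = []
    for name, value in sorted(plaintext_sensitive_outputs(state_text).items()):
        size = len(value) if isinstance(value, str) else len(json.dumps(value))
        lines.append(f"{name}: sensitive=true, stored in plain text ({size} chars)")
    return lines


if __name__ == "__main__":
    for line in redacted_report(SAMPLE_STATE):
        print(line)
```

Any line in the report means the state file itself has to be treated as a secret and protected through backend encryption and access controls.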