nerdexam
HashiCorp

TA-002-P · Question #70

TA-002-P Question #70: Real Exam Question with Answer & Explanation

The correct answer is B: Copy the sensitive variables into your Terraform code. Securely injecting sensitive variables into a Terraform run in a CI/CD pipeline often involves integrating with a dedicated secrets management solution.

Read, generate, and modify configuration

Question

You're building a CI/CD (continuous integration/continuous delivery) pipeline and need to inject sensitive variables into your Terraform run. How can you do this safely?

Options

  • A. Pass variables to Terraform with a -var flag
  • B. Copy the sensitive variables into your Terraform code
  • C. Store the sensitive variables in a secure_vars.tf file
  • D. Store the sensitive variables as plain text in a source code repository

Explanation

Securely injecting sensitive variables into a Terraform run in a CI/CD pipeline often involves integrating with a dedicated secrets management solution.

Common mistakes.

  • A. Passing variables with a -var flag directly on the command line is generally insecure for sensitive data, as values can be exposed in shell history, process lists, or logs.
  • C. Storing sensitive variables in a secure_vars.tf file is insecure if the file is committed to version control in plaintext, as .tf files are typically part of the configuration repository.
  • D. Storing sensitive variables as plain text in a source code repository is a fundamental security anti-pattern and highly insecure, exposing secrets to anyone with access to the repository.

Concept tested. Secure handling of sensitive data in Terraform

Reference. https://developer.hashicorp.com/terraform/language/values/variables#sensitive-variables

Topics

#Sensitive variables #Secrets management #CI/CD #Configuration security
