Terraform Secrets and Sensitive Values

How to handle credentials and secrets in Terraform without leaking them into state or version control.

Terraform Beginner 6 min read

Updated 2026-04-12

What to avoid

Hardcoding secrets directly in .tf files is the most common mistake. Even in a private repository, credentials in source code are risky. They appear in git history and are easy to miss when rotating.

The second common mistake is committing terraform.tfvars files that contain real credentials. A tfvars file looks harmless until it ends up in a shared repository or CI log.

Common safer patterns

The three most practical approaches for beginners are environment variables, external secret stores, and sensitive variable declarations.

Environment variables — Terraform reads any environment variable named TF_VAR_<variable_name> at runtime. Set them in your shell session or CI/CD pipeline and they never touch a file.

Sensitive variable declarations — Add sensitive = true to the variable block. Terraform will then redact the value from plan, apply, and output logs.

variable "db_password" {
  type      = string
  sensitive = true
}

Sensitive variables improve output handling but do not encrypt the state file. Always combine them with a secure remote backend.

External secret stores — Tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault can supply values to Terraform at apply time using data sources. This keeps secrets out of Terraform files entirely.

A practical team approach

Never put secrets in .tf or .tfvars files tracked by git.
Use TF_VAR_ environment variables for local development.
Use your CI/CD platform's secret store for pipeline runs.
Mark all sensitive variables with sensitive = true.
Store state in a remote backend with encryption and access control.

[ { "question": "What does marking a variable as sensitive = true do?", "options": [ "Encrypts the value inside the state file", "Deletes the variable after one apply", "Suppresses the value from plan and apply terminal output", "Prevents the variable from being used in resources" ], "answer": 2, "explanation": "sensitive = true hides the value from terminal output. It does not encrypt the state file." }, { "question": "How can you pass a secret to Terraform without writing it to a file?", "options": [ "Hardcode it in main.tf", "Set a TF_VAR_ environment variable", "Use a comment block", "Add it to the lock file" ], "answer": 1, "explanation": "TF_VAR_<name> environment variables are read by Terraform at runtime and never stored in source files." }, { "question": "What is the recommended way to store Terraform state in a team project that uses secrets?", "options": [ "Commit terraform.tfstate to a private Git repository", "Email the state file to team members", "Use a remote backend with encryption at rest", "Store state in a local zip archive" ], "answer": 2, "explanation": "Remote backends like S3 with server-side encryption keep state files secure and accessible to the whole team." } ]

Terraform Secrets and Sensitive Values

What to avoid

Common safer patterns

A practical team approach

Small technical takeaways

Mark as sensitive

Prefer environment variables

Continue the topic

Terraform Hello World and First Step

Terraform File Structure: main.tf

Terraform: What Kind of Files Can Be in a Folder