Adi334

Reputation: 107

terraform storing sensitive data in state file

I am using variables with sensitive = true; even so, the state file stores the id and password. Is there any way to avoid it?

variable "rs_master_pass" {
  type = string
  sensitive = true
}

In state file,

 "master_password": "password"

Even when I take it out of the state manually, it comes back on each apply.

Upvotes: 2

Views: 4749

Answers (2)

Jatin Mehrotra

Reputation: 11492

Update 2024

In Terraform v1.10 there is a new concept of ephemeral resources, which produce ephemeral values that are never stored in the state file.

This should be the accepted answer now.

Upvotes: 0
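Added example, not code from either answer: the asker's `rs_master_pass` variable marked ephemeral and passed to a write-only argument so the password never lands in state, with an ephemeral Secrets Manager read as the external-vault alternative. It assumes Terraform 1.11+ (ephemeral variables arrived in 1.10, write-only arguments in 1.11) and an AWS provider release whose `aws_db_instance` supports `password_wo`; check your provider's docs for the exact minimum version.

```hcl
terraform {
  # Ephemeral variables need Terraform 1.10; write-only arguments need 1.11.
  required_version = ">= 1.11"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # assumption: a release that supports write-only arguments
    }
  }
}

# The asker's variable, now ephemeral as well as sensitive. sensitive = true only
# redacts CLI output; ephemeral = true makes Terraform refuse to persist the value
# to the plan or state file at all.
variable "rs_master_pass" {
  type      = string
  sensitive = true
  ephemeral = true
}

# Only this counter is recorded in state. Bump it to make Terraform resend the
# password; the secret itself is never compared against state.
variable "rs_master_pass_version" {
  type    = number
  default = 1
}

# External-vault alternative: an ephemeral resource is read fresh on every run
# and never written to state. "rs-master-password" is a placeholder secret name.
ephemeral "aws_secretsmanager_secret_version" "rs_master" {
  secret_id = "rs-master-password"
}

resource "aws_db_instance" "example" {
  identifier        = "example-db" # placeholder
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "dbadmin"

  # Write-only argument: sent to the API on create/update but not stored in state,
  # unlike the ordinary `password` argument the asker saw persisted.
  password_wo         = var.rs_master_pass
  password_wo_version = var.rs_master_pass_version

  # To source the password from Secrets Manager instead, use:
  # password_wo = ephemeral.aws_secretsmanager_secret_version.rs_master.secret_string
}
```

After `terraform apply`, `terraform show -json` should list no `password` value for the instance, only `password_wo_version`; that check is how to confirm the state no longer carries the secret.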

Marcin

Reputation: 238051

There is no "easy" way to avoid that. You must simply not hard-code the values in your TF files. Setting sensitive = true does not protect against having the secrets in plain text as you noticed.

The general ways for properly handling secrets in TF are:

  • use specialized, external vaults, such as Terraform Vault, AWS Parameter Store or AWS Secrets Manager. They have to be set up separately, so as to again not have their secrets available in the TF state file.
  • use local-exec to set up the secrets outside of TF. Whatever you do in local-exec does not get stored in the TF state file. This is often done to change dummy secrets that may be required in your TF code (e.g. RDS password) to the actual values outside of TF's knowledge.
  • if the above solutions are not accessible, then you have to protect your state file (it's good practice anyway). This is often done by storing it remotely in S3 under strict access policies.

Upvotes: 3
