---
layout: "language"
page_title: "State: Sensitive Data"
sidebar_current: "docs-state-sensitive-data"
description: |-
  Sensitive data in Terraform state.
---

# Sensitive Data in State

Terraform state can contain sensitive data, depending on the resources in use
and your definition of "sensitive." The state contains resource IDs and all
resource attributes. For resources such as databases, this may contain initial
passwords.

When using local state, state is stored in plain-text JSON files: `terraform.tfstate`
in the working directory, plus the `terraform.tfstate.backup` copy Terraform keeps
from the previous run.

When using [remote state](/docs/language/state/remote.html), state is only ever held in
memory when used by Terraform. It may be encrypted at rest, but this depends on
the specific remote state backend.
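
The script below, added here as an example and not part of the Terraform documentation or codebase, shows what "all resource attributes" means in practice. It loads a state document in the version 4 JSON layout that `terraform state pull` returns (and that a local `terraform.tfstate` uses), then lists every attribute whose name suggests a credential, together with any output that is still readable in clear text even though it was declared `sensitive`. The key-name pattern, the file name `audit_state.py` and the embedded sample state are constructed for illustration.

```python
"""Audit a Terraform state document for secret-looking values.

Added example, not part of the Terraform documentation or codebase. Reads the
version 4 JSON layout that `terraform state pull` (or a local terraform.tfstate)
produces. The key-name pattern and SAMPLE_STATE are constructed for illustration.
"""
import json
import re
import sys
from typing import Any, Dict, List, Tuple

# Attribute names that usually hold credentials. A heuristic, not a guarantee.
SECRET_KEY_RE = re.compile(
    r"password|passwd|secret|private_key|access_key|token", re.IGNORECASE
)

Finding = Tuple[str, str]  # (resource or output address, attribute path)


def _walk(value: Any, path: str, address: str, out: List[Finding]) -> None:
    """Recurse through nested attribute maps and lists, recording secret-like keys."""
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if SECRET_KEY_RE.search(key) and child not in (None, "", [], {}):
                out.append((address, child_path))
            _walk(child, child_path, address, out)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            _walk(child, f"{path}[{i}]", address, out)


def find_sensitive(state: Dict[str, Any]) -> List[Finding]:
    """Return (address, path) for every secret-looking value in a v4 state."""
    if state.get("version") != 4:
        raise ValueError(f"unsupported state version: {state.get('version')!r}")
    findings: List[Finding] = []

    # `sensitive = true` on an output only redacts CLI output; the value is still stored.
    for name, output in state.get("outputs", {}).items():
        if output.get("sensitive") and output.get("value") not in (None, ""):
            findings.append((f"output.{name}", "value"))

    for res in state.get("resources", []):
        module = res.get("module")
        mode = "data." if res.get("mode") == "data" else ""
        base = f"{module + '.' if module else ''}{mode}{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            key = inst.get("index_key")  # present for count/for_each instances
            address = base if key is None else f"{base}[{json.dumps(key)}]"
            _walk(inst.get("attributes", {}), "", address, findings)
    return findings


# Constructed sample in the v4 layout: a database with its initial password,
# a generated private key, and an output declared sensitive. Values are fake.
SAMPLE_STATE = json.loads(r'''
{
  "version": 4,
  "terraform_version": "0.14.5",
  "serial": 7,
  "lineage": "c7c2a2a1-0000-4000-8000-000000000000",
  "outputs": {
    "db_password": {"value": "hunter2", "type": "string", "sensitive": true},
    "db_host": {"value": "appdb.example.internal", "type": "string"}
  },
  "resources": [
    {
      "mode": "managed", "type": "aws_db_instance", "name": "main",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": [{
        "schema_version": 1,
        "attributes": {"id": "appdb", "engine": "postgres",
                       "username": "admin", "password": "hunter2"},
        "sensitive_attributes": []
      }]
    },
    {
      "mode": "managed", "type": "tls_private_key", "name": "ssh",
      "provider": "provider[\"registry.terraform.io/hashicorp/tls\"]",
      "instances": [{
        "schema_version": 0,
        "attributes": {"algorithm": "RSA",
                       "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...",
                       "public_key_openssh": "ssh-rsa AAAA..."}
      }]
    }
  ]
}
''')


if __name__ == "__main__":
    # Usage: python audit_state.py [terraform.tfstate]; defaults to SAMPLE_STATE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            state = json.load(fh)
    else:
        state = SAMPLE_STATE
    for address, path in find_sensitive(state):
        print(f"{address}: {path}")
```

Against the sample this reports the `db_password` output, `aws_db_instance.main` `password` and `tls_private_key.ssh` `private_key_pem`. Because the check is name-based it misses attributes such as a `random_password` resource's `result`, so treat a clean run as a hint, not as proof that the file holds no secrets.
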

## Recommendations

If you manage any sensitive data with Terraform (like database passwords, user
passwords, or private keys), treat the state itself as sensitive data. Declaring
a variable or output as `sensitive` only redacts the value from Terraform's CLI
output; the value is still recorded in state in plain text.

Storing state remotely can provide better security. As of Terraform 0.9,
Terraform does not persist state to the local disk when remote state is in use,
and some backends can be configured to encrypt the state data at rest.

For example:

- [Terraform Cloud](/docs/cloud/index.html) always encrypts state at rest and
  protects it with TLS in transit. Terraform Cloud also knows the identity of
  the user requesting state and maintains a history of state changes. This can
  be used to control access and track activity. [Terraform Enterprise](/docs/enterprise/index.html)
  also supports detailed audit logging.
- The S3 backend supports encryption at rest when the `encrypt` option is
  enabled. IAM policies and logging can be used to identify any invalid access.
Requests for the state go over a TLS connection.
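
As an added example of the S3 recommendation above (not taken from the Terraform documentation), the configuration below shows the minimal backend block beside a hardened one that turns on `encrypt` with a customer-managed KMS key, and a bucket policy that rejects plaintext transport and unencrypted writes. The bucket name, DynamoDB table, KMS key ARN and account ID are placeholders.

```hcl
# Added example (not from the Terraform documentation). Bucket, table, key ARN
# and account ID are placeholders.

# Minimal form, for comparison: no `encrypt`, so at-rest protection depends
# entirely on whatever default encryption the bucket happens to have.
#
#   terraform {
#     backend "s3" {
#       bucket = "example-tfstate"
#       key    = "prod/network/terraform.tfstate"
#       region = "us-east-1"
#     }
#   }

# Hardened form: server-side encryption with a customer-managed KMS key (so
# reading the state object also requires kms:Decrypt on that key), plus a
# DynamoDB table for state locking.
terraform {
  backend "s3" {
    bucket         = "example-tfstate"
    key            = "prod/network/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-4000-8000-000000000000"
    dynamodb_table = "example-tfstate-lock"
  }
}

# Bucket policy for the state bucket, managed from a separate bootstrap
# configuration (the bucket, key and table must exist before `terraform init`
# can use the backend above). A client that talks to the bucket without TLS or
# uploads without SSE-KMS gets AccessDenied, which the bucket's server access
# logs record (and CloudTrail, if S3 data events are enabled), instead of
# silently producing an unencrypted copy of the state.
resource "aws_s3_bucket_policy" "tfstate" {
  bucket = "example-tfstate"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = ["arn:aws:s3:::example-tfstate", "arn:aws:s3:::example-tfstate/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        Sid       = "DenyUnencryptedObjectUploads"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "arn:aws:s3:::example-tfstate/*"
        Condition = {
          StringNotEquals = { "s3:x-amz-server-side-encryption" = "aws:kms" }
        }
      }
    ]
  })
}
```

Pair this with IAM policies that grant `s3:GetObject` and `s3:PutObject` only on the state key prefix each workspace needs, and `kms:Decrypt` on the state key only to principals that genuinely read state; the access logs then show every reader of the object by identity.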