diff --git a/website/docs/language/settings/backends/artifactory.mdx b/website/docs/language/settings/backends/artifactory.mdx index cca3e82b27..d69a5ada08 100644 --- a/website/docs/language/settings/backends/artifactory.mdx +++ b/website/docs/language/settings/backends/artifactory.mdx @@ -45,7 +45,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options / environment variables are supported: diff --git a/website/docs/language/settings/backends/azurerm.mdx b/website/docs/language/settings/backends/azurerm.mdx index a703560727..09edccddd8 100644 --- a/website/docs/language/settings/backends/azurerm.mdx +++ b/website/docs/language/settings/backends/azurerm.mdx @@ -230,7 +230,10 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. + The following configuration options are supported: diff --git a/website/docs/language/settings/backends/configuration.mdx b/website/docs/language/settings/backends/configuration.mdx index 6a46745eef..5b1455dff7 100644 --- a/website/docs/language/settings/backends/configuration.mdx +++ b/website/docs/language/settings/backends/configuration.mdx @@ -43,11 +43,11 @@ There are some important limitations on backend configuration: - A configuration can only provide one backend block. - A backend block cannot refer to named values (like input variables, locals, or data source attributes). -### Managing Credentials +### Credentials and Sensitive Data Backends store state in a remote service, which allows multiple people to access it. Accessing remote state generally requires access credentials, since state data contains extremely sensitive information. -!> **Warning:** We recommend using environment variables to supply sensitive credentials and other data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. This can leak sensitive credentials. +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. This can leak sensitive credentials. Terraform writes the backend configuration in plain text in two separate files. - The `.terraform/terraform.tfstate` file contains the backend configuration for the current working directory. diff --git a/website/docs/language/settings/backends/consul.mdx b/website/docs/language/settings/backends/consul.mdx index f003b7851b..aadbc097ae 100644 --- a/website/docs/language/settings/backends/consul.mdx +++ b/website/docs/language/settings/backends/consul.mdx @@ -35,7 +35,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options / environment variables are supported: diff --git a/website/docs/language/settings/backends/cos.mdx b/website/docs/language/settings/backends/cos.mdx index 548c569cd5..2a5ab16238 100644 --- a/website/docs/language/settings/backends/cos.mdx +++ b/website/docs/language/settings/backends/cos.mdx @@ -45,7 +45,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options or environment variables are supported: diff --git a/website/docs/language/settings/backends/etcd.mdx b/website/docs/language/settings/backends/etcd.mdx index 8495e72f58..2aca6b32d7 100644 --- a/website/docs/language/settings/backends/etcd.mdx +++ b/website/docs/language/settings/backends/etcd.mdx @@ -32,7 +32,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options are supported: diff --git a/website/docs/language/settings/backends/etcdv3.mdx b/website/docs/language/settings/backends/etcdv3.mdx index 2196c164c3..551aabb273 100644 --- a/website/docs/language/settings/backends/etcdv3.mdx +++ b/website/docs/language/settings/backends/etcdv3.mdx @@ -37,7 +37,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options / environment variables are supported: diff --git a/website/docs/language/settings/backends/gcs.mdx b/website/docs/language/settings/backends/gcs.mdx index f5f23353a7..5e75265ff3 100644 --- a/website/docs/language/settings/backends/gcs.mdx +++ b/website/docs/language/settings/backends/gcs.mdx @@ -73,7 +73,9 @@ the path of the service account key. Terraform will use that key for authenticat Terraform can impersonate a Google Service Account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials). A valid credential must be provided as mentioned in the earlier section and that identity must have the `roles/iam.serviceAccountTokenCreator` role on the service account you are impersonating. -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options are supported: diff --git a/website/docs/language/settings/backends/http.mdx b/website/docs/language/settings/backends/http.mdx index a87b2152c8..a2474fc34a 100644 --- a/website/docs/language/settings/backends/http.mdx +++ b/website/docs/language/settings/backends/http.mdx @@ -38,7 +38,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options / environment variables are supported: diff --git a/website/docs/language/settings/backends/kubernetes.mdx b/website/docs/language/settings/backends/kubernetes.mdx index 1f7ee648ef..775f2d0f13 100644 --- a/website/docs/language/settings/backends/kubernetes.mdx +++ b/website/docs/language/settings/backends/kubernetes.mdx @@ -44,7 +44,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options are supported: diff --git a/website/docs/language/settings/backends/manta.mdx b/website/docs/language/settings/backends/manta.mdx index b3d49c7920..ac31f01f7f 100644 --- a/website/docs/language/settings/backends/manta.mdx +++ b/website/docs/language/settings/backends/manta.mdx @@ -35,7 +35,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options are supported: diff --git a/website/docs/language/settings/backends/oss.mdx b/website/docs/language/settings/backends/oss.mdx index 85dd380091..2496818602 100644 --- a/website/docs/language/settings/backends/oss.mdx +++ b/website/docs/language/settings/backends/oss.mdx @@ -69,7 +69,9 @@ data "terraform_remote_state" "network" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options or environment variables are supported: diff --git a/website/docs/language/settings/backends/pg.mdx b/website/docs/language/settings/backends/pg.mdx index fae9c85617..8327973f78 100644 --- a/website/docs/language/settings/backends/pg.mdx +++ b/website/docs/language/settings/backends/pg.mdx @@ -64,6 +64,8 @@ data "terraform_remote_state" "network" { ## Configuration Variables +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. + The following configuration options or environment variables are supported: - `conn_str` - (Required) Postgres connection string; a `postgres://` URL diff --git a/website/docs/language/settings/backends/remote.mdx b/website/docs/language/settings/backends/remote.mdx index f4b09be33e..b84dcbbabc 100644 --- a/website/docs/language/settings/backends/remote.mdx +++ b/website/docs/language/settings/backends/remote.mdx @@ -173,7 +173,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options are supported: diff --git a/website/docs/language/settings/backends/s3.mdx b/website/docs/language/settings/backends/s3.mdx index 3ce1f57f5f..15dc0a29c2 100644 --- a/website/docs/language/settings/backends/s3.mdx +++ b/website/docs/language/settings/backends/s3.mdx @@ -142,6 +142,8 @@ This backend requires the configuration of the AWS Region and S3 state storage. ### Credentials and Shared Configuration +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. + The following configuration is required: * `region` - (Required) AWS Region of the S3 Bucket and DynamoDB Table (if used). This can also be sourced from the `AWS_DEFAULT_REGION` and `AWS_REGION` environment variables. @@ -411,7 +413,7 @@ to only a single state object within an S3 bucket is shown below: ``` It is also possible to apply fine-grained access control to the DynamoDB -table used for locking. When Terraform puts the state lock in place during `terraform plan`, it stores the full state file as a document and sets the s3 object key as the partition key for the document. After the state lock is released, Terraform places a digest of the updated state file in DynamoDB. The key is similar to the one for the original state file, but is suffixed with `-md5`. +table used for locking. When Terraform puts the state lock in place during `terraform plan`, it stores the full state file as a document and sets the s3 object key as the partition key for the document. After the state lock is released, Terraform places a digest of the updated state file in DynamoDB. The key is similar to the one for the original state file, but is suffixed with `-md5`. The example below shows a simple IAM policy that allows the backend operations role to perform these operations: diff --git a/website/docs/language/settings/backends/swift.mdx b/website/docs/language/settings/backends/swift.mdx index 0f34832802..5a52b3bca6 100644 --- a/website/docs/language/settings/backends/swift.mdx +++ b/website/docs/language/settings/backends/swift.mdx @@ -39,7 +39,9 @@ data "terraform_remote_state" "foo" { } ``` -## Configuration variables +## Configuration Variables + +!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. The following configuration options are supported: