Add warning note to each backend page

2025-02-25 18:45:20 -06:00 · 2022-06-08 16:32:01 -04:00 · 2022-06-08 16:32:01 -04:00 · 53d0661785
commit 53d0661785
parent 89dbd6a26b
16 changed files with 47 additions and 16 deletions
--- a/website/docs/language/settings/backends/artifactory.mdx
+++ b/website/docs/language/settings/backends/artifactory.mdx
@ -45,7 +45,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options / environment variables are supported:

--- a/website/docs/language/settings/backends/azurerm.mdx
+++ b/website/docs/language/settings/backends/azurerm.mdx
@ -230,7 +230,10 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.
+

 The following configuration options are supported:

--- a/website/docs/language/settings/backends/configuration.mdx
+++ b/website/docs/language/settings/backends/configuration.mdx
@ -43,11 +43,11 @@ There are some important limitations on backend configuration:
 - A configuration can only provide one backend block.
 - A backend block cannot refer to named values (like input variables, locals, or data source attributes).

-### Managing Credentials
+### Credentials and Sensitive Data

 Backends store state in a remote service, which allows multiple people to access it. Accessing remote state generally requires access credentials, since state data contains extremely sensitive information.

-!> **Warning:**  We recommend using environment variables to supply sensitive credentials and other data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. This can leak sensitive credentials.
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. This can leak sensitive credentials.

 Terraform writes the backend configuration in plain text in two separate files.
 - The `.terraform/terraform.tfstate` file contains the backend configuration for the current working directory.
--- a/website/docs/language/settings/backends/consul.mdx
+++ b/website/docs/language/settings/backends/consul.mdx
@ -35,7 +35,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options / environment variables are supported:

--- a/website/docs/language/settings/backends/cos.mdx
+++ b/website/docs/language/settings/backends/cos.mdx
@ -45,7 +45,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options or environment variables are supported:

--- a/website/docs/language/settings/backends/etcd.mdx
+++ b/website/docs/language/settings/backends/etcd.mdx
@ -32,7 +32,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options are supported:

--- a/website/docs/language/settings/backends/etcdv3.mdx
+++ b/website/docs/language/settings/backends/etcdv3.mdx
@ -37,7 +37,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options / environment variables are supported:

--- a/website/docs/language/settings/backends/gcs.mdx
+++ b/website/docs/language/settings/backends/gcs.mdx
@ -73,7 +73,9 @@ the path of the service account key. Terraform will use that key for authenticat

 Terraform can impersonate a Google Service Account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials). A valid credential must be provided as mentioned in the earlier section and that identity must have the `roles/iam.serviceAccountTokenCreator` role on the service account you are impersonating.

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options are supported:

--- a/website/docs/language/settings/backends/http.mdx
+++ b/website/docs/language/settings/backends/http.mdx
@ -38,7 +38,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options / environment variables are supported:

--- a/website/docs/language/settings/backends/kubernetes.mdx
+++ b/website/docs/language/settings/backends/kubernetes.mdx
@ -44,7 +44,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options are supported:

--- a/website/docs/language/settings/backends/manta.mdx
+++ b/website/docs/language/settings/backends/manta.mdx
@ -35,7 +35,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options are supported:

--- a/website/docs/language/settings/backends/oss.mdx
+++ b/website/docs/language/settings/backends/oss.mdx
@ -69,7 +69,9 @@ data "terraform_remote_state" "network" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options or environment variables are supported:

--- a/website/docs/language/settings/backends/pg.mdx
+++ b/website/docs/language/settings/backends/pg.mdx
@ -64,6 +64,8 @@ data "terraform_remote_state" "network" {

 ## Configuration Variables

+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.
+
 The following configuration options or environment variables are supported:

 - `conn_str` - (Required) Postgres connection string; a `postgres://` URL
--- a/website/docs/language/settings/backends/remote.mdx
+++ b/website/docs/language/settings/backends/remote.mdx
@ -173,7 +173,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options are supported:

--- a/website/docs/language/settings/backends/s3.mdx
+++ b/website/docs/language/settings/backends/s3.mdx
@ -142,6 +142,8 @@ This backend requires the configuration of the AWS Region and S3 state storage.

 ### Credentials and Shared Configuration

+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.
+
 The following configuration is required:

 * `region` - (Required) AWS Region of the S3 Bucket and DynamoDB Table (if used). This can also be sourced from the `AWS_DEFAULT_REGION` and `AWS_REGION` environment variables.
@ -411,7 +413,7 @@ to only a single state object within an S3 bucket is shown below:
 ```

 It is also possible to apply fine-grained access control to the DynamoDB
-table used for locking. When Terraform puts the state lock in place during `terraform plan`, it stores the full state file as a document and sets the s3 object key as the partition key for the document. After the state lock is released, Terraform places a digest of the updated state file in DynamoDB. The key is similar to the one for the original state file, but is suffixed with `-md5`. 
+table used for locking. When Terraform puts the state lock in place during `terraform plan`, it stores the full state file as a document and sets the s3 object key as the partition key for the document. After the state lock is released, Terraform places a digest of the updated state file in DynamoDB. The key is similar to the one for the original state file, but is suffixed with `-md5`.

 The example below shows a simple IAM policy that allows the backend operations role to perform these operations:

--- a/website/docs/language/settings/backends/swift.mdx
+++ b/website/docs/language/settings/backends/swift.mdx
@ -39,7 +39,9 @@ data "terraform_remote_state" "foo" {
 }
 ```

-## Configuration variables
+## Configuration Variables
+
+!> **Warning:**  We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both state and plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details.

 The following configuration options are supported: