website: Revise sensitive data in state page

Nick Fagerlund 2019-12-18 11:26:10 -08:00 committed by Nick Fagerlund
parent f1237f816c
commit c0176aeab3
1 changed file with 19 additions and 27 deletions


@ -8,41 +8,33 @@ description: |-
# Sensitive Data in State # Sensitive Data in State
Terraform state can contain sensitive data depending on the resources in-use Terraform state can contain sensitive data, depending on the resources in use
and your definition of "sensitive." The state contains resource IDs and all and your definition of "sensitive." The state contains resource IDs and all
resource attributes. For resources such as databases, this may contain initial resource attributes. For resources such as databases, this may contain initial
passwords. passwords.
When using local state, state is stored in plain-text JSON files. When When using local state, state is stored in plain-text JSON files.
using [remote state](/docs/state/remote.html), state is only ever held in memory when used by Terraform.
It may be encrypted at rest but this depends on the specific remote state
backend.
It is important to keep this in mind if you do (or plan to) store sensitive When using [remote state](/docs/state/remote.html), state is only ever held in
data (e.g. database passwords, user passwords, private keys) as it may affect memory when used by Terraform. It may be encrypted at rest, but this depends on
the risk of exposure of such sensitive data. the specific remote state backend.
## Recommendations ## Recommendations
Storing state remotely may provide you encryption at rest depending on the If you manage any sensitive data with Terraform (like database passwords, user
backend you choose. As of Terraform 0.9, Terraform will only hold the state passwords, or private keys), treat the state itself as sensitive data.
value in memory when remote state is in use. It is never explicitly persisted
to disk.
For example, encryption at rest can be enabled with the S3 backend and IAM Storing state remotely can provide better security. As of Terraform 0.9,
policies and logging can be used to identify any invalid access. Requests for Terraform does not persist state to the local disk when remote state is in use,
the state go over a TLS connection. and some backends can be configured to encrypt the state data at rest.
[Terraform Cloud](https://www.hashicorp.com/products/terraform/) is For example:
a commercial product from HashiCorp that also acts as a [backend](/docs/backends)
and provides encryption at rest for state. Terraform Cloud also knows
the identity of the user requesting state and maintains a history of state
changes. This can be used to provide access control and detect any breaches.
## Future Work - [Terraform Cloud](/docs/cloud/index.html) always encrypts state at rest and
protects it with TLS in transit. Terraform Cloud also knows the identity of
Long term, the Terraform project wants to further improve the ability to the user requesting state and maintains a history of state changes. This can
secure sensitive data. There are plans to provide a be used to control access and track activity. [Terraform Enterprise](/docs/enterprise/index.html)
generic mechanism for specific state attributes to be encrypted or even also supports detailed audit logging.
completely omitted from the state. These do not exist yet except on a - The S3 backend supports encryption at rest when the `encrypt` option is
resource-by-resource basis if documented. enabled. IAM policies and logging can be used to identify any invalid access.
Requests for the state go over a TLS connection.
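Review bot: the S3 bullet runs two different controls into one sentence ("IAM policies and logging can be used to identify any invalid access"); IAM policies restrict who can read the state object, while logging is what lets you identify invalid access, so consider splitting it, e.g. "IAM policies can restrict access to the state bucket, and access logging can be used to identify any invalid access." Also, removing the "## Future Work" section drops the only statement that state attributes cannot yet be encrypted or omitted individually except on a documented per-resource basis; if that is still the case, a one-line caveat under Recommendations would keep readers from assuming that encryption at rest on the backend is the complete answer, since the new text's own advice is to treat the whole state as sensitive.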