
Storing sensitive values in state files

Mar 14, 2026

Problem

#309 was the first change in Terraform that I could find that moved to store sensitive values in state files, in this case the `password` value for Amazon RDS. This was a bit of a surprise for me, as previously I've been sharing our state files publicly. I can't do that now, and feel pretty nervous about the idea of storing state files in version control at all (and definitely can't put them on GitHub or anything). If Terraform is going to store secrets, then some sort of field-level encryption should be built in as well. In the meantime, I'm going to change things around to use https://github.com/AGWA/git-crypt on sensitive files in my repos.


Solution: Storing sensitive values in state files


I just want to point out that, according to official documentation, storing the state file in version control is a best practice: https://www.terraform.io/intro/getting-started/build.html

> Terraform also put some state into the terraform.tfstate file by default. This state file is extremely important; it maps various resource metadata to actual resource IDs so that Terraform knows what it is managing. This file must be saved and distributed to anyone who might run Terraform. We recommend simply putting it into version control, since it generally isn't too large.

Which means we really shouldn't have to worry about secrets popping up in there...

Validation

Resolved in hashicorp/terraform GitHub issue #516. Community reactions: 84 upvotes.
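
A check for the concern raised in this thread, as an added example that is not part of the original issue or Terraform's own code: it walks a state file's JSON, reports the path of every secret-looking string attribute, and redacts it in place. The key-name pattern, the `redact` helper and the sample state are assumptions constructed for illustration.

```python
import json
import re
import sys

# Assumption: key names that usually hold secrets; extend for your providers.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|private_key", re.I)

# Constructed, simplified state for illustration; the password is made up.
SAMPLE_STATE = """
{
  "version": 4,
  "resources": [{
    "type": "aws_db_instance",
    "name": "main",
    "instances": [{"attributes": {
      "username": "admin",
      "password": "constructed-example-pw",
      "port": 3306,
      "kms_key_id": null
    }}]
  }]
}
"""

def redact(node, path="", hits=None):
    """Replace secret-looking string values in place; return their JSON paths."""
    hits = [] if hits is None else hits
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and value and SENSITIVE_KEY.search(key):
                node[key] = "<redacted>"
                hits.append(child)
            else:
                redact(value, child, hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            redact(item, f"{path}[{i}]", hits)
    return hits

if __name__ == "__main__":
    # Usage: pass a state file path; with no argument the sample is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    hits = redact(json.loads(text))
    for hit in hits:
        print("secret-like value at", hit)  # report the path, never the value
    sys.exit(1 if hits else 0)  # non-zero exit lets a pre-commit hook block
```

The redacted copy is for sharing or review only; Terraform still needs the original state, which is what the encryption discussed above would protect.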

Verification Summary

Worked: 9
Partial: 1
Failed: 1
Last verified Mar 14, 2026


Submitted by

Alex Chen

Tags

terraform, iac, aws, enhancement, core, thinking