Skip to content

Generic Terraform Variable Secret

Service Name: Terraform

Service Description: Terraform is an infrastructure as code (IaC) tool that allows you to build, change, and version infrastructure safely and efficiently. This secret type refers to sensitive variables defined in Terraform configurations.

Service Address: https://www.terraform.io/

Validation Type: Unavailable

IP Allow list: Does not exist at the secret level. Access control is managed through the underlying infrastructure provider or through Terraform Cloud/Enterprise.

Secret Access Scope: Grants access to resources defined in Terraform configurations based on the variable's usage. The scope depends entirely on how the variable is used within the Terraform code.

Secret Revokement URL: Does not exist directly. Variables are managed within Terraform configuration files or through Terraform Cloud/Enterprise.

Secret Example: var.sensitive_api_token = "tfs_exampleL8nG5tr1ngT0k3nF0rT3rr4f0rm"

Suspicious Activity Investigation Instructions:

  • Review Terraform state files for unauthorized changes or access.

  • Check Terraform Cloud/Enterprise audit logs if applicable.

  • Examine infrastructure provider logs (AWS CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs, etc.) for suspicious resource modifications.

  • Verify Git repository history for unauthorized commits modifying Terraform variable files.

  • Review CI/CD pipeline logs for unauthorized Terraform plan or apply operations.

Mitigation Instructions:

  • Rotate the compromised variable value in all Terraform configurations.

  • Update the variable in any CI/CD systems or environment variables where it might be stored.

  • If using Terraform Cloud/Enterprise, update the variable in the workspace settings.

  • Consider moving sensitive variables to a secrets management solution like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.

  • Implement stronger access controls for Terraform state files.

  • Enable version control protection (branch protection rules) to prevent unauthorized changes to Terraform code.

  • Consider using Terraform's sensitive flag for variables containing secrets: variable "example" { type = string, sensitive = true }.