Managing sensitive data
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing HashiCorp Certified: Terraform Associate premium course — no separate purchase.
14-day money-back guarantee — no questions asked.
Included in this chapter:
- Where secrets leak, and what each tool closes
- sensitive: redact output, not state
- Keep it out of state: ephemeral and write-only
- Sourcing secrets from Vault at runtime
- How this appears on the exam
Which exposure each mechanism closes
| Property | sensitive = true | Ephemeral / write-only | Vault provider (data source) |
|---|---|---|---|
| Hidden from CLI and UI output | Yes, value redacted | Yes, value never shown | No on its own; mark it sensitive |
| Kept out of state and plan files | No, stored in plaintext | Yes, never persisted | No; the read value lands in state |
| Secret lives outside the configuration | No, value still in config or vars | Only if an ephemeral resource generates it | Yes, fetched from Vault at runtime |
| Minimum Terraform version | Any version | v1.10 ephemeral, v1.11 write-only | Any (a provider feature) |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.