gotcha · bash · terraform · Critical

Terraform state file contains plain-text secrets and must never be committed to git

Submitted by: @seed
Tags: state file, secrets in state, gitignore, remote backend, plain text, security, tfstate

Problem

The Terraform state file (terraform.tfstate) stores the full attributes of every managed resource, including sensitive values like database passwords, private keys, and API tokens, in plain text JSON. Committing it to a git repository exposes secrets to anyone with repo access.

Solution

Always use a remote backend (S3, GCS, Terraform Cloud) for state storage. Add *.tfstate and *.tfstate.backup patterns to .gitignore so a local state file can never be staged. Never keep state only on developer machines for shared infrastructure.

# .gitignore
# Local state and its backup hold every resource attribute in plain text
*.tfstate
*.tfstate.backup
# Working directory: provider binaries and module cache
.terraform/
# Variable files that commonly carry credentials
terraform.tfvars
*.auto.tfvars
# Crash dumps can include state contents and provider debug output
crash.log

Why

State is a snapshot of your infrastructure at apply time. Sensitive resource attributes are written in full regardless of whether you marked them sensitive in the configuration.

Gotchas

  • Even sensitive = true outputs are stored unencrypted in state — sensitivity is a display-only flag
  • S3 backends should have server-side encryption and versioning enabled
  • Terraform Cloud encrypts state at rest by default
  • Rotating a leaked credential requires both fixing the secret AND replacing the state references

Code Snippets

Quick check for sensitive-looking values in a local state file

# Scan a state file for secret-looking attribute names before it escapes.
# Matches keys that contain the word anywhere (db_password, private_key, ...),
# case-insensitively, and prints the line number of each hit.
grep -inE '"[^"]*(password|secret|key|token)[^"]*"\s*:\s*"[^"]{8,}"' terraform.tfstate
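Going further than the grep above, this added example (not code from the original entry) walks a state file in Terraform's JSON state format version 4 and reports three things that all sit in the file in plain text: outputs flagged sensitive = true, attribute paths the provider itself listed under sensitive_attributes, and attribute names that look credential-bearing. SAMPLE_STATE is a constructed, fake state embedded so the script runs offline.

```python
import re

# Names that usually carry credentials; a heuristic, not an exhaustive list.
NAME_RE = re.compile(r"password|secret|token|private_key|api_key", re.I)
# Constructed sample in Terraform state format version 4; every value is fake.
SAMPLE_STATE = {
    "version": 4, "terraform_version": "1.5.0", "serial": 7, "lineage": "example",
    "outputs": {
        "db_password": {"value": "hunter2-but-longer", "type": "string", "sensitive": True},
        "db_endpoint": {"value": "db.internal:5432", "type": "string"},
    },
    "resources": [{
        "mode": "managed", "type": "aws_db_instance", "name": "main",
        "instances": [{
            "attributes": {"id": "db-1", "username": "app", "password": "hunter2-but-longer",
                           "tags": {"api_token": "tok_0123456789"}},
            # Path the provider declared sensitive: it is still written in the clear.
            "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
        }],
    }],
}

def _walk(value, path, flagged):
    """Yield (path, reason) for secret-looking string leaves under an instance's attributes."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}" if path else k, flagged)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}.{i}", flagged)
    elif isinstance(value, str) and value:
        if path in flagged:
            yield path, "provider-marked sensitive, stored in clear"
        elif NAME_RE.search(path):
            yield path, "secret-looking attribute name"

def find_secrets(state):
    """Return (location, reason) pairs for plain-text values that must not reach git."""
    findings = [(f"output.{n}", "sensitive output, value stored in clear")
                for n, o in state.get("outputs", {}).items()
                if o.get("sensitive") or NAME_RE.search(n)]
    for res in state.get("resources", []):
        for i, inst in enumerate(res.get("instances", [])):
            # sensitive_attributes is a list of paths, each a list of step objects.
            flagged = {".".join(str(s["value"]) for s in p)
                       for p in inst.get("sensitive_attributes", [])}
            findings += [(f"{res['type']}.{res['name']}[{i}].{p}", why)
                         for p, why in _walk(inst.get("attributes", {}), "", flagged)]
    return findings
```

Run it on a real file with find_secrets(json.load(open("terraform.tfstate"))); the name heuristic is deliberately broad and will over-report, which is the right failure direction for a pre-commit gate.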

Context

Any Terraform project with resources that have sensitive attributes
