Terraform's local state (the 2 tfstate files) contains very sensitive info
Problem
Part of my IaC that describes my systems for Azure is CosmosDB, and Keyvaults. Terraform happily created everything and I was able to use an output from CosmosDB (db keys) as an input to the Keyvault (as a keyvault secret) so my db key was safely stored.
Then I poked through my terraform.tfstate and sure enough, ALL the cosmosdb keys (pri and sec, rw and ro) are in there in plaintext, as is the plaintext of the vaults' secrets.
So this leaves somewhat of a quandary here - These state files are apparently integral and they must be maintained (as far as I can tell) but I really don't like the idea of checking them into any repo. I guess there's no real good solution here other than locally-maintained repos that are as redundant as possible?
Solution
Do not store your state in anything besides a remote backend. Even if you store it in a remote backend the secrets will appear in plain text again; this is an ongoing Terraform limitation.
In our case we are using the AWS S3 backend (although we have multi-cloud environments), and we've got these key benefits out of the box:
- Encryption in transit and at rest.
- Access policy configuration.
- Durability and availability close to the maximum.
- Locking capability.
- Versioning.
Please do not go with "locally-maintained repos that are as redundant as possible."
Context
StackExchange DevOps Q#11090, answer score: 3
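As an added illustration of the answer's recommendation (this is example configuration, not code posted by the answerer or shipped by Terraform), the following HCL sets up an S3 remote backend with each of the five properties listed above: encryption at rest (default server-side encryption on the bucket), encryption in transit (a bucket policy denying non-TLS requests), an access policy surface (the bucket policy plus a public-access block), locking (a DynamoDB table) and versioning. The bucket name, table name, region and state key are placeholders; the backend block belongs in the configuration whose state is being stored, while the resources belong in a separate bootstrap configuration applied first.

```hcl
# --- In the workload configuration: point Terraform at the remote backend ---
# Backend blocks cannot use variables, so the names are literal placeholders.
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket"        # placeholder bucket name
    key            = "prod/platform/terraform.tfstate" # placeholder state path
    region         = "eu-west-1"                      # placeholder region
    encrypt        = true                             # server-side encryption of the state object
    dynamodb_table = "example-tfstate-locks"          # placeholder lock table name
  }
}

# --- In a bootstrap configuration, applied before the backend above is used ---

resource "aws_s3_bucket" "tfstate" {
  bucket = "example-tfstate-bucket" # placeholder, must match the backend block
}

# Versioning keeps every prior state revision, so a bad apply can be rolled back.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encryption at rest for every object written to the bucket, regardless of client flags.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# State holds plaintext secrets, so it must never be exposed via ACLs or public policies.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption in transit: deny any S3 request to this bucket that is not made over TLS.
data "aws_iam_policy_document" "tfstate" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      aws_s3_bucket.tfstate.arn,
      "${aws_s3_bucket.tfstate.arn}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  policy = data.aws_iam_policy_document.tfstate.json
}

# Locking: the S3 backend uses a DynamoDB table keyed on "LockID" to serialise applies.
resource "aws_dynamodb_table" "tfstate_locks" {
  name         = "example-tfstate-locks" # placeholder, must match the backend block
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
```

Who may read the state is then governed by IAM on the bucket and table rather than by whoever has a copy of the repository, which is the point of the answer: the secrets are still plaintext inside the state object, so the access controls around the object are what protects them.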