Interview Infrastructure as Code (Terraform, Ansible)

Why does the state file potentially contain sensitive values, and how do you protect it?

Infrastructure as Code (Terraform, Ansible) · Intermediate level

Answer

State can contain sensitive values because providers must record enough information to detect drift and update resources. Marking an output sensitive hides it from CLI display, but the raw state may still contain it. Protect state with encryption, access controls, versioning, audit logs, short-lived credentials, and minimal sharing.

Technical explanation

Encrypt state at rest and in transit, and enable object versioning for recovery.

Limit state read permissions because read can be as sensitive as write.

Scrub CI logs and artifacts so plans and outputs do not expose secret material.

Keep Terraform's ownership boundary clear: one state should own a resource or field, and other tools should consume published outputs instead of modifying it.

Run terraform fmt and terraform validate, linting, policy checks, and plan review, and enable state locking before production applies.

Design for small blast radius by splitting state around lifecycle, permissions, and recovery boundaries.

Hands-on example

1. Harden secret handling so that the state file holds as little sensitive material as possible.

2. Bad pattern: passing plaintext database passwords as Terraform variables and outputting them.

3. Better pattern: create or reference the secret's metadata in Terraform and let the application fetch the value at runtime:

   resource "aws_secretsmanager_secret" "db" {
     name = "prod/db/password"
   }

   # The application's IAM role can read this secret by ARN;
   # Terraform does not need to output the value.
   output "db_secret_arn" {
     value = aws_secretsmanager_secret.db.arn
   }

4. Mark any unavoidable sensitive input or output with sensitive = true, which suppresses CLI display, but still treat the state backend as secret storage because the value is written to state in plaintext.

5. Verify S3 state encryption, IAM read restrictions, audit logs, and CI log redaction.
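As an added check for the verification step above, and to make the answer's point about sensitive = true concrete, here is a small scanner (example code written for this page, not part of Terraform or any project) that walks a constructed version-4 state document and reports every plaintext secret-looking value together with whether Terraform had flagged it sensitive. The sample state JSON, the resource names and the key-name patterns are constructed assumptions, not real data.

```python
import json
import re

# Constructed, minimal terraform.tfstate (format version 4) used only as sample input;
# every value is made up and nothing here is a real credential or AWS account.
SAMPLE_STATE = json.dumps({
    "outputs": {
        # sensitive = true on the output is stored as a flag; the plaintext value stays.
        "db_password": {"value": "example-not-a-real-password", "sensitive": True},
        "db_secret_arn": {"value": "arn:aws:secretsmanager:us-east-1:000000000000:secret:prod/db/password-EXAMPLE"},
    },
    "resources": [
        {"type": "aws_db_instance", "name": "main", "instances": [{"attributes": {
            "id": "db-example", "username": "app", "password": "example-not-a-real-password"}}]},
        {"type": "aws_secretsmanager_secret", "name": "db",
         "instances": [{"attributes": {"name": "prod/db/password"}}]},
    ],
})

# Key names that usually hold secret material; narrower than a bare "secret" so that
# metadata such as db_secret_arn (a reference to the secret, not the secret) is not flagged.
SENSITIVE_KEY = re.compile(r"password|passwd|token|private_key|secret_string|secret_key|client_secret", re.I)


def _leaves(node, path):
    """Yield (dotted_path, value) for every scalar inside nested attribute maps and lists."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _leaves(val, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from _leaves(val, f"{path}[{idx}]")
    else:
        yield path, node


def find_sensitive(state_json: str) -> list[dict]:
    """List plaintext secret-looking values in a v4 state document and whether each was
    flagged sensitive: the flag masks CLI display, it does not redact what is stored."""
    state = json.loads(state_json)
    findings = []
    for name, out in state.get("outputs", {}).items():
        marked = bool(out.get("sensitive"))
        if marked or SENSITIVE_KEY.search(name):
            findings.append({"where": f"outputs.{name}", "marked_sensitive": marked,
                             "plaintext": out.get("value") not in (None, "")})
    for res in state.get("resources", []):
        addr = f"{res['type']}.{res['name']}"
        for idx, inst in enumerate(res.get("instances", [])):
            for path, val in _leaves(inst.get("attributes", {}), f"{addr}[{idx}]"):
                if SENSITIVE_KEY.search(path.rsplit(".", 1)[-1]) and isinstance(val, str) and val:
                    findings.append({"where": path, "marked_sensitive": False, "plaintext": True})
    return findings
```

Run against a real state pulled with terraform state pull, the same walk shows which outputs and provider attributes would leak if the backend bucket or its logs were readable.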
