Why does the state file potentially contain sensitive values, and how do you protect it?
Infrastructure as Code (Terraform, Ansible) · Intermediate level
Answer
State can contain sensitive values because providers must record enough information to detect drift and update resources. Marking an output sensitive hides it from CLI display, but the raw state may still contain it. Protect state with encryption, access controls, versioning, audit logs, short-lived credentials, and minimal sharing.
Technical explanation
Encrypt state at rest and in transit, and enable object versioning for recovery.
Limit state read permissions because read can be as sensitive as write.
Scrub CI logs and artifacts so plans and outputs do not expose secret material.
Keep Terraform's ownership boundary clear: one state should own a resource or field, and other tools should consume published outputs instead of modifying it.
Use fmt, validate, linting, policy checks, plan review, and state locking before production applies.
Design for small blast radius by splitting state around lifecycle, permissions, and recovery boundaries.
Hands-on example
1. Harden secret handling around Terraform state: keep secret values out of variables, outputs, and the state file wherever possible.
2. Bad pattern: passing plaintext database passwords as Terraform variables and outputting them.
3. Better pattern: create or reference secret metadata and let runtime fetch the value:
```hcl
resource "aws_secretsmanager_secret" "db" {
  name = "prod/db/password"
}

# Application IAM can read this secret ARN; Terraform does not need to output the value.
output "db_secret_arn" {
  value = aws_secretsmanager_secret.db.arn
}
```
4. Mark any unavoidable sensitive input or output with sensitive = true, but still treat the state backend as secret storage.
5. Verify S3 state encryption, IAM read restrictions, audit logs, and CI log redaction.
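To make the point in step 4 concrete, here is an added Python example (not from the original page) that parses a constructed Terraform state (format version 4) and flags secret-looking values that sit in the file as plaintext, whether or not they are marked sensitive. The sample state, the ARN values and the key-name heuristic are all assumptions made for the example.

```python
import json
import re

# Constructed sample state (Terraform state format version 4), modelled on the
# "bad pattern" above: a plaintext DB password reaches a resource attribute and
# an output marked sensitive, yet the raw JSON keeps the value. The secret ARN
# from the "better pattern" is also present; it is only metadata, not a secret.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {
        "db_password": {"value": "example-plaintext-pw", "type": "string", "sensitive": True},
        "db_secret_arn": {"value": "arn:aws:secretsmanager:us-east-1:"
                                   "123456789012:secret:prod/db/password-AbCdEf",
                          "type": "string"},
    },
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{
             "attributes": {"id": "db-1", "engine": "postgres",
                            "password": "example-plaintext-pw"},
             "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
         }]},
        {"mode": "managed", "type": "aws_secretsmanager_secret", "name": "db",
         "instances": [{"attributes": {"name": "prod/db/password"}}]},
    ],
})

# Attribute/output names that usually hold secret *values*; ARNs, names and ids
# that merely point at a secret are deliberately not matched (heuristic, assumed).
SECRET_KEY_RE = re.compile(r"password|token|private_key|api_key|secret_string", re.I)


def find_plaintext_secrets(state_json: str) -> list[dict]:
    """Report outputs and resource attributes whose name looks secret and whose
    value is stored as a plaintext string. The 'sensitive' marking is recorded
    but never suppresses a finding: it changes CLI display, not stored bytes."""
    state = json.loads(state_json)
    findings = []
    for name, out in state.get("outputs", {}).items():
        if SECRET_KEY_RE.search(name) and isinstance(out.get("value"), str):
            findings.append({"where": f"output.{name}",
                             "marked_sensitive": bool(out.get("sensitive"))})
    for res in state.get("resources", []):
        for idx, inst in enumerate(res.get("instances", [])):
            marked = {path[-1]["value"] for path in inst.get("sensitive_attributes", [])
                      if path and path[-1].get("type") == "get_attr"}
            for key, val in inst.get("attributes", {}).items():
                if SECRET_KEY_RE.search(key) and isinstance(val, str) and val:
                    findings.append({"where": f"{res['type']}.{res['name']}[{idx}].{key}",
                                     "marked_sensitive": key in marked})
    return findings
```

Running it against a real `terraform state pull` dump (outside CI logs, from a locked-down workstation) shows which values still need to move to a secret store; the ARN output produces no finding because it carries no secret material.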