When it comes to handling secret values with Terraform, there are a few recommendations you should follow:
- Do not store plain-text secrets in your codebase; use a Secret Management Tool instead
- Protect your Terraform state with encryption and the least-privilege principle
The very first thing to do is to protect your Terraform state.
Keep in mind that the Terraform state is a sensitive file. It contains all the information about your infrastructure, including the values returned by data sources. It is good practice to store it in a secure place: use a private backend storage whose access is limited to only the people and services that need it (e.g. Terraform Cloud, Terraform Enterprise, S3, GCS, etc.).
You should also enable encryption on your backend storage, since most backends support it.
If your backend storage does not support encryption, consider using a third-party encryption tool such as sops, or a Secret Management Tool (cf. below for explanations).
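As an added example (not code from the original post), here is what an encrypted, access-restricted S3 backend looks like in practice. The bucket and table names, the region and the KMS alias are placeholders. The bucket itself is normally created by a separate bootstrap configuration before any state is written to it, which is why the backend block and the bucket resources are shown together but would live in different root modules.

```hcl
# --- Root module that stores its state remotely (added example, not from the post) ---
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket"        # placeholder bucket name
    key            = "prod/network/terraform.tfstate"
    region         = "eu-west-1"                     # placeholder region
    encrypt        = true                            # server-side encryption of the state object
    kms_key_id     = "alias/tfstate"                 # placeholder CMK alias; omit to fall back to SSE-S3
    dynamodb_table = "example-tfstate-locks"         # placeholder lock table, prevents concurrent writes
  }
}

# --- Bootstrap module that creates the state bucket (added example, not from the post) ---
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-tfstate-bucket"                  # must match the backend block above
}

# Block every form of public access to the bucket; only explicit IAM grants remain.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encrypt every object at rest with the same CMK the backend references.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = "alias/tfstate"            # placeholder CMK alias
    }
  }
}

# Versioning lets you recover a previous state after a bad apply or accidental overwrite.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}
```

Least privilege then comes from the IAM side: only the CI role and the few operators who run `terraform apply` should hold `s3:GetObject`/`s3:PutObject` on that key and `kms:Decrypt` on the CMK, and nobody else should be able to read the bucket at all.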
Use a random_password resource
This resource looks like random_string, but the difference is that its result is treated as sensitive and will not be displayed in the console output.
```hcl
resource "random_password" "password" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "aws_db_instance" "example" {
  instance_class    = "db.t3.micro"
  allocated_storage = 64
  engine            = "mysql"
  username          = "someone"
  password          = random_password.password.result # sensitive: redacted in plan/apply output
}
```

You can store your secrets' values in a Secret Management Tool (e.g. AWS Secrets Manager, HashiCorp Vault, etc.) and then use a data resource to retrieve them.
As already mentioned, the data source's value is treated as sensitive and will not be displayed in the console output, BUT it will still be present in your state file.
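Added example (not code from the original post) of the Secrets Manager pattern described above: the database credentials are read from an existing secret at plan time, so nothing secret is committed to the repository. The secret name `prod/db/credentials` and its JSON layout (`username`/`password` keys) are assumptions.

```hcl
# Read the current version of an existing secret (name is a placeholder).
data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/db/credentials"
}

locals {
  # secret_string is a sensitive attribute; jsondecode() propagates that
  # sensitivity to every value it returns, so nothing below leaks into plan output.
  db_creds = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)
}

resource "aws_db_instance" "example" {
  instance_class    = "db.t3.micro"
  allocated_storage = 64
  engine            = "mysql"
  username          = local.db_creds["username"]
  password          = local.db_creds["password"]
}

# Alternative for values injected by CI instead of fetched by Terraform:
# a sensitive variable is redacted from plan/apply output in the same way.
variable "db_password_override" {
  type      = string
  sensitive = true
  default   = null
}

# Any output derived from a sensitive value must itself be marked sensitive,
# otherwise terraform plan/apply refuses to run.
output "db_username" {
  value     = local.db_creds["username"]
  sensitive = true
}
```

Whichever of the two sources you pick, the resolved username and password end up in `terraform.tfstate` in clear text, which is exactly why the state protection from the first section is not optional: a reader of the state bucket can recover every secret that passed through the configuration.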