HashiCorp Certified: Terraform Associate — Question 326

Which of the following is the safest way to inject sensitive values into a Terraform Cloud workspace?

Answer options

• A. Write the value to a file and specify the file with the -var-file flag
• B. Set a value for the variable in the UI and check the "Sensitive" check box
• C. Edit the state file directly just before running terraform apply
• D. Set the variable value on the command line with the -var flag

Correct answer: B

Explanation

The correct answer is B because marking a variable as 'Sensitive' in the UI ensures that its value is encrypted and not displayed in logs. Option A may expose sensitive data if the file is not handled securely, option C is risky as directly editing the state file can lead to corruption, and option D does not provide any protection for sensitive values as they will be visible in command-line history.