Passwords/Sensitive data in TfState files

Hello, I am not sure if I can ask for help in this forum, but I have a question.

I have “password” as one of the variables that has to be passed to the terraform script

I tried passing this password in 3 ways

  1. terraform apply -var password=abc
  2. In terraform.auto.tfvars
  3. By passing it as env variable -> TF_VAR_Password=abc

But in all these 3 cases, it gets stored in the tfstate file. Is there a way I can - not set - the password or anyother field for that matter in the tfstate file??


I tried passing it as an env variable without the TF_VAR and then reading it in the custom provider via os.LookupENV… and this works!! It doesnt store the password. But is there a nicer way to avoid storing the value in tfstate file

I also know there is something called remote state. wherein it stores the details at a remote place like s3, vault, etc… But that will need another subscription to say aws, or hashicorp, etc. Is there a way you do it perhaps easily without registering or buying anything else?

Hi @adi658,

Whether a value is stored in the state depends on how it is used rather than how it is passed in to Terraform. Any value you use in the arguments inside a resource or data block, along with any values exported by the resource type or data source, will always be in the state, so that they can be used for planning on future runs.

There are some specific places you can use values where they will not appear in the state:

  • Inside provider blocks
  • Inside provisioner blocks within resource blocks
  • Inside connection blocks within resource or provisioner blocks

As long as you only use var.password in one of the above contexts, it will not appear in the state snapshot.


Terraform Cloud offers free remote state storage, which is one free option though it does still require you to create a Terraform Cloud account.

There are several remote backends that can be used with infrastructure you run yourself, such as http, consul, and pg. The http backend gives the most flexibility since you can implement a custom HTTP application that recieves and stores the state snapshots however you like, including using your own encryption keys for encryption at rest.

1 Like

@apparentlymart :slight_smile: :slight_smile:
Awesome :slight_smile: I am just a beginner in writing the custom providers.

Thanks a lot. Yep, I declared the username, password as env variables and set them in provider, and it did not store the details in the terraform.tfstate file


Just a couple of questions ->
I am manually declaring the env variables right now using this in the linux box
export username=abc
export password=abc

And then in the go code, I am reading it like this
username := os.Getenv(“username”)
password := os.Getenv(“password”)

Is there a better way than this to

  1. to set env variables?
  2. to read them

2nd question
I am not able to read these values defined in the provider using the
d.Get(“password”).(string)
The terraform crashes!. But it works if i pass them as normal parameters through the command line (-var) or through auto.tfvars

Am i missing something