Question 16 - Terraform-Associate-003 Real Exam Questions [Jan 2026 Update]

Q: 16

[Read, Generate, and Modify Configurations] You're building a CI/CD (continuous integration/continuous delivery) pipeline and need to inject sensitive variables into your Terraform run. How can you do this safely?

Options

Correct Answer:

Explanation

In a CI/CD environment, sensitive data such as API keys, passwords, or certificates should never be stored in version control. The safest method among the choices is to inject these variables at runtime. The -var command-line flag allows you to pass a variable value directly to the terraform apply or terraform plan command. In a CI/CD pipeline, the value for this flag would be sourced from a secure secret store (e.g., HashiCorp Vault, AWS Secrets Manager, or the CI/CD platform's native secret management) and passed to the Terraform process, ensuring the secret is never hardcoded in the configuration files.

Why Incorrect

A. Copy the sensitive variables into your Terraform code

This is highly insecure as it hardcodes secrets into version-controlled files, exposing them to anyone with repository access.

B. Store the sensitive variables in a securevarS.tf file

A filename does not confer security. If this file is committed to the repository, it is just as insecure as hardcoding variables elsewhere.

C. Store the sensitive variables as plain text in a source code repository

This is a major security anti-pattern and directly contradicts the goal of handling sensitive variables safely.

References

1. HashiCorp Terraform Documentation

"Input Variables - Assigning Values to Root Module Variables": This page details the various methods for setting input variables. It lists command-line flags as a primary method: "To specify individual variables on the command line

use the -var option." This establishes -var as a standard mechanism for runtime injection.

Source: HashiCorp

"Input Variables"

Terraform Documentation

https://developer.hashicorp.com/terraform/language/values/variables#assigning-values-to-root-module-variables

Section: "On the Command Line".

2. HashiCorp Terraform Documentation

"Running Terraform in Automation": This guide provides best practices for using Terraform in CI/CD. It explicitly warns against storing secrets in version control and recommends injecting them at runtime. While it prefers environment variables (TFVAR...)

it acknowledges command-line flags as a valid method.

Source: HashiCorp

"Running Terraform in Automation"

Terraform Documentation

https://developer.hashicorp.com/terraform/cli/run/automation

Section: "Variable and Credential Management". The document states

"Do not save plain-text credentials in your VCS... You can set input variables from a file (-var-file) or the command line (-var)..." This directly contrasts the insecure methods (A

C) with the secure runtime injection method (D).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE