Explanation
Sensitive attributes such as passwords and API tokens should not be available in your templates, especially in a plaintext form. You can declare variables to hold the secrets, assuming you can provide values for those variables in a secure fashion. Alternatively, you can store these secrets in a secure secret store, such as AWS KMS.
NOTE: It is also recommended to store your Terraform state in an encrypted form.
Insecure Example
The following example will fail the GEN002 check.
locals {
password = "p4ssw0rd"
}
resource "evil_corp" "bad_example" {
root_password = local.password
}Secure Example
The following example will pass the GEN002 check.
variable "password" {
description = "The root password for our VM"
type = string
}
resource "evil_corp" "good_example" {
root_password = var.password
}