GEN003 - Potentially sensitive data stored in block attribute.


Sensitive attributes such as passwords and API tokens should not be available in your templates, especially in a plaintext form. You can declare variables to hold the secrets, assuming you can provide values for those variables in a secure fashion. Alternatively, you can store these secrets in a secure secret store, such as AWS KMS.

NOTE: It is also recommended to store your Terraform state in an encrypted form.

Insecure Example

The following example will fail the GEN003 check.

resource "evil_corp" "bad_example" {
  root_password = "p4ssw0rd"
}

Secure Example

The following example will pass the GEN003 check.

variable "password" {
  description = "The root password for our VM"
  type        = string
}

resource "evil_corp" "good_example" {
  root_password = var.password
}
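
Supplying the Secret

The two options from the introduction, shown as an added example that is not part of the original tfsec documentation. It reuses the page's fictional "evil_corp" resource and assumes the AWS provider is configured; the ciphertext payload is a placeholder.

```hcl
# Option 1: a variable with no default, marked sensitive (Terraform 0.14+)
# so its value is redacted in plan and apply output. Supply the value at
# run time, for example through the TF_VAR_password environment variable
# set by your CI system's secret store, never through a committed .tfvars file.
variable "password" {
  description = "The root password for our VM"
  type        = string
  sensitive   = true
}

resource "evil_corp" "from_variable" {
  root_password = var.password
}

# Option 2: keep only KMS-encrypted ciphertext in the template and let the
# AWS provider's aws_kms_secrets data source decrypt it during the run.
data "aws_kms_secrets" "vm" {
  secret {
    name    = "root_password"
    payload = "<BASE64_KMS_CIPHERTEXT_PLACEHOLDER>" # placeholder, not real ciphertext
  }
}

resource "evil_corp" "from_kms" {
  root_password = data.aws_kms_secrets.vm.plaintext["root_password"]
}
```

With either option the resolved value is still written to the Terraform state, which is why the note about encrypting state applies.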