Many developers (myself included) assume terraform.tfvars is a secure place to store secrets.
Some even think: "Just add it to .gitignore and you’re safe."
But here’s the truth:
.tfvars is just a plain input file: no encryption, no protection, no magic.
.tfvars is not secure
| Myth | Reality |
|---|---|
| It's a secret file | ❌ It's plaintext |
| It's safe if added to .gitignore | ❌ It still sits unencrypted on disk, and any value Terraform uses ends up in the state file |
| It's okay for passwords | ❌ Only if leaking them is okay |
What is it actually for?
Convenience.
It lets you pass variables without typing long -var flags every time.
Great for dev/test settings like regions and instance counts, but never meant for storing secrets. For credentials, declare the variable with sensitive = true and supply the value at apply time from the environment (TF_VAR_<name>) or a secrets manager; note that sensitive = true only redacts plan and apply output, the value still lands in the state file, so protect the state backend as well.
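The ".gitignore is enough" myth fails because the file still exists on disk and gets copied around. A cheap guard is a pre-commit check that refuses to commit a .tfvars file containing a credential-looking assignment. The script below is an added example (not code from the original post); the secret-name patterns and the sample file content are my own constructed choices, and it parses only the flat `name = value` form that .tfvars files use, skipping maps, lists and heredocs rather than parsing them.

```python
"""Flag secret-looking assignments in .tfvars files (pre-commit style check).

Added example, not part of the original post. Handles top-level
`name = value` lines (strings, numbers, booleans, `#` / `//` comments);
maps, lists and heredocs are skipped, not parsed.
"""
import re
import sys
from pathlib import Path

# Variable names that usually carry credentials (a heuristic list I chose).
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api_?key|access_?key|private_?key|credential)",
    re.IGNORECASE,
)
# Well-known value shape: AWS access key IDs are "AKIA" + 16 uppercase/digits.
AWS_ACCESS_KEY_RE = re.compile(r"^AKIA[0-9A-Z]{16}$")
# `name = value` at top level; the value part is examined separately.
ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(.+?)\s*$")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_tfvars(text: str) -> dict:
    """Return {name: raw_value} for top-level scalar assignments."""
    result = {}
    depth = 0        # brace depth inside a map value
    heredoc = None   # terminator of a heredoc we are skipping
    for line in text.splitlines():
        stripped = line.strip()
        if heredoc is not None:
            if stripped == heredoc:
                heredoc = None
            continue
        if not stripped or stripped.startswith(("#", "//")):
            continue
        if depth > 0:  # inside a map literal: only track braces
            depth += stripped.count("{") - stripped.count("}")
            continue
        m = ASSIGN_RE.match(stripped)
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith("<<"):           # <<EOF or <<-EOF
            heredoc = raw.lstrip("<-").strip()
            continue
        if raw.startswith(("{", "[")):     # map or list: skip the whole value
            depth += raw.count("{") - raw.count("}")
            continue
        if raw.startswith('"'):
            q = QUOTED_RE.match(raw)
            if not q:
                continue
            value = q.group(1)
        else:                              # number / bool; drop trailing comment
            value = re.split(r"\s|#", raw, maxsplit=1)[0]
        result[key] = value
    return result


def find_secrets(text: str) -> list:
    """Return (name, reason) pairs for assignments that look like credentials."""
    findings = []
    for key, value in parse_tfvars(text).items():
        if value == "" or value.lower() in ("null", "true", "false"):
            continue  # nothing to leak
        if SECRET_KEY_RE.search(key):
            findings.append((key, "secret-like variable name with a literal value"))
        elif AWS_ACCESS_KEY_RE.match(value):
            findings.append((key, "value looks like an AWS access key ID"))
    return findings


def check_file(path: str) -> list:
    """Scan one file; returns the findings so a hook can decide to fail."""
    return find_secrets(Path(path).read_text())


# Constructed sample .tfvars content (not a real file) used for the demo below.
SAMPLE_TFVARS = """
# region and sizing are fine here
region          = "us-east-1"
instance_count  = 3
enable_logging  = true
db_password     = "hunter2"               # plaintext credential
ci_access_id    = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented example key ID
api_token       = ""                      # empty, nothing leaked
tags = {
  env = "dev"
}
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    bad = False
    if not paths:  # no files given: demonstrate on the embedded sample
        for name, reason in find_secrets(SAMPLE_TFVARS):
            print(f"sample: {name}: {reason}")
    for p in paths:
        for name, reason in check_file(p):
            print(f"{p}: {name}: {reason}")
            bad = True
    sys.exit(1 if bad else 0)
```

Wire it up as a pre-commit hook over `*.tfvars` and it exits non-zero whenever a credential-looking value is about to be committed. It is a name and shape heuristic, not a parser for full HCL, so treat a clean run as a smoke test rather than proof.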
Bottom line:
.tfvars is useful, just don't treat it like a vault.