By NHI Mgmt Group Editorial TeamDomain: Workload IdentitySource: InfisicalPublished July 10, 2026

TL;DR: Terraform can keep secrets out of code, but ordinary data sources still write fetched values into state files, while sensitive=true only hides them from display, according to Infisical. Ephemeral resources, short-lived identity, and hardened backends become the real control stack when infrastructure as code handles credentials.


At a glance

What this is: This is a practical guide to Terraform secrets management, showing that state files still expose secrets unless teams use ephemeral reads, hardened backends, and short-lived identity.

Why it matters: It matters because Terraform often sits inside broader IAM and NHI workflows, so leaked state can turn infrastructure automation into a durable secrets exposure path for both machine and human-admin credentials.

👉 Read Infisical's guide to Terraform secrets management and state file exposure


Context

Terraform secrets management is not just about keeping passwords out of code. The core governance problem is that Terraform state is designed to remember what exists, and that memory can include secrets in plaintext unless the workflow is deliberately changed.

For identity and access teams, that means the issue spans NHI, IAM, and CI identity at once. Terraform can carry cloud credentials, database passwords, and provider secrets, so the control question is where those values live, how they move, and whether they survive into state, logs, or shared backends.


Key questions

Q: Why do Terraform state files matter for secrets management?

A: State files matter because they can preserve sensitive values after the apply run ends. If a secret is used to create a resource, it may be captured in persisted metadata, which means the state file becomes part of the secret exposure surface and must be protected like a credential repository.

Q: Why do data sources still create secrets risk in Terraform?

A: Data sources are read-only from Terraform's point of view, but the values they return are still written into state so future plans remain stable. That means a secret fetched from an external system can become a durable copy in state even when it never appears in code.

Q: What breaks when secrets are managed with sensitive=true alone?

A: Sensitive=true prevents accidental display in plans, outputs, and logs, but it does not encrypt state or stop Terraform from storing the underlying value. Teams that rely on it alone still end up with plaintext secrets in state files, remote backends, and local copies.

Q: Who is accountable when a managed Terraform platform exposes secrets or misapplies policy?

A: The vendor may operate the service, but the organisation remains accountable for policy intent, access boundaries, and exception handling. If the platform stores or executes secrets, teams still need ownership for approval rules, periodic review, and offboarding of access that is no longer needed.


Technical breakdown

Why Terraform state exposes secrets by design

Terraform state is a reconciliation record, not a secrecy boundary. It stores resource attributes so Terraform can calculate the next plan, which means any value passed into a resource, generated during apply, or returned by a data source can be written to state in plaintext. The sensitive flag changes display behaviour only. It does not change storage, retrieval, or the fact that remote backends and local files are both copies of the same underlying data.

Practical implication: treat state as a sensitive data store and reduce which secrets ever reach it.

Ephemeral resources and runtime secret retrieval

Ephemeral resources change the secret lifecycle by making values available during a run without persisting them to state or the plan file. That is the decisive distinction from ordinary data sources, which are read-time lookups but still materialise their values into state for future diffs. In practice, this means Terraform can consume a secret at apply time while the durable record keeps only the reference path or secret name, not the payload.

Practical implication: use ephemeral reads for values needed only during execution, and reserve data sources for non-secret references.

Why CI identity matters as much as secret storage

Terraform often fails at the provider-credential layer before it fails at the application-secret layer. Long-lived client secrets in CI create standing access with a large blast radius, while OIDC-based job identity removes the need to store a reusable secret in the pipeline. That shifts the trust model from a durable credential to a short-lived attestation bound to repository, branch, and job context. The result is not just cleaner automation but less standing privilege in the path that provisions everything else.

Practical implication: move CI authentication to short-lived identity and remove persistent provider secrets from build systems.


Threat narrative

Attacker objective: The attacker seeks reusable credentials and privileged infrastructure access by harvesting secrets from Terraform state and adjacent automation paths.

  1. Entry happens when Terraform configuration, variables, or provider authentication introduce a secret into the run path, whether through hardcoded values, data source reads, or CI environment variables.
  2. Escalation occurs when those values are written into state, copied into remote backends, or reused across pipelines, creating a durable secret exposure surface beyond the original workflow.
  3. Impact follows when state is read by a developer, attacker, artifact store, or compromised backend, allowing unauthorized access to cloud accounts, databases, or downstream automation.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

State-file secrecy is an assumption failure, not a display issue: Terraform secrets exposure persists because the platform assumes persistence is acceptable for reconciliation data. That assumption breaks when the stored object contains credentials, because state becomes a high-value secret repository rather than a configuration ledger. The implication is that teams must classify state as an identity-bearing asset, not just a deployment artifact.

Ephemeral secret handling creates a narrower identity boundary: The meaningful shift in this article is not that Terraform can now fetch secrets, but that some values can exist only during execution and never become durable records. That changes the governance model for NHI because the credential lifecycle now aligns with a single run, not with a long-lived file, which is closer to least exposure than traditional stateful workflows. Practitioners should treat this as a boundary change in how secrets are allowed to exist.

Continuous rotation without reference control still leaves latent exposure: Moving a secret into a manager helps only if the runtime path, state backend, and CI identity are all controlled together. Otherwise the secret moves from code to another persistence layer and the risk simply relocates. The operational lesson is that lifecycle control, state hardening, and short-lived identity must be managed as one governance chain.

Terraform secret management is really NHI lifecycle management: The article is about passwords and API keys, but the governance problem is service account and provider identity, plus the credentials those identities consume. That makes it a workload identity and access-lifecycle issue, not just a secrets tooling issue. Teams should align Terraform workflows with OWASP-NHI and NIST CSF expectations for access control, auditability, and removal of standing privilege.

Named concept, state persistence debt: Terraform creates state persistence debt when a secret must remain available to the automation but should not remain available to the record. That debt grows whenever teams use data sources or outputs to ferry sensitive values through a workflow that was designed to remember everything. The practical consequence is that secret management design has to be evaluated against the lifetime of the record, not only the lifetime of the run.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • That gap is why lifecycle and runtime controls need to be joined up. See Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for the governance model behind rotation and offboarding.

What this signals

State persistence debt: Terraform teams should now treat secret exposure in state as a lifecycle problem, not a code hygiene problem. Once a secret has been written into a plan, output, or backend, the programme owns a durable copy that can outlive the run, the repository, and sometimes the operator. That is exactly the kind of persistence lifecycle controls were meant to remove.

The practical shift is toward short-lived identity, ephemeral retrieval, and backend hardening as one control plane. For practitioners, that means aligning infrastructure automation with the same access governance expectations already applied to service accounts and other NHIs, rather than assuming IaC tools are automatically safe because they are declarative.

The current pattern also aligns with broader secrets-sprawl concerns documented in The 2024 State of Secrets Management Survey: distribution, not just exposure, determines recovery time. Teams that can see where secrets move are better positioned to reduce blast radius before a leaked value becomes a wide access event.


For practitioners

  • Classify Terraform state as a secret-bearing asset Inventory every backend, local file, artifact store, and developer workstation that can read .tfstate. Treat those locations as protected data stores, not neutral build outputs.
  • Replace stateful secret reads with ephemeral retrieval Use ephemeral resources for values that only need to exist during plan or apply, and reserve data sources for non-secret metadata and lookup paths.
  • Remove standing CI credentials from Terraform pipelines Use short-lived OIDC-based identity for pipeline authentication so jobs do not depend on reusable client secrets or exported cloud keys.
  • Harden remote state backends before scaling automation Enable encryption, versioning, locking, and least-privilege access on the backend that stores state, because state will still contain some sensitive data in real environments.
  • Pass references, not payloads, into modules Give modules secret names, paths, or workspace identifiers instead of raw secret values, so module reuse does not multiply credential copies across code and state.

Key takeaways

  • Terraform can hide secrets from the screen while still writing them to state, which is why display controls are not enough.
  • Ephemeral resources, short-lived CI identity, and hardened backends are the controls that change the risk profile, not sensitive flags alone.
  • Terraform secrets management is really NHI lifecycle governance because the highest-risk objects are the credentials and state copies that survive the run.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Terraform state leakage maps to secret handling and overexposed credentials.
NIST CSF 2.0PR.AC-4Terraform provider and state access need least-privilege controls.
NIST SP 800-53 Rev 5IA-5The article centers on credential lifecycle and authenticator management.
NIST Zero Trust (SP 800-207)3.1Short-lived identity and continuous verification fit zero trust access to automation.
CIS Controls v8CIS-5 , Account ManagementTerraform automation depends on machine accounts and their lifecycle.

Treat every Terraform secret flow as an NHI lifecycle control and remove persistent credential storage.


Key terms

  • Terraform State: Terraform state is the record that links declared infrastructure code to the live resources actually running in the cloud. It is the mechanism that makes reconciliation, drift detection, and controlled change possible, and it becomes critical when existing resources are imported rather than recreated.
  • Ephemeral Resource: A cloud resource that exists briefly and may be created, changed, and deleted within a short operational window. These resources are common in serverless, autoscaling, and automation-heavy environments, and they challenge inventory, tagging, and compliance processes that assume longer-lived assets.
  • Sensitive value: A sensitive value is a Terraform marking that redacts display in plans, outputs, and logs. It does not encrypt the underlying data, prevent state storage, or change who can retrieve the value from backend copies, so it is useful hygiene but not a storage control.
  • Short-Lived Identity: A short-lived identity is a credential or identity assertion that exists only for a narrow task window and is automatically revoked or expires afterward. In NHI governance, it reduces standing privilege and limits the time available for misuse, while improving control over distributed access patterns.

What's in the full article

Infisical's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step Terraform examples for moving from hardcoded secrets to runtime secret retrieval.
  • The exact behaviour of sensitive values, data sources, and ephemeral resources in state and plan files.
  • Practical backend hardening guidance for remote state storage, locking, and encryption.
  • Pipeline examples showing OIDC-based identity for Terraform and adjacent cloud access.

👉 Infisical's full post shows the Terraform examples, state file behaviour, and backend hardening details.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org