Subscribe to the Non-Human & AI Identity Journal
Home FAQ Architecture & Implementation Patterns How should teams keep OpenTofu secrets out of…
Architecture & Implementation Patterns

How should teams keep OpenTofu secrets out of state files?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 8, 2026 Domain: Architecture & Implementation Patterns

Use runtime secret retrieval patterns that fetch values only during execution, then discard them before the run completes. Ephemeral resources are the strongest option because they avoid persisting sensitive values in state, while state encryption should remain a secondary safeguard rather than the primary control.

Why This Matters for Security Teams

OpenTofu state files are not just deployment metadata. They often become an accidental vault for API keys, tokens, and service credentials when modules or providers resolve sensitive values too early. Once a secret lands in state, it can be copied into backups, shared across CI systems, or exposed to anyone with read access to the backend. That is why state encryption is helpful but not sufficient.

The stronger control is to avoid persistence altogether by retrieving secrets at runtime and discarding them before the run ends. This aligns with the guidance in the OWASP Non-Human Identity Top 10, which treats machine credentials as high-value targets that should be tightly scoped and short-lived. It also reflects the operational reality documented in the State of Secrets Sprawl 2026, where secrets leakage is no longer confined to source code and often spreads into build and automation systems.

Teams usually get this wrong by assuming encrypted state is equivalent to safe state. In practice, many security teams encounter secret exposure only after a backend snapshot, a plan artifact, or a CI log has already been copied outside the intended trust boundary, rather than through intentional review.

How It Works in Practice

The safest pattern is to design OpenTofu workflows so that secrets are fetched only when needed, used in memory, and never written into attributes that the provider persists. That usually means preferring runtime secret retrieval from a dedicated secret manager, passing ephemeral values into provisioning steps, and avoiding data sources or outputs that echo credentials back into state. For sensitive integrations, current guidance suggests using ephemeral resources or short-lived credentials over static variables whenever the provider supports that model.

In practical terms, teams should separate identity, retrieval, and application:

  • Use workload identity or short-lived federation to authenticate the OpenTofu runner to the secret source.
  • Fetch the secret at execution time, not during code rendering or plan generation.
  • Inject the secret only into the step that requires it, then clear it before the run completes.
  • Avoid persisting secret-bearing attributes in outputs, locals, or state-backed metadata.
  • Treat state encryption as a defense in depth control, not the primary secret-handling mechanism.

This approach is reinforced by NHIMG research on the Guide to the Secret Sprawl Challenge, which shows how easily secrets spread once they are reused across automation layers. It also maps cleanly to the Ultimate Guide to NHIs, where static secrets are contrasted with dynamic secrets that reduce dwell time and exposure. For teams operationalising this in infrastructure code, the lesson is simple: the fewer places a credential exists, the less there is to protect, rotate, and audit.

These controls tend to break down when a provider only accepts a credential as a plain-text argument and then stores it back into state or when a module is built to output the secret for downstream reuse.

Common Variations and Edge Cases

Tighter secret handling often increases implementation complexity, requiring organisations to balance runtime safety against module simplicity and developer ergonomics. That tradeoff matters because not every OpenTofu provider supports ephemeral patterns equally well, and there is no universal standard for secret suppression in state across the ecosystem yet.

One common edge case is legacy modules that were designed to manage both infrastructure and credentials in the same workflow. In those environments, teams may need to refactor the module so it consumes a reference to a secret rather than the secret itself. Another edge case is remote state sharing across multiple pipelines: even if the backend is encrypted, broad read permissions can still expose sensitive values to operators, automation, and support processes. The safer approach is to minimise what enters state in the first place and restrict backend access separately.

Teams should also be careful with plan files, logs, and drift tooling. A secret removed from state can still leak through debugging output or cached artifacts if the pipeline is not configured to suppress sensitive values end to end. Current best practice is evolving toward short-lived credentials, strict output hygiene, and explicit destroy-time cleanup, especially in CI/CD environments where artifacts are retained longer than the deployment itself. The need for that discipline is consistent with NHIMG’s CI/CD pipeline exploitation case study, which shows how automation layers often become the real exposure point.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Covers secret lifecycle risk when credentials persist in automation state.
NIST CSF 2.0PR.AA-01Supports strong identity and access handling for secret retrieval paths.
NIST AI RMFRuntime secret control supports governance of automated, context-driven systems.

Treat secret exposure as an AI and automation risk to manage through runtime controls.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org