How to Handle Sensitive Data Securely in Terraform

Source: DEV Community
Day 13 of my Terraform journey focused on one of the most important topics in real infrastructure work: secrets.

Every serious deployment eventually needs sensitive values:

- database passwords
- API keys
- tokens
- TLS material
- provider credentials

The challenge is not just using those secrets. The challenge is making sure they do not leak into places they should never be.

Terraform makes infrastructure easy to define, but if you are careless with secrets, they can leak through your code, your terminal output, your Git history, and even your state file. This post is the guide I wish I had before learning this lesson.

Why Secrets Leak in Terraform

There are three major ways secrets leak in Terraform. If you understand these clearly, you will avoid most beginner and intermediate Terraform security mistakes.

Leak Path 1: Hardcoded in .tf Files

This is the most obvious mistake.

Wrong

    resource "aws_db_instance" "example" {
      username = "admin"
      password = "super-secret-password"
    }

Why this is bad: th
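A pre-commit style check for Leak Path 1, as an added example that is not part of the original post: it flags sensitive-looking attributes assigned a quoted literal in Terraform source and reports only the line number and attribute name, never the value. The attribute-name pattern, the sample configuration and the variable name `var.db_password` are assumptions made for illustration.

```python
import re

# Attribute names that usually hold secrets (assumed list; extend it for your providers).
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|token|api_key|private_key)", re.I)
# Matches: name = "literal", optionally followed by a trailing comment.
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(?:#.*|//.*)?$')
# A string that is nothing but one interpolation, e.g. "${var.db_password}".
PURE_INTERPOLATION = re.compile(r"\$\{[^}]*\}")

# Constructed sample: one hardcoded secret, two references that must not be flagged.
SAMPLE_TF = '''\
resource "aws_db_instance" "example" {
  username = "admin"
  password = "super-secret-password"
}

resource "aws_db_instance" "from_variable" {
  username = "admin"
  password = var.db_password
}

resource "aws_db_instance" "interpolated" {
  password = "${var.db_password}"
}
'''


def find_hardcoded_secrets(tf_source):
    """Return (line_no, attribute) for sensitive attributes set to a string literal."""
    findings = []
    for line_no, line in enumerate(tf_source.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue  # unquoted references (var.x) and comment lines never match
        name, value = match.groups()
        if not SENSITIVE_NAME.search(name):
            continue
        if value == "" or PURE_INTERPOLATION.fullmatch(value):
            continue  # empty string or a pure reference, not a literal secret
        # Record the location only; echoing the value would leak it into logs.
        findings.append((line_no, name))
    return findings


if __name__ == "__main__":
    for line_no, name in find_hardcoded_secrets(SAMPLE_TF):
        print(f"line {line_no}: '{name}' is set to a string literal")
```

The check is line-based, so it does not see a literal `default` inside a `variable` block or values split across lines.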