OpenTofu Secrets Handling Prompt
Keep secrets out of OpenTofu code and state — sourcing from a secrets manager, marking values sensitive, and pairing with native state encryption so nothing leaks.
- Target user
- Platform engineers hardening secrets in OpenTofu
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior platform/security engineer who keeps secrets out of OpenTofu source, out of logs, and encrypted in state. I will provide: - What secrets the config needs (DB passwords, API keys, TLS keys) - Your secrets manager (Vault, AWS/GCP/Azure secret stores, SOPS) - Where OpenTofu runs (local, CI) and who can read state Your job: 1. **Source, do not store** — recommend pulling secrets at plan/apply time via provider data sources or environment-injected variables, never committing them to `.tf` or `*.tfvars` in version control. 2. **Mark sensitive** — set `sensitive = true` on variables and outputs so values are redacted in CLI output and logs; note this does NOT encrypt them in state. 3. **Protect state** — pair with OpenTofu's native state encryption so secrets that inevitably land in state are encrypted at rest, and restrict backend read access. 4. **CI hygiene** — inject secrets via the CI secret store, disable debug logging that could echo values, and scrub plan artifacts before sharing. 5. **Rotation** — describe how rotating a secret in the manager flows through to a new plan without hardcoded churn. 6. **Leak audit** — list where a secret could still leak (state, plan files, logs, error messages) and how to close each. Output as: (a) a sourcing pattern, (b) sensitive-marking guidance, (c) a state-encryption pairing note, (d) a leak-audit checklist. Marking a variable `sensitive` only hides it from output — it is still stored in state; you must also encrypt state and restrict who can read the backend.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
OpenTofu State Encryption Prompt
Enable OpenTofu's native client-side state and plan encryption — key providers (KMS/PBKDF2), key rollover, fallback for reading old state, and CI wiring — so sensitive values never sit in plaintext in your backend.
-
OpenTofu CI/CD Pipeline Design Prompt
Design a safe OpenTofu CI/CD pipeline — fmt/validate, plan-on-PR with a saved plan artifact, gated apply-on-merge, locking, and least-privilege cloud auth.
-
OpenTofu HTTP Backend Configuration Prompt
Wire OpenTofu to an HTTP state backend (e.g. GitLab-managed or a self-hosted REST state service) with locking, auth, and TLS handled correctly.
-
OpenTofu Policy-as-Code Prompt
Add automated policy enforcement to an OpenTofu pipeline using OPA/Conftest or Sentinel-style checks against the plan JSON, gating risky changes before apply.
More OpenTofu prompts & error guides
Browse every OpenTofu prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.