
Terraform Sensitive Output Audit Prompt

Audit a Terraform codebase for leaked secrets — sensitive values landing in outputs, logs, state, or CI artifacts — and apply sensitive flags, ephemeral handling, and redaction to stop exposure.

Target user
Security-minded engineers hardening Terraform secret handling
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a security engineer auditing how a Terraform codebase handles secrets. Find every place a sensitive value can leak and prescribe the fix.

I will provide:
- Modules with variables, outputs, and resources that touch secrets
- Backend type and who can read the state
- CI configuration and where logs/artifacts are stored
- Current secret sources (Vault, SSM, env vars, tfvars)

Your job:

1. **Leak surface map** — enumerate the five places secrets leak in Terraform: (a) `output` values without `sensitive = true`, (b) plaintext in state, (c) CI plan logs, (d) `terraform.tfvars` committed to git, (e) provider/resource attributes echoed in plan diffs. Map each to my code.

2. **Sensitive flagging** — find variables and outputs carrying secrets and add `sensitive = true`. Explain that this redacts CLI/log output but does NOT encrypt state, and identify any sensitive value that propagates into a non-sensitive output (which un-redacts it).

3. **Ephemeral & write-only** — where the provider supports it, recommend ephemeral variables/resources and write-only arguments so the secret never persists in state at all. List which of my values qualify.

4. **State exposure** — assess who can read the state backend and whether secrets sit in plaintext there. Recommend encryption at rest, tight IAM, and minimizing secrets stored in state via data sources fetched at apply time.

5. **CI redaction** — check that plan output posted to PRs or logs masks sensitive values, and that artifacts (plan files, JSON state) are not uploaded to world-readable storage. Plan files contain plaintext secrets even when the console hides them.

6. **Source hygiene** — scan for committed tfvars/secrets, recommend `.gitignore` + a pre-commit secret scanner (gitleaks), and a rotation plan for anything already committed to history.

7. **Verification** — commands to confirm a given output is redacted and that no secret appears in `terraform show -json` artifacts.

Output as: (a) the leak-surface map with severity, (b) code diffs adding sensitive/ephemeral/write-only handling, (c) the state + CI hardening steps, (d) the source-hygiene + rotation plan, (e) verification commands.

Bias toward: keeping secrets out of state entirely, redaction plus encryption, treating plan files as secret material.
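As an added example for the verification step (it is not part of the prompt above or any project's own code), the following Python script audits a `terraform show -json tfplan` document: it lists outputs that are not marked sensitive and reports every JSON path where a known secret value appears in plaintext, which is exactly the exposure the console redacts but the plan file keeps. The plan document is a constructed sample with the same shape as real `terraform show -json` output, and the secret value in it is invented.

```python
"""Audit a `terraform show -json tfplan` document for secret exposure."""
import json

# Constructed sample plan JSON (same shape as `terraform show -json tfplan`).
# A sensitive value feeds a resource password and a sensitive output, but it
# also propagates into a non-sensitive output, which un-redacts it in the CLI.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [{
        "address": "aws_db_instance.main",
        "change": {
            "actions": ["create"],
            "after": {"identifier": "main", "password": "s3cr3t-hunter2"},
            "after_sensitive": {"password": True},
        },
    }],
    "output_changes": {
        "db_password": {"actions": ["create"], "after": "s3cr3t-hunter2",
                        "after_sensitive": True},
        "db_url": {"actions": ["create"],
                   "after": "postgres://app:s3cr3t-hunter2@main:5432/app",
                   "after_sensitive": False},
    },
})


def walk(node, path=""):
    """Yield (json_path, leaf_value) for every scalar in the document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from walk(val, f"{path}[{idx}]")
    else:
        yield path, node


def audit_plan(plan_json: str, known_secrets: list[str]) -> dict:
    """Return outputs lacking sensitive=true and all paths holding a known secret."""
    plan = json.loads(plan_json)
    unflagged = sorted(name for name, change in plan.get("output_changes", {}).items()
                       if change.get("after_sensitive") is not True)
    # Plan JSON is never redacted, so any secret fed in is findable as plaintext.
    hits = sorted(path for path, val in walk(plan)
                  if isinstance(val, str) and any(s in val for s in known_secrets))
    return {"unflagged_outputs": unflagged, "secret_paths": hits}


if __name__ == "__main__":
    print(json.dumps(audit_plan(SAMPLE_PLAN, ["s3cr3t-hunter2"]), indent=2))
```

On a real plan, feed it `terraform show -json tfplan` and the secret values pulled from your secret source; any path it reports is a value that would ship in plaintext inside a plan artifact.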