Severity: critical | CWE-312 | OWASP A02:2021

Terraform State Exposed

Your terraform.tfstate file is committed to your repository or stored in an unencrypted, publicly accessible location — it contains every secret and resource ID in your infrastructure.

How It Works

Terraform state files are a complete snapshot of your infrastructure, including all resource IDs, all outputs, and — critically — all sensitive values like database passwords, API keys, and TLS certificates in plaintext. Committing terraform.tfstate to git is essentially committing every secret in your infrastructure. Even a private S3 bucket without encryption is a risk if the bucket is ever misconfigured.

Vulnerable Code

# BAD: storing state locally (which gets committed to git)
# terraform.tf — no backend configured, state stays in terraform.tfstate
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
  # No backend block — state is local and likely committed
}

Secure Code

# GOOD: remote state in encrypted S3 with state locking
terraform {
  backend "s3" {
    bucket         = "my-terraform-state-private"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true  # AES-256 encryption at rest
    dynamodb_table = "terraform-state-lock"  # prevents concurrent runs
  }
}

Real-World Example

In 2023, researchers scanning public GitHub repositories found over 1,000 terraform.tfstate files containing active AWS access keys, RDS passwords, and Stripe secret keys. Many were from startups that had simply run terraform init in their project root without configuring a remote backend.

How to Prevent It

  • Always configure a remote backend (S3 + DynamoDB for AWS, GCS for GCP) with encryption enabled
  • Add terraform.tfstate, terraform.tfstate.backup, and .terraform/ to your .gitignore immediately
  • Audit your git history for committed state files: git log --all --full-history -- '*.tfstate' (in git's default pathspec matching, * also matches /, so this finds state files at the repository root and in subdirectories alike)
  • If state was ever committed, rotate all secrets found in it — they're permanently in git history
  • Use Terraform Cloud or Atlantis for collaborative state management with access controls
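Step four above says to rotate every secret the exposed state held. The script below is an added example (not part of this page, nor Terraform's own tooling) that builds that rotation inventory from a version 4 terraform.tfstate: it honours the provider's sensitive_attributes markers and sensitive outputs, adds an assumed attribute-name heuristic for values providers do not flag, and runs here on a constructed sample state with placeholder values.

```python
import json
import re

# Names that usually hold credentials even when not flagged in sensitive_attributes (heuristic).
SECRET_NAME_RE = re.compile(r"password|secret|token|private_key|access_key", re.I)


def _marked_sensitive(instance: dict) -> set[str]:
    """Attribute names the provider flagged, e.g. [{"type": "get_attr", "value": "password"}]."""
    return {path[0]["value"] for path in instance.get("sensitive_attributes", [])
            if path and path[0].get("type") == "get_attr"}


def state_secret_inventory(state: dict) -> list[str]:
    """Return the sorted addresses in a v4 state whose values must be rotated."""
    if state.get("version") != 4:
        raise ValueError("only Terraform state format version 4 is supported")
    found: set[str] = set()
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") or SECRET_NAME_RE.search(name):
            found.add(f"output.{name}")
    for res in state.get("resources", []):  # data sources are stored in state too
        module = f"{res['module']}." if res.get("module") else ""
        kind = "data." if res.get("mode") == "data" else ""
        addr = f"{module}{kind}{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            marked = _marked_sensitive(inst)
            for attr, value in inst.get("attributes", {}).items():
                if value in (None, "", [], {}):
                    continue  # nothing stored, nothing to rotate
                if attr in marked or SECRET_NAME_RE.search(attr):
                    found.add(f"{addr}.{attr}")
    return sorted(found)


# Constructed sample state with placeholder values (not from any real environment).
SAMPLE_STATE = json.loads("""{"version": 4, "serial": 7,
  "outputs": {"db_endpoint": {"value": "db.internal", "type": "string"},
              "db_password": {"value": "PLACEHOLDER", "type": "string", "sensitive": true}},
  "resources": [
    {"mode": "managed", "type": "aws_db_instance", "name": "main", "instances": [
      {"attributes": {"id": "db-1", "username": "admin", "password": "PLACEHOLDER"},
       "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
    {"module": "module.api", "mode": "managed", "type": "aws_iam_access_key", "name": "ci",
     "instances": [{"attributes": {"id": "AKIA-PLACEHOLDER", "secret": "PLACEHOLDER", "user": "ci"}}]},
    {"mode": "data", "type": "aws_secretsmanager_secret_version", "name": "stripe",
     "instances": [{"attributes": {"secret_string": "PLACEHOLDER", "version_id": "v1"}}]}
  ]}""")

if __name__ == "__main__":
    print(*state_secret_inventory(SAMPLE_STATE), sep="\n")
```

Run it against a real state file with `state_secret_inventory(json.load(open("terraform.tfstate")))`; anything it lists was exposed in plaintext and stays in git history until rotated, and the name heuristic is deliberately broad so that a manual review trims false positives rather than misses real ones.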

Affected Technologies

Node.js, Python

Data Hogo detects this vulnerability automatically.
