Detailed Explanation:
Rationale for Correct Answer: HashiCorp recommends storing secrets in secure, purpose-built systems or mechanisms that avoid exposing sensitive values in plaintext or version control:
B. HashiCorp Vault is a dedicated secrets management solution designed to securely store and control access to sensitive data.
D. Environment variables (TF_VAR_) allow passing sensitive values at runtime without persisting them in configuration files or version control.
E. HCP Terraform sensitive variables are encrypted and hidden from logs and UI output, making them a secure option for managing secrets in Terraform Cloud/Enterprise environments.
These approaches align with Terraform best practices for secure secret management and protecting sensitive inputs in IaC workflows.
Analysis of Incorrect Options (Distractors):
A. Plaintext document on a shared drive is insecure and exposes secrets to unauthorized access.
C. terraform.tfvars committed to version control is explicitly discouraged because secrets would be stored in plaintext and tracked in Git history, creating a major security risk.
Key Concept: Secure handling of sensitive data in Terraform using Vault, environment variables, and sensitive input variables.
[Reference: Terraform Objective Domain: Manage Terraform Workspaces and Cloud, , , , , , , ]