How can I pass credentials in Terraform?


I’ve got 2 options to pass creds to a Terraform provider:

  1. Set up ENV variables like FOO_PROVIDER_USERNAME & FOO_PROVIDER_PASSWORD. Update: and read them from ENV in the source code of the provider, so there are no username / password vars in *.tf files.
  2. Set it explicitly in a provider:

     provider "foocloud" {
       username = "[email protected]"
       password = "coolpass"
     }

Shall I pick #1 or #2? My concern about #2 is that the username / password might be saved to a state file, which is a security concern.

EDIT: this is typically for managing secrets in resources:

A few weeks ago, I came across this great article by Yevgeniy Brikman:

https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1

Out of the two options you mention, go with option 1 (like you said, option 2 will write them to the state file) but you should set the variables as sensitive.

Example:

# main.tf

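# A resource block takes two labels: the type and a local name ("example" is a placeholder)
resource "foocloud" "example" {
  name     = "foobar"

  username = var.username
  password = var.password
}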

# variables.tf

variable "username" {
  description = "foobar"
  type        = string
  sensitive   = true
}

variable "password" {
  description = "foobar"
  type        = string
  sensitive   = true
}

# command line or in text file

export TF_VAR_username=foo
export TF_VAR_password=bar

EDIT: in the case of authentication to cloud providers such as AWS you can use the credentials files among other options, as explained here:

https://blog.gruntwork.io/authenticating-to-aws-with-the-credentials-file-d16c0fbcbf9e
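
Added example (not part of the original question or answer): Terraform stores resource attribute values in the state file in plaintext even when the input variable is marked `sensitive`, since that flag only redacts CLI output. The check below scans a state file for credential-like attributes so the exposure can be confirmed. The sample state is constructed around the answer's `foocloud` resource, and the attribute-name pattern and the `settings` / `api_token` fields are assumptions.

```python
import json
import re
import sys
from pathlib import Path

# Attribute names treated as credential-like (an assumption; extend per provider).
SECRET_KEY = re.compile(r"password|passwd|secret|token|api_?key|private_key", re.I)

# Constructed sample in the version-4 state layout; real state files carry more fields.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed", "type": "foocloud", "name": "example",
        "instances": [{"attributes": {
            "name": "foobar", "username": "foo", "password": "bar",
            "settings": [{"api_token": "t0ken", "region": ""}],
        }}],
    }],
})


def walk(node, path="", key=""):
    """Yield (path, nearest attribute name, value) for every scalar leaf."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def find_plaintext_secrets(state_text):
    """Return 'type.name: attribute.path' per non-empty credential-like string."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        address = f'{res.get("type")}.{res.get("name")}'
        for inst in res.get("instances", []):
            for path, key, value in walk(inst.get("attributes") or {}):
                if isinstance(value, str) and value and SECRET_KEY.search(key):
                    findings.append(f"{address}: {path}")  # never print the value
    return findings


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_STATE
    hits = find_plaintext_secrets(text)
    print("\n".join(hits) or "no credential-like plaintext attributes found")
    sys.exit(1 if hits else 0)
```

Any hit means the state file itself has to be handled as a secret: keep it in an encrypted remote backend with restricted access and out of version control.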