Sensitive Data Filtering
Protect secrets and sensitive fields during state uploads.
Sensitive data filtering helps prevent secrets from appearing in Cora. When enabled, the CLI and backend omit configured attributes before data is stored.
What gets filtered
Cora automatically filters common sensitive fields including:
- Passwords and credentials
- API keys and access tokens
- Private keys and certificates
- Connection strings with embedded secrets
How filtering works
Terraform marks certain resource attributes as sensitive in provider schemas. Cora respects these markers and omits values before storing state. Additionally, Cora scans for common patterns like password, secret, api_key, and private_key in attribute names and excludes them from uploads.
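A local pre-upload review that applies the two checks described above (schema sensitivity marks and attribute-name patterns), as an added example; it is not Cora's code. It assumes input in the `terraform show -json` layout, and the sample state and the `example_service` resource type are constructed.

```python
import json
import re
import sys

# Name patterns listed on this page; Cora's exact matching rules are an assumption.
NAME_PATTERN = re.compile(r"password|secret|api_key|private_key", re.IGNORECASE)

# Constructed sample in `terraform show -json` layout (not real state).
SAMPLE = {"values": {"root_module": {
    "resources": [{
        "address": "aws_db_instance.main",
        "values": {"username": "app", "password": "constructed-value"},
        "sensitive_values": {"password": True},
    }],
    "child_modules": [{"resources": [{
        "address": "module.api.example_service.svc",  # hypothetical resource type
        "values": {"settings": [{"api_key": "constructed-value", "region": "eu"}]},
        "sensitive_values": {"settings": [{}]},
    }]}],
}}}

def _walk(value, mark, path):
    """Yield (path, reason) for attributes flagged by schema mark or by name."""
    if mark is True:
        yield path, "schema-sensitive"
    elif isinstance(value, dict):
        for key, val in value.items():
            sub = f"{path}.{key}" if path else key
            sub_mark = mark.get(key) if isinstance(mark, dict) else None
            if sub_mark is not True and val is not None and NAME_PATTERN.search(key):
                yield sub, "name-pattern"
            else:
                yield from _walk(val, sub_mark, sub)
    elif isinstance(value, list):
        for i, val in enumerate(value):
            sub_mark = mark[i] if isinstance(mark, list) and i < len(mark) else None
            yield from _walk(val, sub_mark, f"{path}[{i}]")

def audit(state):
    """Return [(resource address, attribute path, reason)] across all modules."""
    findings, stack = [], [(state.get("values") or {}).get("root_module") or {}]
    while stack:
        module = stack.pop(0)
        stack.extend(module.get("child_modules", []))
        for res in module.get("resources", []):
            marks = res.get("sensitive_values", {})
            findings += [(res["address"], p, r) for p, r in _walk(res.get("values", {}), marks, "")]
    return findings

if __name__ == "__main__":  # usage: terraform show -json | python3 audit.py
    for address, path, reason in audit(json.load(sys.stdin)):
        print(f"{address}\t{path}\t{reason}")  # paths only, never values
```

A `name-pattern` finding without a matching `schema-sensitive` mark is an attribute the provider schema does not protect, which makes it a candidate for `sensitive = true` or for moving into a secrets manager.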
Enabling filtering
Filtering is enabled by default for all uploads. No additional configuration is required.
Best practices
- Mark sensitive variables as `sensitive = true` in your Terraform configuration.
- Use Terraform's native `sensitive` attribute on outputs and variables.
- Review your state with `terraform state show` before uploading to verify what will be sent.
- Consider using a secrets manager (AWS Secrets Manager, HashiCorp Vault) to keep secrets out of state entirely.
For additional security, you can configure your account to require encrypted state uploads. Contact [email protected] to enable this feature.
Next steps
- Create an API token for secure uploads.
- Set up CI uploads with proper secret management.
- Review workspace organization to isolate environments.