website: warning that plan files are insecure

2014-07-25 21:42:06 -07:00 · 2014-07-25 21:42:06 -07:00 · a03af7809c
parent d5049b65da
commit a03af7809c
1 changed files with 16 additions and 1 deletions
--- a/website/source/docs/commands/plan.html.markdown
+++ b/website/source/docs/commands/plan.html.markdown
@ -25,7 +25,10 @@ The command-line flags are all optional. The list of available flags are:

 * `-no-color` - Disables output with coloring.

-* `-out=path` - The path to save the generated execution plan.
+* `-out=path` - The path to save the generated execution plan. This plan
+  can then be used with `terraform apply` to be certain that only the
+  changes shown in this plan are applied. Read the warning on saved
+  plans below.

 * `-refresh=true` - Update the state prior to checking for differences.

@ -38,3 +41,15 @@ The command-line flags are all optional. The list of available flags are:
   a file. If "terraform.tfvars" is present, it will be automatically
   loaded if this flag is not specified.

+## Security Warning
+
+Saved plan files (with the `-out` flag) encode the configuration,
+state, diff, and _variables_. Variables are often used to store secrets.
+Therefore, the plan file can potentially store secrets.
+
+Terraform itself does not encrypt the plan file. It is highly
+recommended to encrypt the plan file if you intend to transfer it
+or keep it at rest for an extended priod of time.
+
+Future versions of Terraform will make plan files more
+secure.