How do I pass sensitive variable values when running a command locally

I have Terraform Cloud set up to store my state and manage my workspaces.

I need to import a resource into one of my resources, so I thought I’d try

terraform import <addr> <id>

However, I got a lot of warnings of the type:

Warning: Value for var.xyz unavailable

The value of variable "xyz" is marked as sensitive in the remote workspace.
This operation always runs locally, so the value for that variable is not
available.

I created an auto.tfvar file and tried

tf import -var-file=local.auto.tfvars <addr> <id>

again, no luck.

So, I get what the warnings are saying, but I can’t fathom a way to pass values in.

Any suggestions?


Hi Dan, TF Support Engineer here. While I’m not usually on community forums, your comment was brought to my attention by a customer who has encountered this same issue. I have reported this for triage, and wanted to let you know that you’re not alone. If you’d like, you can file an issue on GitHub and refer to internal ID 1180196061715870 to tie everything together, but regardless we’re investigating.

In the meantime, because the behavior leads to the variables being “set” but with null or empty values, there is no way to override the empty value coming from the remote backend. The provider has to be configured in another way, such as statically setting the values.

If you find yourself importing a lot, you may wish to make the provider argument assignments with sensitive values conditional in some way, such that you can switch back and forth between “local” and “remote” values, such as creating a bool that can be toggled, conditionally assigning null to the provider arguments, and instead configuring the provider credentials in environment variables.
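A sketch of the toggle described in the reply above, as an added example that is not part of the original thread or HashiCorp's own code. It assumes the AWS provider (the thread does not name one); the variable names `use_local_credentials`, `aws_access_key` and `aws_secret_key` and the region are hypothetical.

```hcl
# Hypothetical toggle. Leave it unset in the remote workspace so remote
# runs keep the default (false); set it only for commands that run locally.
variable "use_local_credentials" {
  type    = bool
  default = false
}

# Marked sensitive in the remote workspace, so their values are not
# available to operations that always run locally, such as import.
variable "aws_access_key" {
  type    = string
  default = null
}

variable "aws_secret_key" {
  type    = string
  default = null
}

provider "aws" {
  region = "us-east-1" # constructed sample value

  # With the toggle on, both arguments are null and the provider falls back
  # to its normal credential chain (AWS_ACCESS_KEY_ID and
  # AWS_SECRET_ACCESS_KEY in the environment, shared credentials file).
  access_key = var.use_local_credentials ? null : var.aws_access_key
  secret_key = var.use_local_credentials ? null : var.aws_secret_key
}

# Local import, with the secrets held only in the shell environment:
#   export AWS_ACCESS_KEY_ID=<key id>
#   export AWS_SECRET_ACCESS_KEY=<secret>
#   terraform import -var 'use_local_credentials=true' <addr> <id>
```

Keeping the credentials in environment variables for the local run means they never need to be written to a `.tfvars` file on disk.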