How to get redacted JSON plan


I’m building a feature that requires me to process the JSON plan of a workspace run. I’ve been successfully fetching it with GET<PLAN_ID>/json-output. However this has failed for a customer who has a Team token with the View all workspaces permission. The customer reports that the endpoint returns a 404, but the redacted output endpoint (with the same plan ID) succeeds: GET<PLAN_ID>/json-output-redacted. The customer does not want to make a highly privileged token available to my feature, so he has requested that I work with the redacted plan instead.

In investigating whether I could switch to the redacted plan’s endpoint, I discovered that its output is 10,000 times as large as the vanilla plan. I also noticed that this endpoint is not documented in the Plan API Docs. What’s going on? What is the proper way to get a redacted JSON plan output?

1 Like

I’m in a similar situation where I would like developers that don’t have administrator access to be able to run scripts that can inspect the redacted plan. the json-output-redacted endpoint seems promising, but there is no documentation.

The likely reason this endpoint is undocumented is that it is intended for internal use by terraform plan. To verify this, you can run TF_LOG=TRACE terraform plan. You should observe output similar to the following:

2024-06-14T13:56:03.490+0200 [DEBUG] performing request: method=GET url=

The large response size stems from the inclusion of the full JSON schema, analogous to what you would receive from the json-schema endpoint. If your requirement is limited to resource_changes, the output from the json-output-redacted endpoint is identical to that from the json-output endpoint. However some other fields that would usually also be in the output are missing.

To exclude the JSON schema from the response, you can pipe the output through jq 'del(.provider_schemas)'.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.