In HCP Terraform (Terraform Cloud), is it possible to run custom scripts to sanitize the plan output before allowing it to be viewable? It seems to be possible for a plan to leak sensitive values if a provider raises an error and logs the sensitive value in the error message.
One option seems to be using HCP Terraform Agents with a pre-plan run hook. It could run a plan, and if any sensitive values are detected in the output, it could sanitize the output before showing it, then exit with an error to prevent the actual plan from running and exposing those values.
However, we aren’t sure if plans can be run in pre-plan run hooks, or if there is a simpler solution to this. Thank you!
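
The detect, redact, then fail step the post describes, as an added example that is not part of the original post and does not settle whether an agent hook can intercept plan output. It assumes the sensitive values are known in advance; the function names, the secrets-file argument, `MIN_LEN` and `MASK` are hypothetical.

```python
import base64
import json
import sys
from urllib.parse import quote

MIN_LEN = 4          # assumption: shorter values would match too much ordinary text
MASK = "(redacted)"  # assumption: placeholder shown instead of the value


def variants(secret):
    """Forms in which an error message might echo a value."""
    return {
        secret,                                      # verbatim
        json.dumps(secret)[1:-1],                    # JSON-escaped (quotes, backslashes)
        quote(secret, safe=""),                      # percent-encoded, e.g. inside a URL
        base64.b64encode(secret.encode()).decode(),  # base64 of the value on its own
    }


def build_needles(secrets):
    needles = set()
    for s in secrets:
        if len(s) >= MIN_LEN:
            needles |= variants(s)
    # Longest first, so a value that contains another value is masked whole
    # instead of leaving its tail in the output.
    return sorted(needles, key=len, reverse=True)


def sanitize(text, secrets):
    """Return (redacted_text, number_of_matches)."""
    hits = 0
    for needle in build_needles(secrets):
        found = text.count(needle)
        if found:
            hits += found
            text = text.replace(needle, MASK)
    return text, hits


def main(argv):
    # Hypothetical usage: sanitize.py SECRETS_FILE < plan-output.txt
    with open(argv[1], encoding="utf-8") as fh:
        secrets = [line.rstrip("\n") for line in fh]
    clean, hits = sanitize(sys.stdin.read(), secrets)
    sys.stdout.write(clean)
    return 1 if hits else 0  # non-zero exit lets the caller stop the run


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Literal matching only catches values that are already known and echoed in one of the listed forms; a value that is truncated or transformed in some other way passes through unmasked.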