Terraform 0.14: Suppressing Variable Values in CLI Output

In Terraform 0.14, you will be able to define a sensitive argument on variable blocks.
Setting a variable as sensitive prevents Terraform from showing its value in the plan or apply output, when that variable is used within a configuration.

Sensitive values are still recorded in the state, and so will be visible to anyone who is able to access the state data. For more information, see Sensitive Data in State.

A provider can define an attribute as sensitive, which prevents the value of that attribute from being displayed in logs or regular output. The sensitive argument on variables allows users to replicate this behavior for values in their configuration, by defining a variable as sensitive.

Define a variable as sensitive by setting the sensitive argument to true:

variable "user_information" {
  type = object({
    name    = string
    address = string
  })
  sensitive = true
}

resource "some_resource" "a" {
  name    = var.user_information.name
  address = var.user_information.address
}

Using this variable throughout your configuration will obfuscate the value from display in plan or apply output:

Terraform will perform the following actions:

  # some_resource.a will be created
  + resource "some_resource" "a" {
      + name    = (sensitive)
      + address = (sensitive)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

In some cases where a sensitive variable is used in a nested block, the whole block can be redacted. This happens with resources which can have multiple blocks of the same type, where the values must be unique. This looks like:

# main.tf

resource "some_resource" "a" {
  nested_block {
    user_information  = var.user_information # a sensitive variable
    other_information = "not sensitive data"
  }
}

# CLI output

Terraform will perform the following actions:

  # some_resource.a will be updated in-place
  ~ resource "some_resource" "a" {
      ~ nested_block {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

Cases where Terraform may disclose a sensitive variable

A sensitive variable is a configuration-centered concept, and values are sent to providers without any obfuscation. A provider error could disclose a value if that value is included in the error message. For example, a provider might return the following error even if “foo” is a sensitive value: "Invalid value 'foo' for field"

If a resource attribute is used as, or part of, the provider-defined resource id, an apply will disclose the value. In the example below, the prefix attribute has been set to a sensitive variable, but then that value (“jae”) is later disclosed as part of the resource id:

  # random_pet.animal will be created
  + resource "random_pet" "animal" {
      + id        = (known after apply)
      + length    = 2
      + prefix    = (sensitive)
      + separator = "-"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

...

random_pet.animal: Creating...
random_pet.animal: Creation complete after 0s [id=jae-known-mongoose]

Hi @pkolyvas, thank you for this! Do you know if it is possible to set a sensitivity attribute on local values? By that I mean, I have some massive configuration strings built within a locals block, and all the lines are being printed.

Hi @justinTM,

Locals have no attributes of their own to set, they can only be assigned values. You can however change the sensitivity of values inline using the sensitive and nonsensitive functions in the configuration.

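An added example (not code from the original thread or from HashiCorp) that ties the announcement and the reply above together: a sensitive input variable, a large configuration string built in a locals block and marked with sensitive(), and a narrow nonsensitive() call that unwraps only a non-secret field for display. The variable, local and resource names are constructed for this example; it assumes the hashicorp/local provider for local_file, and the sensitive() and nonsensitive() functions require Terraform 0.15 or later.

```hcl
# Constructed example: db_password, db_host, app_config and the local_file
# resource are made up for illustration.

variable "db_password" {
  type      = string
  sensitive = true   # shown as (sensitive) in plan and apply output
}

variable "db_host" {
  type    = string
  default = "db.internal.example"
}

locals {
  # A large configuration string assembled in locals. Because it is derived
  # from var.db_password, Terraform already propagates the sensitive marking
  # to the whole string; sensitive() makes that explicit and also covers the
  # case where none of the inputs is itself a sensitive variable.
  app_config = sensitive(jsonencode({
    host     = var.db_host
    password = var.db_password
    pool     = 20
  }))

  # Everything derived from local.app_config inherits its sensitivity, so even
  # the non-secret host field would be redacted. nonsensitive() is applied to
  # that one field only; never apply it to the value that holds the secret,
  # because it removes the marking and the plan would print it in clear.
  app_config_host = nonsensitive(jsondecode(local.app_config).host)
}

resource "local_file" "app_config" {
  # The plan shows `content = (sensitive)`, but the secret is still written to
  # this file and recorded in the Terraform state.
  filename = "${path.module}/app.json"
  content  = local.app_config
}

# Outputs that reference a sensitive value must be declared sensitive.
output "app_config" {
  value     = local.app_config
  sensitive = true
}

output "app_config_host" {
  value = local.app_config_host   # non-secret field, displayed normally
}
```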

Thank you @jbardin! Someone has opened a PR to allow an optional replacement of the JSON attribute of the provider resource with a SHA256 hash of the JSON, which should suppress the (massive) JSON diffs in Terraform Plan 🙂