In Terraform 0.14, you will be able to define a sensitive argument on variable blocks. Setting a variable as sensitive prevents Terraform from showing its value in the plan or apply output when that variable is used within a configuration.
Sensitive values are still recorded in the state, in plain text, and so will be visible to anyone who is able to read the state data. For more information, see Sensitive Data in State.
A provider can define an attribute as sensitive, which prevents the value of that attribute from being displayed in logs or regular output. The sensitive argument on variables allows users to replicate this behavior for values in their configuration, by defining a variable as sensitive.
Define a variable as sensitive by setting the sensitive argument to true:
variable "user_information" {
  type = object({
    name    = string
    address = string
  })
  sensitive = true
}

resource "some_resource" "a" {
  name    = var.user_information.name
  address = var.user_information.address
}
Using this variable anywhere in your configuration redacts the value from the plan or apply output:
Terraform will perform the following actions:

  # some_resource.a will be created
  + resource "some_resource" "a" {
      + name    = (sensitive)
      + address = (sensitive)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
In some cases where a sensitive variable is used in a nested block, the whole block is redacted. This happens with resources that can have multiple blocks of the same type, where the block values must be unique, so Terraform cannot describe the change to one block without revealing its contents. This looks like:
# main.tf
resource "some_resource" "a" {
  nested_block {
    user_information  = var.user_information # a sensitive variable
    other_information = "not sensitive data"
  }
}

# CLI output
Terraform will perform the following actions:

  # some_resource.a will be updated in-place
  ~ resource "some_resource" "a" {
      ~ nested_block {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }
Cases where Terraform may disclose a sensitive variable
A sensitive variable is a configuration-level concept: the redaction happens only in Terraform's own output, and values are sent to providers without any obfuscation. A provider error can therefore disclose a value if the provider includes that value in the error message. For example, a provider might return the following error even if "foo" is a sensitive value: "Invalid value 'foo' for field"
If a resource attribute is used as, or as part of, the provider-defined resource id, an apply will disclose the value, because Terraform prints resource ids as they are created. In the example below, the prefix attribute has been set to a sensitive variable, but that value ("jae") is later disclosed as part of the resource id:
  # random_pet.animal will be created
  + resource "random_pet" "animal" {
      + id        = (known after apply)
      + length    = 2
      + prefix    = (sensitive)
      + separator = "-"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

...

random_pet.animal: Creating...
random_pet.animal: Creation complete after 0s [id=jae-known-mongoose]
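The two disclosure paths that matter most in practice are the state file (which stores sensitive values in plain text regardless of the sensitive flag) and provider-derived ids like the random_pet case above, where the sensitive prefix ends up embedded in a longer id. The following script is an added example, not part of the original page or of Terraform itself: it takes a state document in the tfstate format-version-4 layout and reports every resource attribute and output whose stored value contains one of the secrets you know you passed in. The state document is constructed inline to mirror the random_pet apply above (the lineage is a placeholder, and the pet_id output is assumed for illustration); in real use you would feed it the output of terraform state pull.

```python
import json

# Constructed tfstate (format version 4) as it would look after the random_pet
# apply shown above. Built inline for this example, not captured from a real
# Terraform run; the lineage value is a placeholder and the pet_id output is
# an assumed addition to the page's configuration.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "0.14.0",
    "serial": 1,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "pet_id": {"value": "jae-known-mongoose", "type": "string", "sensitive": True}
    },
    "resources": [
        {
            "mode": "managed",
            "type": "random_pet",
            "name": "animal",
            "provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
            "instances": [
                {
                    "schema_version": 0,
                    "attributes": {
                        "id": "jae-known-mongoose",
                        "keepers": None,
                        "length": 2,
                        "prefix": "jae",
                        "separator": "-",
                    },
                }
            ],
        }
    ],
})


def _leaves(value, path=()):
    """Yield (dotted path, leaf) for every scalar inside a nested JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _leaves(child, path + (str(key),))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _leaves(child, path + (str(index),))
    else:
        yield ".".join(path), value


def _contains_secret(leaf, secrets):
    """True if the leaf, rendered as text, contains any non-empty secret."""
    if leaf is None:
        return False
    text = leaf if isinstance(leaf, str) else json.dumps(leaf)
    return any(secret and secret in text for secret in secrets)


def find_secrets_in_state(state_json, secrets):
    """Return (address, attribute path, stored value) for each place a secret appears.

    Substring matching is deliberate: the random_pet case embeds the sensitive
    prefix inside a longer id, so an equality check would miss it.
    """
    state = json.loads(state_json)
    hits = []
    for res in state.get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        if res.get("mode") == "data":
            address = "data." + address
        if res.get("module"):
            address = f'{res["module"]}.{address}'
        for inst in res.get("instances", []):
            key = inst.get("index_key")  # present for count/for_each instances
            if key is None:
                instance_address = address
            elif isinstance(key, str):
                instance_address = f'{address}["{key}"]'
            else:
                instance_address = f"{address}[{key}]"
            for attr_path, leaf in _leaves(inst.get("attributes", {})):
                if _contains_secret(leaf, secrets):
                    hits.append((instance_address, attr_path, leaf))
    # Outputs are stored in the same file; the sensitive flag only affects display.
    for name, out in state.get("outputs", {}).items():
        for attr_path, leaf in _leaves(out.get("value")):
            if _contains_secret(leaf, secrets):
                hits.append((f"output.{name}", attr_path or "value", leaf))
    return hits


if __name__ == "__main__":
    for address, attr, value in find_secrets_in_state(SAMPLE_STATE, ["jae"]):
        print(f"{address} {attr} = {value!r}")
```

Against the sample state with "jae" as the secret, the scan reports random_pet.animal id and prefix as well as the pet_id output, which is exactly what anyone with read access to the backend can see. Pointing it at the real state (terraform state pull, piped in) with the values from your tfvars is a cheap check before deciding whether a state backend's access controls are adequate, and it also flags the id-embedding case the plan output hides.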