Terraform Import with Remote Execution not reading Sensitive Variables


I have a Terraform project working fine with remote execution on Terraform Cloud and 6 sensitive variables set up. I understand that the import command only runs locally, and for that reason the user must provide the values for the sensitive variables, but I’m having trouble doing so.

The error that I get when running import is: “The value of variable “sp_client_id” is marked as sensitive in the remote workspace. This operation always runs locally, so the value for that variable is not available.”

So I proceeded to create a file called “terraform.tfvars” and re-ran the import command with the flag “-var-file=terraform.tfvars”, only to obtain the same error…

I confirmed that the file exists and that its content is correct by running cat commands from the same directory that I’m running import from; nothing seems out of place. I also attempted to set the value of variable sp_client_id by using the flag -var 'sp_client_id="MY-SENSITIVE-VALUE"', but again…same error…

So my question is: What is the correct way of providing sensitive variable values for a terraform import command?

Thanks, Ernani

Hello, and welcome to the forum!

Indeed, sensitive variables are only available in the remote execution context and an import operation always executes locally, so you’ll have to provide that sensitive value yourself.

A current caveat is that terraform.tfvars is actually reserved by the remote environment, and your provided file is overwritten rather silently. Instead, place your values in a *.auto.tfvars file and that should work.

Stay tuned, as we’re currently looking at enhancements in this particular area!
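
The workaround from the reply above, as an added example that is not part of the original posts: shell functions that write the sensitive values to an owner-only *.auto.tfvars file, run the import locally, and delete the file afterwards. The file name, the IMPORT_<NAME> environment-variable convention and the restriction to single-line values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (constructed): stage secrets for a local `terraform import`.

# Escape a value for an HCL double-quoted string: backslash, double quote,
# and the template openers ${ and %{.
hcl_escape() {
  printf '%s' "$1" |
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/\${/$${/g' -e 's/%{/%%{/g'
}

# write_import_tfvars FILE NAME...
# Writes NAME = "value" lines to FILE (mode 0600). Each value is read from
# the environment variable IMPORT_<NAME> (a naming convention assumed here).
write_import_tfvars() {
  file=$1; shift
  case "$file" in
    *.auto.tfvars) ;;   # terraform.tfvars is overwritten by the remote environment
    *) echo "file name must end in .auto.tfvars" >&2; return 1 ;;
  esac
  rm -f "$file"
  ( umask 077; : > "$file" ) || return 1
  for name in "$@"; do
    case "$name" in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) value= ;;   # not a valid identifier
      *) eval "value=\${IMPORT_$name-}" ;;
    esac
    if [ -z "$value" ]; then
      echo "no value for $name (set IMPORT_$name)" >&2
      rm -f "$file"; return 1
    fi
    printf '%s = "%s"\n' "$name" "$(hcl_escape "$value")" >> "$file"
  done
}

# import_with_secrets ADDRESS ID NAME...
# Stages the file, runs the import locally, and always removes the file.
import_with_secrets() {
  addr=$1; id=$2; shift 2
  file=import-secrets.auto.tfvars   # hypothetical file name
  write_import_tfvars "$file" "$@" || return 1
  rc=0
  terraform import "$addr" "$id" || rc=$?
  rm -f "$file"
  return "$rc"
}

# Usage (address and ID are placeholders):
#   IMPORT_sp_client_id='...' import_with_secrets <ADDRESS> <ID> sp_client_id
```

Keep `*.auto.tfvars` in the repository's ignore file so a staged secrets file cannot be committed if the cleanup step is interrupted.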