Terraform: Feature request: ability to configure variables to mask in the output of terraform plan

Created on 3 Nov 2017 · 4 Comments · Source: hashicorp/terraform

When using TF in automated pipelines, the plan from `terraform plan` is logged in the output.

It would be nice if we can specify these sensitive variables to be masked so that the plan can be reviewed but not leak secrets.

I searched for mask secret but no relevant issues were found.

cli enhancement

Most helpful comment

Hi @tonglil,

Terraform currently has some capabilities to mask sensitive values, but it is not fully-general.

As a user, you can mark _outputs_ as being sensitive using the `sensitive = true` argument.

Individual resource attributes can also be marked as sensitive by the _provider developer_, in which case they will be hidden from the plan output.

If there is a resource attribute you're using that accepts a sensitive value but is not marked as sensitive (doesn't show values as `<sensitive>` in the plan) then you could open an issue in the relevant provider repository (see the terraform-providers GitHub organization) and the maintainers of that provider may be able to mark it as such for a future version.

We do eventually plan to track sensitive values more comprehensively so that e.g. if you interpolate a sensitive attribute into another expression Terraform will treat that second result as sensitive too. That is not yet possible since we need to do some more work on Terraform Core to have enough information available to implement that, but it is a long-term goal that we are working towards as part of some current work to improve how Terraform represents configuration values internally.

All 4 comments

cc @sbower

In Terraform v0.14.0 you can now mark input variables as being sensitive, which will cause Terraform to hide values derived from them when printing out the plan and other similar output. If you try that out and have feedback about it, please open a new feature request issue to discuss any additional use-cases that feature isn't covering.
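The two mechanisms mentioned in this thread (sensitive outputs and, from v0.14.0, sensitive input variables) can be combined as in the following configuration. This is an added example, not part of the original thread or of Terraform's own documentation; the variable, local and output names and the host value are hypothetical.

```hcl
# Added example: all names and sample values here are constructed for illustration.
terraform {
  required_version = ">= 0.14.0" # sensitive input variables need v0.14.0 or later
}

variable "db_password" {
  type      = string
  sensitive = true # values derived from this variable are hidden in plan output
  # No default: supply it at run time, e.g. through the TF_VAR_db_password
  # environment variable set by the pipeline's secret store.
}

variable "db_host" {
  type    = string
  default = "db.example.internal" # constructed sample value, not a secret
}

locals {
  # Interpolating a sensitive variable makes the whole resulting string
  # sensitive, so the host and port in it are hidden along with the password.
  connection_string = "postgres://app:${var.db_password}@${var.db_host}:5432/app"
}

output "connection_string" {
  value     = local.connection_string
  sensitive = true # an output built from a sensitive value must be marked sensitive
}

output "db_host" {
  value = var.db_host # not derived from a sensitive value, so it stays readable
}

# Caveat: `sensitive` only controls what Terraform prints. The real values are
# still written to the state file and to saved plan files, so those artifacts
# need their own access control and encryption at rest.
```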

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
