Terraform: A terraform refresh outputs sensitive variables unredacted

Created on 8 Nov 2018 · 3Comments · Source: hashicorp/terraform

Terraform Version

Terraform v0.11.10

Terraform Configuration Files

output "var" {
  sensitive = true
  value     = ${var.sensitive_var}
}

Expected Behavior

A terraform refresh should redact sensitive outputs with <sensitive> displayed in place of their value like a terraform apply would do.

Although this behavior is stated in the documentation as already implemented. It's not the behavior that I'm experiencing.

When outputs are displayed on-screen following a terraform apply or terraform refresh, sensitive outputs are redacted, with <sensitive> displayed in place of their value.

terraform apply
[...]
Outputs:
var = <sensitive>

terraform refresh
[...]
Outputs:
var = <sensitive>

Actual Behavior

A terraform refresh outputs sensitive variables unredacted.

terraform apply
[...]
Outputs:
var = <sensitive>

terraform refresh
[...]
Outputs:
var = the value unredacted

Steps to Reproduce

(with a terraform configuration containing at least one sensitive output variable)

terraform init

terraform apply

terraform refresh

References

We can see the sensitive check in the apply command but not in the refresh command.
https://github.com/hashicorp/terraform/blob/master/command/apply.go#L376
https://github.com/hashicorp/terraform/blob/master/command/refresh.go

bug cli

Source

Platou

👍12

Most helpful comment

I can reproduce it:

The refreshed state variable contains the sensitive parameter for example:

...
"outputs": {
                "ip": {
                    "sensitive": true,
                    "type": "string",
                    "value": "100.24.101.63"
                }
            },
...

but the docs say that on refresh it should be redacted:

https://www.terraform.io/docs/configuration/outputs.html#sensitive-outputs

theodesp on 8 Nov 2018

👍2

All 3 comments

I can reproduce it:

The refreshed state variable contains the sensitive parameter for example:

...
"outputs": {
                "ip": {
                    "sensitive": true,
                    "type": "string",
                    "value": "100.24.101.63"
                }
            },
...

but the docs say that on refresh it should be redacted:

https://www.terraform.io/docs/configuration/outputs.html#sensitive-outputs

theodesp on 8 Nov 2018

👍2

Hello! :robot:

This issue relates to an older version of Terraform that is no longer in active development, and because the area of Terraform it relates to has changed significantly since the issue was opened we suspect that the issue is either fixed or that the circumstances around it have changed enough that we'd need an updated issue report in order to reproduce and address it.

If you're still seeing this or a similar issue in the latest version of Terraform, please do feel free to open a new bug report! Please be sure to include all of the information requested in the template, even if it might seem redundant with the information already shared in _this_ issue, because the internal details relating to this problem are likely to be different in the current version of Terraform.

Thanks!

hashibot on 28 Aug 2019

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.