2 min read | by Jordi Prats
Some Terraform outputs can contain sensitive data. For example, the rendered Helm values that we need to give to Helm to install the pods on our Kubernetes cluster can contain sensitive data. Starting with Terraform 0.15, we can tell Terraform which input and output variables are sensitive so that it hides them from its output.
For example, to set an output variable as sensitive we just need to add the sensitive attribute and set it to true:
output "helm_pet2cattle_values" {
  value     = module.pet2cattle.values
  sensitive = true
}
If you apply the terraform code it will show the variable redacted:
$ terraform apply
(...)
Outputs:
helm_pet2cattle_values = <sensitive>
web = "https://pet2cattle.com"
Even from the terraform output command:
$ terraform output
helm_pet2cattle_values = <sensitive>
web = "https://pet2cattle.com"
Yet we can retrieve it anyway if we request it explicitly:
$ terraform output helm_pet2cattle_values
tolist([
<<-EOT
image:
repository: pet2cattle
tag: 1.2.3
pullPolicy: IfNotPresent
pullSecrets: []
(...)
Other times the sensitive data is neither an input nor an output variable. We can also tell Terraform to redact certain data from its output by using the sensitive() function.
This function takes any object and returns a copy of it marked as sensitive. Because the object is already marked as sensitive, its content is redacted from any non-explicit Terraform output, even if you output it.
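A minimal configuration showing how the mark set by sensitive() propagates, written as an added example that is not code from the original post. The local names, the output names and the sample password are constructed for illustration.

```hcl
terraform {
  required_version = ">= 0.15" # sensitive() and nonsensitive() need 0.15+
}

locals {
  # Constructed sample data: rendered values that embed a credential.
  helm_values_raw = yamlencode({
    image    = { repository = "pet2cattle", tag = "1.2.3" }
    database = { password = "constructed-example-only" }
  })

  # Neither an input nor an output variable, so we mark it ourselves.
  helm_values = sensitive(local.helm_values_raw)

  # Anything derived from a sensitive value inherits the mark.
  helm_values_checksum = sha256(local.helm_values)
}

# An output that refers to a sensitive value must declare sensitive = true;
# without it, terraform refuses the configuration with an error.
output "helm_values" {
  value     = local.helm_values
  sensitive = true
}

# nonsensitive() removes the mark. Use it only when the derived value
# really does not disclose the secret; here it publishes a checksum so
# that changes to the values are visible in the plan.
output "helm_values_checksum" {
  value = nonsensitive(local.helm_values_checksum)
}

# Caveat: the mark only affects what the CLI displays. The value is still
# written to the state file in plain text and is still returned by an
# explicit `terraform output helm_values`, so access to the state
# backend must be restricted as well.
```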
Posted on 09/06/2021