2 min read | by Jordi Prats
Starting with Terraform 0.15, variables can be marked as sensitive so that they won't appear in plain text in Terraform's output unless we explicitly request them. We can also remove that marking from a value using the nonsensitive() function.
Let's take a look at an example of the nonsensitive() function.
We start with a variable that is marked as sensitive:
```
variable "sensitive_string" {
  type      = string
  sensitive = true
}
```
Then we copy it to a local value using the nonsensitive() function and output both values:
```
locals {
  not_so_sensitive = nonsensitive(var.sensitive_string)
}

output "sensitive_str" {
  value     = var.sensitive_string
  sensitive = true
}

output "nonsensitive_str" {
  value = local.not_so_sensitive
}
```
If we run terraform plan (the variable's value comes from terraform.tfvars), we can see the contents of the variable in plain text:
```
$ terraform plan

Changes to Outputs:
  + nonsensitive_str = "super-duper-secret"
  + sensitive_str = (sensitive value)

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
```
Obviously, we shouldn't do something like this unless we transform the value in some way so that it is no longer sensitive, for example by hashing it:
```
locals {
  not_so_sensitive = nonsensitive(sha256(var.sensitive_string))
}
```
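One way to enforce this rule in code review, as an added example that is not part of the original post: a small Python check that reports every nonsensitive() call whose argument is not, as a whole, a single hash call. The names `audit` and `ALLOWED_WRAPPERS`, the allowlist itself, and the sample HCL are assumptions made for this example.

```python
import re

# Assumed policy for this example: only these Terraform hash functions justify unmarking.
ALLOWED_WRAPPERS = {"sha256", "sha512", "base64sha256", "base64sha512"}
CALL = re.compile(r"\bnonsensitive\s*\(")
OUTER = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*\(")
# Constructed sample based on the locals blocks shown in this post.
SAMPLE = """locals {
  not_so_sensitive = nonsensitive(var.sensitive_string)
  hashed           = nonsensitive(sha256(var.sensitive_string))
}
"""

def _argument(text, start):
    """Return the text from `start` up to the parenthesis that closes the call."""
    depth, i, in_string = 1, start, False
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "()":
            depth += 1 if ch == "(" else -1
            if depth == 0:
                return text[start:i]
        i += 1
    return text[start:]  # unbalanced input: return the remainder

def audit(hcl):
    """Return (line, argument) for each nonsensitive() call that is not one allowed hash call.
    Comments are not stripped, so a call inside a comment is reported too."""
    findings = []
    for m in CALL.finditer(hcl):
        arg = _argument(hcl, m.end()).strip()
        outer = OUTER.match(arg)
        hashed = (outer is not None and outer.group(1) in ALLOWED_WRAPPERS
                  and outer.end() + len(_argument(arg, outer.end())) + 1 == len(arg))
        if not hashed:
            findings.append((hcl.count("\n", 0, m.start()) + 1, arg))
    return findings

if __name__ == "__main__":
    for line, arg in audit(SAMPLE):
        print(f"line {line}: nonsensitive({arg}) reveals an unhashed value")
```

A hash only hides a high-entropy input: a short or guessable secret can be recovered from its SHA-256 by offline guessing, so a clean report is necessary rather than sufficient.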
Also bear in mind that it will return an error if you try to mark as nonsensitive a value that's already marked as nonsensitive or has never been marked as sensitive:
```
$ terraform plan
╷
│ Error: Invalid function argument
│
│   on main.tf line 2, in locals:
│    2:   not_so_sensitive = nonsensitive(nonsensitive(var.sensitive_string))
│     ├────────────────
│     │ var.sensitive_string has a sensitive value
│
│ Invalid value for "value" parameter: the given value is not sensitive, so this call is redundant.
╵
```
Posted on 07/10/2021