How to use terraform's nonsensitive() function

2 min read | by Jordi Prats

Starting with Terraform 0.15, variables can be marked as sensitive, so they won't appear in plain text in Terraform's output unless we explicitly request them. But we can also mark a value as non-sensitive using the nonsensitive() function.

We can take a look at this nonsensitive() function example:

We are taking a variable that is marked as sensitive:

variable "sensitive_string" {
  type      = string
  sensitive = true
}

And we are copying it to a local value using the nonsensitive() function, then outputting both:

locals {
  not_so_sensitive = nonsensitive(var.sensitive_string)
}

output "sensitive_str" {
  value     = var.sensitive_string
  sensitive = true
}

output "nonsensitive_str" {
  value = local.not_so_sensitive
}

If we run terraform plan (the variable's value comes from terraform.tfvars), we will be able to see the contents of the variable:

$ terraform plan

Changes to Outputs:
  + nonsensitive_str = "super-duper-secret"
  + sensitive_str    = (sensitive value)

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.

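Obviously, we shouldn't do something like this unless we transform the value so that it is no longer sensitive, for example by hashing it (which only helps when the secret is high-entropy, since a hash of a guessable value can be brute-forced offline):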

locals {
  not_so_sensitive = nonsensitive(sha256(var.sensitive_string))
}

Also bear in mind that it will return an error if you try to mark as nonsensitive a value that's already marked as nonsensitive or that has never been marked as sensitive:

$ terraform plan
╷
│ Error: Invalid function argument
│
│   on main.tf line 2, in locals:
│    2:   not_so_sensitive = nonsensitive(nonsensitive(var.sensitive_string))
│     ├────────────────
│     │ var.sensitive_string has a sensitive value
│
│ Invalid value for "value" parameter: the given value is not sensitive, so this call is redundant.
╵
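
As an added example (not part of the original post), this Python script scans Terraform source for nonsensitive() calls and separates the three cases described above: a raw secret, a hashed value, and a redundant nested call. The allow-list of hash functions and the sample configuration are assumptions made for the illustration.

```python
import re

# Assumed policy: only these one-way Terraform functions make a value printable.
ONE_WAY = {"sha256", "sha512", "base64sha256", "base64sha512"}
CALL = re.compile(r"\bnonsensitive\s*\(")
HEAD = re.compile(r"([A-Za-z_]\w*)\s*\(")

def argument(src, start):
    """Text from `start` (just past an opening paren) to its matching ')'."""
    depth, i, quoted = 1, start, False
    while i < len(src):
        ch = src[i]
        if quoted and ch == "\\":
            i += 1                          # skip the escaped character
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
            if depth == 0:
                return src[start:i]
        i += 1
    return src[start:]                      # unbalanced: return the remainder

def audit(src):
    """(line, verdict, argument) per call; text scan, HCL comments not parsed."""
    findings = []
    for m in CALL.finditer(src):
        arg = argument(src, m.end()).strip()
        head = HEAD.match(arg)
        # A wrapper only counts if its parentheses enclose the whole argument.
        wraps = head and head.end() + len(argument(arg, head.end())) == len(arg) - 1
        name = head.group(1) if wraps else None
        verdict = ("redundant" if name == "nonsensitive" else  # plan-time error
                   "hashed" if name in ONE_WAY else "raw")
        findings.append((src.count("\n", 0, m.start()) + 1, verdict, arg))
    return findings

# Constructed sample built from the snippets on this page.
SAMPLE = '''locals {
  a = nonsensitive(var.sensitive_string)
  b = nonsensitive(sha256(var.sensitive_string))
  c = nonsensitive(nonsensitive(var.sensitive_string))
}
'''

if __name__ == "__main__":
    for line, verdict, arg in audit(SAMPLE):
        print(f"line {line}: {verdict:9} nonsensitive({arg})")
```

Any "raw" finding is a call whose output will show the secret in plan output, so it is the one to review before merging.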


Posted on 07/10/2021
