Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: ability to configure variables to mask in the output of terraform plan #16554

Closed
tonglil opened this issue Nov 3, 2017 · 4 comments
Closed

Feature request: ability to configure variables to mask in the output of terraform plan #16554

tonglil opened this issue Nov 3, 2017 · 4 comments
Labels
cli enhancement
Milestone
v0.14.0

Comments

@tonglil
Copy link

tonglil commented Nov 3, 2017

When using TF in automated pipelines, the plan from terraform plan is logged in the output.

It would be nice if we can specify these sensitive variables to be masked so that the plan can be reviewed but not leak secrets.

I searched for mask secret but no relevant issues were found.
@apparentlymart
Copy link
Contributor

apparentlymart commented Nov 3, 2017
edited
Loading

Hi @tonglil,

Terraform currently has some capabilities to mask sensitive values, but it is not fully-general.

As a user, you can mark outputs as being sensitive using the sensitive = true argument.

Individual resource attributes can also be marked as sensitive by the provider developer, in which case they will be hidden from the plan output.

If there is a resource attribute you're using that accepts a sensitive value but is not marked as sensitive (doesn't show values as <sensitive> in the plan) then you could open an issue in the relevant provider repository (see the terraform-providers GitHub organization) and the maintainers of that provider may be able to mark it as such for a future version.

We do eventually plan to track sensitive values more comprehensively so that e.g. if you interpolate a sensitive attribute into another expression Terraform will treat that second result as sensitive too. That is not yet possible since we need to do some more work on Terraform Core to have enough information available to implement that, but it is a long-term goal that we are working towards as part of some current work to improve how Terraform represents configuration values internally.

@tonglil
Copy link
Author

tonglil commented Nov 6, 2017

cc @sbower

@lkysow lkysow mentioned this issue Jul 4, 2018
Open
@caryyu caryyu mentioned this issue Feb 28, 2019
Closed
@pkolyvas pkolyvas mentioned this issue Dec 2, 2019
Closed
@jgiannuzzi jgiannuzzi mentioned this issue Jun 23, 2020
Open
@pselle pselle added this to the v0.14.0 milestone Oct 28, 2020
@apparentlymart
Copy link
Contributor

In Terraform v0.14.0 you can now mark input variables as being sensitive, which will cause Terraform to hide values derived from them when printing out the plan and other similar output. If you try that out and have feedback about it, please open a new feature request issue to discuss any additional use-cases that feature isn't covering.

@ghost
Copy link

ghost commented Jan 2, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked as resolved and limited conversation to collaborators Jan 2, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
cli enhancement
Projects
None yet
Milestone
v0.14.0
Development

No branches or pull requests
3 participants
@apparentlymart @pselle @tonglil