
Hide sensitive values when showing stored plan #27577

Closed
alisdair opened this issue Jan 22, 2021 · 5 comments · Fixed by #28201

@alisdair (Contributor)

Current Terraform Version

Terraform v0.15.0-dev
on darwin_amd64

Use-cases

The CLI output of terraform plan hides sensitive values from the diff display, in order to prevent accidental display of sensitive information. At the moment, storing the plan in a file and later rendering it does not behave in the same way, and sensitive values are displayed:

[screenshot: plan-vs-show]

It would be useful to add support for sensitive value hiding for workflows which store a plan artifact for later use.

Similarly extending the JSON plan file format to include this information would allow building tools to display stored plans while still obscuring sensitive values.

Note that I do not consider this a security issue, as this is purely a UI issue—storing sensitive values in the plan file is expected.

Proposal

I think the underlying issue is that the plan file does not currently include information about sensitive values, so Terraform cannot hide sensitive values when reading a stored plan.

Proposals:

  • Extend the binary plan file format to include enough information to determine which values are sensitive when later displaying it with terraform show my.plan
  • Update terraform show if necessary to hide those values, so that terraform plan and terraform show my.plan show the same diff UI
  • Extend the JSON plan file format to allow other tools to determine which values are sensitive, to allow building tools which display plans to hide sensitive values too
@alisdair alisdair added enhancement new new issue not yet triaged labels Jan 22, 2021
@jgrumboe

Hi @alisdair

I'm not a contributor yet, but I wanted to look into this.
So I tried to reproduce it, but I can't.

I'm using this main.tf:

resource "random_pet" "bar" {
  prefix = "foo"
}

I tried terraform version 0.14.4 and 0.15.0-alpha20210107. Both give the same output where prefix isn't a sensitive value.
With both versions the output is as follows:
[screenshot]

@jgrumboe

On the other hand, I tried with a different resource tfe_agent_token, which has a sensitive value token.
And terraform 0.14.4 and 0.15.0-alpha20210107 behave correctly in not exposing the sensitive value.
[screenshot]
Sorry, but for me, it works correctly.

@alisdair (Contributor, Author)

The issue is with sensitive values, not sensitive attributes. There are several uses of the term "sensitive" in Terraform which are related but not identical.

Here's a configuration which reproduces the issue:

variable "foo" {
  default = "foo"
  sensitive = true
}

resource "random_pet" "pet" {
  prefix = var.foo
}
  • terraform init
  • terraform plan -out foo.plan: this renders prefix = (sensitive value)
  • terraform show foo.plan: this incorrectly renders prefix = "foo"

Note that while it may be interesting to look into, this particular enhancement isn't a great case for a first contribution. It will mean changing the plan file format and the JSON equivalent, which we have to be very careful about doing in order not to break backwards compatibility.
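
As an added example (not code from this issue or from Terraform itself) of the JSON-plan proposal in the original post: a small renderer that takes a `terraform show -json`-shaped resource change and hides every attribute flagged by a sensitivity mask, so a tool displaying a stored plan prints `prefix = (sensitive value)` rather than `prefix = "foo"`. The mask field name `after_sensitive` and the sample plan below are assumptions constructed for this example.

```python
import json

SENSITIVE = "(sensitive value)"  # the placeholder terraform plan prints

# Constructed sample in the shape of a `terraform show -json` plan: the
# random_pet.pet resource from the reproduction above, plus a sensitivity
# mask (`after_sensitive`, an assumed field name) flagging `prefix` because
# it came from the sensitive variable `foo`.
SAMPLE_PLAN = json.loads("""{
  "resource_changes": [{
    "address": "random_pet.pet",
    "change": {
      "actions": ["create"],
      "before": null,
      "after": {"prefix": "foo", "length": 2, "separator": "-"},
      "after_sensitive": {"prefix": true}
    }
  }]
}""")


def mask_sensitive(value, mask):
    """Replace every position that `mask` flags in `value` with SENSITIVE.

    `mask` mirrors the shape of `value`: `true` marks a sensitive leaf and a
    dict/list carries flags for its children. Anything else, including a
    missing mask (the pre-fix plan file), means "not sensitive", so the raw
    value is shown: exactly the behaviour this issue reports.
    """
    if mask is True:
        return SENSITIVE
    if isinstance(value, dict) and isinstance(mask, dict):
        return {k: mask_sensitive(v, mask.get(k, False)) for k, v in value.items()}
    if isinstance(value, list) and isinstance(mask, list):
        return [mask_sensitive(v, mask[i] if i < len(mask) else False)
                for i, v in enumerate(value)]
    return value


def render_after(resource_change):
    """Render one resource change's planned attributes as plan-style lines."""
    change = resource_change["change"]
    after = mask_sensitive(change.get("after") or {},
                           change.get("after_sensitive", {}))
    lines = [f"# {resource_change['address']} will be {change['actions'][0]}d"]
    for key in sorted(after):
        shown = after[key] if after[key] == SENSITIVE else json.dumps(after[key])
        lines.append(f"  + {key} = {shown}")
    return lines
```

Feeding the same resource change without the mask reproduces the leak described in this issue, which is the point of carrying the sensitivity information in the plan file.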

@jgrumboe

@alisdair Thanks for the explanation and the example, now I see. And also confirm 😉
And thanks for the hint on the first contribution. Let's see if I file a PR. 😄

@ghost commented Apr 29, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked as resolved and limited conversation to collaborators Apr 29, 2021