add the ability for terraform state show to display sensitive values. #32439

Open
james-lawrence opened this issue Dec 27, 2022 · 4 comments
Labels
enhancement new new issue not yet triaged

Comments

james-lawrence commented Dec 27, 2022

Terraform Version

terraform version
Terraform v1.3.6
on linux_amd64

Use Cases

right now extracting a sensitive value is unnecessarily complicated.

  1. the sensitive values are easily viewable in the state file. a simple terraform state pull will let anyone see them.
  2. terraform state show doesn't provide an option to view them (note terraform show does)

instead of having a nice experience with terraform I'm forced to pull the state file and investigate it manually.

it should be as simple as terraform state show -json my.resource to see the values; instead, one has to go through a multi-step process to find the value.

Attempted Solutions

vim/jq/etc anything that can view / process the json state file.

Proposal

given that the data is already available; making it stupidly annoying to extract the values is just security through obscurity bullshit and doesn't actually provide any reasonable value to the tool beyond preventing accidental exposure in logs etc.

References

No response

@james-lawrence james-lawrence added enhancement new new issue not yet triaged labels Dec 27, 2022
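
The opening post says sensitive values are readable in the output of terraform state pull. As an added example (not from the issue or the Terraform project), this script reports which marked-sensitive attributes are stored in a pulled state, printing names only. The sample state, the resource types and the `sensitive_attributes` path layout are assumptions based on the version 4 state format.

```python
import json
import sys

# Constructed sample in the version 4 layout that `terraform state pull` prints.
# Resource types, names and values are hypothetical.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.3.6",
    "resources": [
        {"mode": "managed", "type": "example_database", "name": "main",
         "instances": [{
             "attributes": {"name": "app", "password": "constructed-secret"},
             "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"module": "module.app", "mode": "managed", "type": "example_token", "name": "ci",
         "instances": [{
             "index_key": "deploy",
             "attributes": {"secret": "constructed-token"},
             "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]]}]},
        {"mode": "data", "type": "example_region", "name": "current",
         "instances": [{"attributes": {"id": "r1"}, "sensitive_attributes": []}]},
    ],
}

def address(res, inst):
    """Rebuild the resource address that `terraform state show` takes."""
    addr = f'{res["type"]}.{res["name"]}'
    if res.get("mode") == "data":
        addr = "data." + addr
    if res.get("module"):
        addr = f'{res["module"]}.{addr}'
    if inst.get("index_key") is not None:
        addr += f'[{json.dumps(inst["index_key"])}]'
    return addr

def audit(state):
    """Map each address to the marked-sensitive attributes whose values sit in the state."""
    findings = {}
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            # Assumption: each path is a list of steps; the first step names the attribute.
            marked = {p[0]["value"] for p in inst.get("sensitive_attributes") or []
                      if p and p[0].get("type") == "get_attr"}
            hits = sorted(n for n in marked if attrs.get(n) is not None)
            if hits:
                findings[address(res, inst)] = hits
    return findings

if __name__ == "__main__":
    # Usage: terraform state pull | python3 audit_state.py   (no piped input: use the sample)
    state = SAMPLE_STATE if sys.stdin.isatty() else json.load(sys.stdin)
    for addr, names in audit(state).items():
        print(addr, ", ".join(names))
```

Attributes that only a provider schema flags as sensitive may not be listed in `sensitive_attributes`, so an empty report does not mean the state holds no secrets.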
Collaborator

crw commented Jan 6, 2023

Thanks for this request!

Contributor

itspooya commented Jan 21, 2023

@crw
Hi,
I suggest the addition of a --ignore-sensitive flag to the Terraform command line interface. This flag would allow users to display sensitive data in output and if --ignore-sensitive outputname is used, it would ignore sensitive information for the specified output. This feature would improve usability and make it easier for users to access sensitive information when necessary.
If you think this is a good solution, I can work on it.

@PaulRudin

It's not just terraform state - it's very annoying to have to jump through all sorts of hoops in order to figure out what will change when doing terraform plan.

@itspooya
Contributor

if it is acceptable on your side I would like to work on it
