Need to display sensitive data output variables in terraform

Question

The following code snippet is my terraform configuration to create an Azure SignalR Service:

output "signalrserviceconnstring" {
  value = azurerm_signalr_service.mysignalrservice.primary_connection_string
  description = "signalR service's primary connection string"
  sensitive = true
}

I got an error when sensitive = true is not included but I still do not see the output results on the console. What's the solution or workaround for this problem?

score 66 · Accepted Answer · answered May 22 '21 at 14:20

66

The entire point of sensitive = true is to prevent the values from being displayed on the console every time you run terraform apply. You have to output the sensitive value explicitly, like this:

terraform output signalrserviceconnstring

I highly suggest reading the documentation.

answered May 22 '21 at 14:20

Mark B

183,023
24
297
295

1

As far as I know this doesn't work for planned changes. Is there something similar to verify if changes to sensitive values are correct before they are applied? – Paul Apr 25 '22 at 14:42

score 43 · Answer 2 · answered Aug 31 '21 at 15:05

43

You could use function nonsensitive like this

    output "mysecret" {
      value = nonsensitive(var.mysecret)
    }

answered Aug 31 '21 at 15:05

OlegG

927
9
11

12

This is also useful for the interactive `$ terraform console` command. Without formally declaring an output, `> nonsensitive(var.mysecret)` will print the secret! – N1ngu Apr 22 '22 at 12:17
This is also useful when testing with `terraform plan` command to test if the output string is what you expect to be. After tests you just remove the output so nothing will be saved. – JB68 Jul 28 '22 at 16:53
This is the only thing I could make work. Even setting `sensitive = false` terraform refused to print it. Really hard to debug when you can't see anything, and it's even more maddening because I didn't mark it sensitive in the first place! Terraform just decided it was sensitive because (I assume) of some of the names inside the contents. – Freedom_Ben May 16 '23 at 21:15

score 1 · Answer 3 · answered Aug 24 '23 at 17:07

1

If you want to get a sensitive value from the state rather than from the output, use this:

$ terraform show -json | \
  jq '.values.root_module.resources[] | select(.address == "tls_private_key.ssh_key")' 
{
  "address": "tls_private_key.server_ssh_key",
  "type": "tls_private_key",
  "name": "server_ssh_key",
  ...
  "values": {
    "algorithm": "ED25519",
    "private_key_openssh": "-----BEGIN OPENSSH PRIVATE KEY-----\n...",
    ...
  }
}

answered Aug 24 '23 at 17:07

kolypto

31,774
17
105
99

I believe this is the best solution that fits in every use cases – Matias Bertani Aug 31 '23 at 15:20

Need to display sensitive data output variables in terraform

3 Answers3

Linked

Related