terraform,

Show sensitive output values in Terraform

May 16, 2022 · 1 min read · Post a comment
Show sensitive output values in Terraform

Starting from Terraform version 0.14 the output values marked as sensitive, are being obscured. I’ll take the following TF output code block as an example:

output "cloudflare_access_secret" {
  value     = azuread_application_password.cloudflare_access.value
  sensitive = true
}

Now, if I run terraform apply the result will be:

cloudflare_access_secret = <sensitive>

Let me show you three ways on how you could expose the output value.

Prerequisites

  • Terraform

Solution(s)

terraform output command

Run the following command:

terraform output cloudflare_access_secret

The nonsensitive function

The nonsensitive TF function displays the raw value by returning a copy of it without the sensitive flag. Modify the output block as the following:

output "cloudflare_access_secret" {
  value = nonsensitive(azuread_application_password.cloudflare_access.value)
}

Note(s): The function is available from TF version 0.15 and later.

terraform plan & show

Lastly, a two-command solution.

terraform plan -out=tfplan
terraform show -json tfplan

Conclusion

As usual, I strongly encourage against exposing any kind of sensitive outputs especially the ones being part of a CI/CD pipeline and production environments. Instead, use a secret management solution—HashiCorp Vault or any cloud-based managed service.
On another note, follow our official channel on Telegram.