Show sensitive output values in Terraform

May 16, 2022 · 1 min read

Starting with Terraform version 0.14, output values marked as sensitive are obscured. I’ll take the following TF output code block as an example:

output "cloudflare_access_secret" {
  value     = azuread_application_password.cloudflare_access.value
  sensitive = true
}

Now, if I run terraform apply the result will be:

cloudflare_access_secret = <sensitive>

Let me show you three ways to reveal the output value.

Prerequisites

  • Terraform

Solution(s)

terraform output command

Run the following command:

terraform output cloudflare_access_secret

The nonsensitive function

The nonsensitive TF function returns a copy of the value without the sensitive marking, so Terraform displays the raw value. Modify the output block as follows:

output "cloudflare_access_secret" {
  value = nonsensitive(azuread_application_password.cloudflare_access.value)
}

Note(s): The function is available from TF version 0.15 and later.

terraform plan & show

Lastly, a two-command solution: save the plan to a file, then render it as JSON, which prints sensitive values in plain text.

terraform plan -out=tfplan
terraform show -json tfplan
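
Because the JSON rendering carries secrets in plain text, it is worth checking a plan file before it is archived or logged. The following is an added example, not code from the original post: it walks the `before_sensitive` / `after_sensitive` masks that Terraform writes next to each change and lists where a flagged value is present. The sample plan, the `tenant_name` output and the function names are constructed for illustration, and only `output_changes` and `resource_changes` are inspected.

```python
import json
import sys

# Constructed sample shaped like `terraform show -json tfplan` output; the
# field names follow Terraform's JSON plan format, the values are made up.
SAMPLE_PLAN = {
    "output_changes": {
        "cloudflare_access_secret": {
            "before": None, "after": "constructed-secret",
            "before_sensitive": True, "after_sensitive": True},
        "tenant_name": {"before": "example", "after": "example",
                        "before_sensitive": False, "after_sensitive": False},
    },
    "resource_changes": [{
        "address": "azuread_application_password.cloudflare_access",
        "change": {
            "before": None,
            "after": {"display_name": "cf", "value": "constructed-secret"},
            "before_sensitive": False, "after_sensitive": {"value": True}},
    }],
}

def sensitive_paths(value, mask, path):
    """Yield paths where the sensitivity mask is true and a value is present."""
    if mask is True:
        if value is not None:
            yield path
    elif isinstance(mask, dict) and isinstance(value, dict):
        for key, sub in mask.items():
            yield from sensitive_paths(value.get(key), sub, f"{path}.{key}")
    elif isinstance(mask, list) and isinstance(value, list):
        for i, (item, sub) in enumerate(zip(value, mask)):
            yield from sensitive_paths(item, sub, f"{path}[{i}]")

def audit_plan(plan):
    """Return sorted locations of plaintext values Terraform flags as sensitive."""
    changes = {f"output.{n}": c for n, c in plan.get("output_changes", {}).items()}
    for rc in plan.get("resource_changes", []):
        changes[rc["address"]] = rc.get("change", {})
    found = []
    for name, change in changes.items():
        for side in ("before", "after"):
            mask = change.get(f"{side}_sensitive", False)
            found += sensitive_paths(change.get(side), mask, f"{name}:{side}")
    return sorted(found)

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for location in audit_plan(plan):
        print("sensitive value in plaintext:", location)
```

A pipeline step can refuse to upload the plan JSON as an artifact when `audit_plan` returns a non-empty list.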

Conclusion

As usual, I strongly advise against exposing any kind of sensitive output, especially in CI/CD pipelines and production environments. Instead, use a secret management solution such as HashiCorp Vault or a cloud-based managed service.