
'Output refers to sensitive values' error in Terraform

May 18, 2022 · 1 min read

Before Terraform ver. 0.14 you could easily leak a secret by making it part of an output value. This usually happens in a CI/CD pipeline. These days Terraform will throw an error whenever you try to do the same.

Prerequisites

  • Terraform

Solution

If I take the following Terraform code block as an example:

data "azuread_client_config" "current" {}

resource "azuread_application" "cloudflare_access" {
  display_name     = "DevCoops"
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMyOrg"
}

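# The azuread_application_password.cloudflare_access resource referenced below
# is not shown here; it is assumed to be declared elsewhere in the configuration.
output "cloudflare_access_secret" {
  value = azuread_application_password.cloudflare_access.value
}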

It may not be obvious at first sight, but if I try to run terraform plan or terraform apply I’ll get:

╷
│ Error: Output refers to sensitive values
│ 
│   on outputs.tf line 9:
│   9: output "cloudflare_access_secret" {
│ 
│ To reduce the risk of accidentally exporting sensitive data that was intended to be only internal, Terraform requires that any root module output
│ containing sensitive data be explicitly marked as sensitive, to confirm your intent.
│ 
│ If you do intend to export this data, annotate the output value as sensitive by adding the following argument:
│     sensitive = true

The solution is crystal clear. Add sensitive = true below the output value. In my case:

output "cloudflare_access_secret" {
  value     = azuread_application_password.cloudflare_access.value
  sensitive = true
}

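Keep in mind that sensitive = true only redacts the value in Terraform's CLI output; the value is still stored in plain text in the state file. If you really want to show the output value, check out "Show sensitive output values in Terraform".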
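The CI/CD leak mentioned at the top can still happen after this fix, because `terraform output -json` prints sensitive values in plain text. As an added example (not from the original post), this Python check masks sensitive outputs before they are logged and scans a pipeline log for their values; the JSON document, the secret, the log lines and the function names are constructed for illustration.

```python
import json

# Constructed sample of what `terraform output -json` prints; the secret is made up.
SAMPLE_OUTPUTS = json.loads("""
{
  "cloudflare_access_secret": {"sensitive": true, "type": "string",
                               "value": "constructed-secret-Zx9~example"},
  "app_display_name": {"sensitive": false, "type": "string", "value": "DevCoops"}
}
""")

# Constructed CI log lines.
SAMPLE_LOG = """\
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
cloudflare_access_secret = <sensitive>
+ echo secret=constructed-secret-Zx9~example
"""


def _string_leaves(value):
    """Yield every string inside a (possibly nested) output value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from _string_leaves(v)


def redact_outputs(outputs):
    """Return a copy that is safe to log: sensitive values are masked."""
    return {
        name: {**o, "value": "<sensitive>"} if o.get("sensitive") else dict(o)
        for name, o in outputs.items()
    }


def find_leaks(outputs, log_text, min_len=8):
    """Return (output name, 1-based log line) pairs where a sensitive value appears."""
    hits = []
    for name, o in outputs.items():
        if not o.get("sensitive"):
            continue
        # Skip very short strings to avoid matching ordinary log words.
        secrets = [s for s in _string_leaves(o.get("value")) if len(s) >= min_len]
        for lineno, line in enumerate(log_text.splitlines(), 1):
            if any(s in line for s in secrets):
                hits.append((name, lineno))
    return hits
```

In a pipeline, the JSON would come from `terraform output -json` and the log text from the job's captured output; a non-empty result from `find_leaks` means the secret should be rotated.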

Conclusion

Nothing much to add though.