Terraform 0.14 Adds the Ability to Redact Sensitive Values in Console Output


Hashicorp

We’re excited to announce that the upcoming Terraform 0.14 release includes the ability to thread the notion of a “sensitive value” throughout Terraform. This first release focuses on input variables and module outputs, with an additional opt-in experiment for values that provider schemas mark as sensitive.

Starting with Terraform 0.14, input variables can be declared “sensitive”. Declaring an input variable as sensitive causes Terraform to redact its value from CLI output. The same is true for module outputs: outputs with sensitive = true set will have their values redacted throughout a Terraform plan.

Redaction applies only to what Terraform prints. Sensitive values are still recorded in plaintext in the state (and in any saved plan file), and so will be visible to anyone who is able to read the state data; protect the state backend with access control and encryption at rest accordingly. For more information, see Sensitive Data in State.

You can define a variable as sensitive by setting the sensitive argument to true:

variable "user_information" {
  type = object({
    name    = string
    address = string
  })
  sensitive = true
}

resource "some_resource" "a" {
  name    = var.user_information.name
  address = var.user_information.address
}

Using this variable anywhere in your configuration redacts the value from plan and apply output:

Terraform will perform the following actions:

  # some_resource.a will be created
  + resource "some_resource" "a" {
      + name    = (sensitive)
      + address = (sensitive)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

In some cases where a sensitive variable is used in a nested block, the whole block is redacted rather than the single attribute. This happens with resources that allow multiple blocks of the same type, where the blocks are identified by their values rather than by a key, so Terraform cannot safely display a partial diff and hides the entire block. This looks like:

Terraform configuration:

# main.tf

resource "some_resource" "a" {
  nested_block {
    user_information  = var.user_information # a sensitive variable
    other_information = "not sensitive data"
  }
}

Terraform CLI output:

Terraform will perform the following actions:

  # some_resource.a will be updated in-place
  ~ resource "some_resource" "a" {
      ~ nested_block {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

Another important addition in Terraform 0.14 is that declaring a module output as “sensitive” gives it the same behavior as a variable declared “sensitive”: the output value is redacted even where it is consumed elsewhere in the Terraform plan. For more information on how sensitive values propagate through module outputs, please see our updated documentation.
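As an added example (not part of the original post), here is a child module whose output is derived from a sensitive input, and a root module that consumes that output. The module path, the resource names and the use of the hashicorp/null provider are assumptions chosen so the configuration can actually be applied; `null_resource` stands in for any resource that accepts the value.

```hcl
# modules/database/variables.tf (assumed module path)
variable "admin_password" {
  type      = string
  sensitive = true
}

# modules/database/main.tf
# null_resource is a stand-in for a real resource that accepts the secret.
resource "null_resource" "db" {
  triggers = {
    password = var.admin_password # shown as (sensitive) in the plan
  }
}

# modules/database/outputs.tf
output "connection_string" {
  # Derived from a sensitive input, so the output is marked sensitive too;
  # it stays redacted wherever the root module uses it.
  value     = "postgres://admin:${var.admin_password}@db.internal/app"
  sensitive = true
}

# main.tf (root module)
terraform {
  required_version = "~> 0.14.0"
  required_providers {
    null = { source = "hashicorp/null" }
  }
}

variable "db_admin_password" {
  type      = string
  sensitive = true
}

module "database" {
  source         = "./modules/database"
  admin_password = var.db_admin_password
}

# Consuming the module output in another resource keeps it redacted in plan output.
resource "null_resource" "app" {
  triggers = {
    connection = module.database.connection_string
  }
}

# A root output that exposes the module output must itself be marked sensitive.
# Terraform 0.14 rejects a root output that refers to a sensitive value without
# sensitive = true ("Output refers to sensitive values").
output "db_connection_string" {
  value     = module.database.connection_string
  sensitive = true
}
```

After `terraform init` and `terraform apply -var db_admin_password=...`, both `null_resource` triggers and the root output appear as `(sensitive)` in the plan. The value is nonetheless present in the state: `terraform state pull` returns it in plaintext, which is the reason the state backend, not the CLI redaction, is the actual security boundary.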

Enabling Provider-Schema-Based Sensitive Values

Terraform 0.14 also builds on the attributes that a provider’s schema marks as “sensitive”. Previously, that mark only prevented the attribute’s own value from being displayed in logs or regular output. Terraform 0.14 extends this by propagating the sensitive mark through the plan, so values derived from such an attribute are redacted as well.

Because this new behavior may introduce redacted values in places where users do not expect them, particularly module outputs that were never explicitly set with a sensitive=true attribute, we’re asking practitioners to opt in to provider-schema sensitivity. To give the community time to understand and experiment with the behavior, it must be enabled in each module where it is desired.

To experiment with provider-based sensitive values, enable the experimental feature by adding the following terraform block to any module being used to evaluate the behavior:

terraform {
  experiments = [provider_sensitive_attrs]
}
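As an added example (not from the original post), the following root module enables the experiment and uses `random_password`, whose `result` attribute the hashicorp/random provider schema marks as sensitive. The resource names and the use of the null provider are assumptions; the comments describe the behavior the post attributes to the experiment, contrasted with the pre-0.14 behavior.

```hcl
# main.tf (root module, Terraform 0.14 beta)
terraform {
  required_version = "~> 0.14.0"
  experiments      = [provider_sensitive_attrs]
  required_providers {
    random = { source = "hashicorp/random" }
    null   = { source = "hashicorp/null" }
  }
}

# The provider schema marks `result` as sensitive. Before 0.14 that only hid
# this attribute on this resource; with the experiment enabled the sensitive
# mark follows the value into every expression that uses it.
resource "random_password" "db" {
  length  = 24
  special = true
}

# null_resource stands in for any resource that receives the generated secret.
# With the experiment on, `password` is printed as (sensitive) in the plan;
# without it, the plaintext result would appear in the diff.
resource "null_resource" "db_config" {
  triggers = {
    password = random_password.db.result
  }
}

# With the experiment on, the provider's sensitive mark reaches this output,
# so it has to be declared sensitive explicitly; this is the "redacted values
# where they aren't expected" case the post warns about for module outputs.
output "db_password" {
  value     = random_password.db.result
  sensitive = true
}
```

Enable the experiment module by module while evaluating the beta: child modules that output provider-sensitive values without their own `sensitive = true` are where the new redaction is most likely to surprise existing callers.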

Getting Started with the Terraform 0.14 Beta

To get started using Terraform 0.14:

  • Download the latest Terraform 0.14 beta release.
  • If you are upgrading from a previous release, read the draft upgrade guide to learn about taking advantage of Terraform 0.14’s new features.

As with all pre-release builds, remember that v0.14.0-beta1 may still contain bugs and it should not be used in a production setting. We welcome your feedback on the beta. If you run into an issue, please file a new bug report in GitHub. Please check the known issues list before filing to see if your issue has already been reported.

To evaluate Terraform 0.14 betas as part of your Terraform Cloud workflow, please write to support@hashicorp.com to have Terraform beta access added to your organization.
