-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
core: Add support for marking outputs as sensitive #6559
Conversation
This commit allows an output to be marked "sensitive", in which case the value is redacted in the post-refresh and post-apply list of outputs. For example, the configuration: ``` variable "input" { default = "Hello world" } output "notsensitive" { value = "${var.input}" } output "sensitive" { sensitive = true value = "${var.input}" } ``` Would result in the output: ``` terraform apply Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: notsensitive = Hello world sensitive = <sensitive> ``` The `terraform output` command continues to display the value as before. Limitations: Note that sensitivity is not tracked internally, so if the output is interpolated in another module into a resource, the value will be displayed. The value is still present in the state.
Needs docs - basically just convert what you wrote for the commit message over onto this page https://www.terraform.io/docs/configuration/outputs.html |
@@ -250,7 +251,7 @@ func (c *ApplyCommand) Run(args []string) int { | |||
} | |||
|
|||
if !c.Destroy { | |||
if outputs := outputsAsString(state); outputs != "" { | |||
if outputs := outputsAsString(state, ctx.Module().Config().Outputs); outputs != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Module()
and Config()
are guaranteed to be non-nil?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, if we have got to this stage.
Functionality and code looking good. Two Qs inline. |
state, and available using the `terraform output` command, so cannot be | ||
relied on as a sole means of protecting values. | ||
* sensitivity is not tracked internally, so if the output is interpolated in | ||
another module into a resource, the value will be displayed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit - capitalize first words
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Other than the tiny casing nit you are free to ignore - this LGTM! |
* core: Add support for marking outputs as sensitive This commit allows an output to be marked "sensitive", in which case the value is redacted in the post-refresh and post-apply list of outputs. For example, the configuration: ``` variable "input" { default = "Hello world" } output "notsensitive" { value = "${var.input}" } output "sensitive" { sensitive = true value = "${var.input}" } ``` Would result in the output: ``` terraform apply Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: notsensitive = Hello world sensitive = <sensitive> ``` The `terraform output` command continues to display the value as before. Limitations: Note that sensitivity is not tracked internally, so if the output is interpolated in another module into a resource, the value will be displayed. The value is still present in the state.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
This pull request allows an output to be marked "sensitive", in which case the value is redacted in the post-refresh and post-apply list of outputs.
The configuration:
Would result in the output:
The
terraform output
command continues to display the value as before.Note that sensitivity is not tracked internally, so if the output is interpolated in another module into a resource, the value will be displayed. The value is still present in the state.