Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

core: Add support for marking outputs as sensitive #6559

Merged
merged 3 commits into from
May 9, 2016
Merged

Conversation

jen20
Copy link
Contributor

@jen20 jen20 commented May 9, 2016

This pull request allows an output to be marked "sensitive", in which case the value is redacted in the post-refresh and post-apply list of outputs.

The configuration:

variable "input" {
    default = "Hello world"
}

output "notsensitive" {
    value = "${var.input}"
}

output "sensitive" {
    sensitive = true
    value = "${var.input}"
}

Would result in the output:

terraform apply

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

  notsensitive = Hello world
  sensitive    = <sensitive>

The terraform output command continues to display the value as before.

Note that sensitivity is not tracked internally, so if the output is interpolated in another module into a resource, the value will be displayed. The value is still present in the state.

This commit allows an output to be marked "sensitive", in which case the
value is redacted in the post-refresh and post-apply list of outputs.

For example, the configuration:

```
variable "input" {
    default = "Hello world"
}

output "notsensitive" {
    value = "${var.input}"
}

output "sensitive" {
    sensitive = true
    value = "${var.input}"
}
```

Would result in the output:

```
terraform apply

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

  notsensitive = Hello world
  sensitive    = <sensitive>
```

The `terraform output` command continues to display the value as before.

Limitations: Note that sensitivity is not tracked internally, so if the
output is interpolated in another module into a resource, the value will
be displayed. The value is still present in the state.
@phinze
Copy link
Contributor

phinze commented May 9, 2016

Needs docs - basically just convert what you wrote for the commit message over onto this page https://www.terraform.io/docs/configuration/outputs.html

@@ -250,7 +251,7 @@ func (c *ApplyCommand) Run(args []string) int {
}

if !c.Destroy {
if outputs := outputsAsString(state); outputs != "" {
if outputs := outputsAsString(state, ctx.Module().Config().Outputs); outputs != "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Module() and Config() are guaranteed to be non-nil?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, if we have got to this stage.

@phinze
Copy link
Contributor

phinze commented May 9, 2016

Functionality and code looking good. Two Qs inline.

state, and available using the `terraform output` command, so cannot be
relied on as a sole means of protecting values.
* sensitivity is not tracked internally, so if the output is interpolated in
another module into a resource, the value will be displayed.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit - capitalize first words

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@phinze
Copy link
Contributor

phinze commented May 9, 2016

Other than the tiny casing nit you are free to ignore - this LGTM!

@jen20 jen20 merged commit b62f6af into master May 9, 2016
@jen20 jen20 deleted the f-sensitive-outputs branch May 9, 2016 19:46
cristicalin pushed a commit to cristicalin/terraform that referenced this pull request May 24, 2016
* core: Add support for marking outputs as sensitive

This commit allows an output to be marked "sensitive", in which case the
value is redacted in the post-refresh and post-apply list of outputs.

For example, the configuration:

```
variable "input" {
    default = "Hello world"
}

output "notsensitive" {
    value = "${var.input}"
}

output "sensitive" {
    sensitive = true
    value = "${var.input}"
}
```

Would result in the output:

```
terraform apply

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

  notsensitive = Hello world
  sensitive    = <sensitive>
```

The `terraform output` command continues to display the value as before.

Limitations: Note that sensitivity is not tracked internally, so if the
output is interpolated in another module into a resource, the value will
be displayed. The value is still present in the state.
@ghost
Copy link

ghost commented Apr 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 26, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants