core: Add support for marking outputs as sensitive #6559
Changes from 2 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,6 +9,7 @@ import ( | |
|
||
"github.com/hashicorp/go-getter" | ||
"github.com/hashicorp/go-multierror" | ||
"github.com/hashicorp/terraform/config" | ||
"github.com/hashicorp/terraform/terraform" | ||
) | ||
|
||
|
@@ -250,7 +251,7 @@ func (c *ApplyCommand) Run(args []string) int { | |
} | ||
|
||
if !c.Destroy { | ||
if outputs := outputsAsString(state); outputs != "" { | ||
if outputs := outputsAsString(state, ctx.Module().Config().Outputs); outputs != "" { | ||
c.Ui.Output(c.Colorize().Color(outputs)) | ||
} | ||
} | ||
|
@@ -376,14 +377,19 @@ Options: | |
return strings.TrimSpace(helpText) | ||
} | ||
|
||
func outputsAsString(state *terraform.State) string { | ||
func outputsAsString(state *terraform.State, schema []*config.Output) string { | ||
if state == nil { | ||
return "" | ||
} | ||
|
||
outputs := state.RootModule().Outputs | ||
outputBuf := new(bytes.Buffer) | ||
if len(outputs) > 0 { | ||
schemaMap := make(map[string]*config.Output) | ||
for _, s := range schema { | ||
schemaMap[s.Name] = s | ||
} | ||
|
||
outputBuf.WriteString("[reset][bold][green]\nOutputs:\n\n") | ||
|
||
// Output the outputs in alphabetical order | ||
|
@@ -400,11 +406,18 @@ func outputsAsString(state *terraform.State) string { | |
for _, k := range keys { | ||
v := outputs[k] | ||
|
||
outputBuf.WriteString(fmt.Sprintf( | ||
" %s%s = %s\n", | ||
k, | ||
strings.Repeat(" ", keyLen-len(k)), | ||
v)) | ||
if schemaMap[k].Sensitive { | ||
Could this panic if I have an output in the state but remove it from config?
It shouldn't at this stage - apply has already run so the state will be modified. |
||
outputBuf.WriteString(fmt.Sprintf( | ||
" %s%s = <sensitive>\n", | ||
k, | ||
strings.Repeat(" ", keyLen-len(k)))) | ||
} else { | ||
outputBuf.WriteString(fmt.Sprintf( | ||
" %s%s = %s\n", | ||
k, | ||
strings.Repeat(" ", keyLen-len(k)), | ||
v)) | ||
} | ||
} | ||
} | ||
|
||
|
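Review bot: In the last hunk the redacted and plain branches each carry their own `outputBuf.WriteString(fmt.Sprintf(...))` call, so the alignment format is duplicated and the branch that prints the raw `v` is the fall-through case. Choosing the displayed text first and writing once keeps the redaction decision in one place and makes the redacted form the default: `shown := "<sensitive>"` followed by `if !schemaMap[k].Sensitive { shown = fmt.Sprintf("%s", v) }`, then a single write with the existing three-verb format string. `outputsAsString` also has no doc comment; something like `// outputsAsString renders the root module outputs for display, showing <sensitive> in place of any output whose config sets Sensitive; the value itself stays in state.` would record that this is display-only redaction. The function's key-sorting section and its return lie outside the visible hunks.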
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
variable "input" { | ||
default = "Hello world" | ||
} | ||
|
||
output "notsensitive" { | ||
value = "${var.input}" | ||
} | ||
|
||
output "sensitive" { | ||
sensitive = true | ||
value = "${var.input}" | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -57,3 +57,27 @@ output NAME { | |
value = VALUE | ||
} | ||
``` | ||
|
||
## Sensitive Outputs | ||
|
||
Outputs can be marked as containing sensitive material by setting the | ||
`sensitive` attribute to `true`, like this: | ||
|
||
``` | ||
output "sensitive" { | ||
sensitive = true | ||
value = VALUE | ||
} | ||
``` | ||
|
||
When outputs are displayed on-screen following a `terraform apply` or | ||
`terraform refresh`, sensitive outputs are redacted, with `<sensitive>` | ||
displayed in place of their value. | ||
|
||
### Limitations of Sensitive Outputs | ||
|
||
* the values of sensitive outputs are still stored in the Terraform | ||
state, and available using the `terraform output` command, so cannot be | ||
relied on as a sole means of protecting values. | ||
* sensitivity is not tracked internally, so if the output is interpolated in | ||
another module into a resource, the value will be displayed. | ||
nit - capitalize first words
👍 |
`Module()` and `Config()` are guaranteed to be non-nil?
Yes, if we have got to this stage.