Before Terraform 0.14, you could easily leak a secret by exposing it as part of an output value, which usually happens in a CI/CD pipeline where outputs end up in job logs. Since 0.14, Terraform throws an error whenever an output refers to a sensitive value without being explicitly marked as sensitive.
Prerequisites
- Terraform
Solution
If I take the following Terraform code block as an example:
data "azuread_client_config" "current" {}

resource "azuread_application" "cloudflare_access" {
  display_name     = "DevCoops"
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMyOrg"
}

# The application password whose value the output below refers to. It is not
# shown in the original snippet and is added here so the example is complete;
# the argument name assumes the azuread provider 2.x schema.
resource "azuread_application_password" "cloudflare_access" {
  application_object_id = azuread_application.cloudflare_access.object_id
}

output "cloudflare_access_secret" {
  value = azuread_application_password.cloudflare_access.value
}
It may not be obvious at first sight, but if I try to run terraform plan or terraform apply, I'll get:
╷
│ Error: Output refers to sensitive values
│
│   on outputs.tf line 9:
│    9: output "cloudflare_access_secret" {
│
│ To reduce the risk of accidentally exporting sensitive data that was intended to be only internal, Terraform requires that any root module output
│ containing sensitive data be explicitly marked as sensitive, to confirm your intent.
│
│ If you do intend to export this data, annotate the output value as sensitive by adding the following argument:
│     sensitive = true
╵
The solution is crystal clear: add sensitive = true below the value argument of the output. In my case:

output "cloudflare_access_secret" {
  value     = azuread_application_password.cloudflare_access.value
  sensitive = true
}
If you really want to show the output value, check out Show sensitive output values in Terraform.
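The error above only fires when Terraform can track the sensitivity of the value, for example when it comes from a provider attribute such as azuread_application_password.value. An output that carries a secret assembled some other way is not caught, so a CI guardrail that checks outputs by name is a useful complement. The following script is an added example and not part of the original post or of Terraform itself: it reads the JSON that terraform output -json produces (a real command whose output format is a map of output name to an object with sensitive, type and value keys) and flags secret-looking output names that are not marked sensitive. The name pattern, the sample JSON and the function name find_unmarked_secret_outputs are constructed for this example.

```python
import json
import re
import sys

# Heuristic for output names that usually carry a secret (constructed for this example).
SECRET_NAME_RE = re.compile(r"(secret|password|passwd|token|api_?key|private_?key)", re.I)


def find_unmarked_secret_outputs(output_json: str) -> list[str]:
    """Return the names of root-module outputs whose name looks secret-like
    but which are not marked `sensitive = true`.

    `output_json` is the text produced by `terraform output -json`, i.e. a map
    {name: {"sensitive": bool, "type": ..., "value": ...}}.
    """
    outputs = json.loads(output_json)
    flagged = []
    for name, entry in outputs.items():
        if entry.get("sensitive") is True:
            continue  # correctly marked, nothing to report
        if SECRET_NAME_RE.search(name):
            flagged.append(name)
    return sorted(flagged)


# Constructed sample resembling `terraform output -json`; the values are dummies.
SAMPLE_OUTPUT_JSON = json.dumps({
    "cloudflare_access_secret": {"sensitive": False, "type": "string", "value": "dummy-secret"},
    "cloudflare_access_app_id": {"sensitive": False, "type": "string", "value": "dummy-app-id"},
    "cloudflare_access_marked": {"sensitive": True, "type": "string", "value": "dummy-secret-2"},
})


if __name__ == "__main__":
    # In CI: terraform output -json | python check_outputs.py
    # Here the constructed sample is used when nothing is piped in.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT_JSON
    unmarked = find_unmarked_secret_outputs(text or SAMPLE_OUTPUT_JSON)
    # Only names are printed; the values themselves never reach the job log.
    for name in unmarked:
        print(f"output {name!r} looks like a secret but is not marked sensitive")
    sys.exit(1 if unmarked else 0)
```

Note that terraform output -json prints the plaintext of sensitive outputs as well, so the script deliberately reports only output names, and the command's output should not itself be echoed into the pipeline log.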
Conclusion
Nothing much to add though. On a side note, follow our official channel on Telegram.