Terraform
2024-10-29
5 min read
DevOps Daily Team

How to Display Sensitive Data Output Variables in Terraform

How to Display Sensitive Data Output Variables in Terraform

TLDR

Terraform allows you to mark output variables as sensitive to prevent them from being displayed in the CLI. However, you can override this behavior if you need to display sensitive data for debugging or other purposes. Use caution when handling sensitive outputs.

Terraform's sensitive attribute for output variables is a useful feature for hiding sensitive data, such as passwords or API keys, from being displayed in the CLI. However, there are scenarios where you might need to display this data, such as debugging or testing. This guide will show you how to handle sensitive output variables safely.

Why Mark Outputs as Sensitive?

  • Security: Prevents sensitive data from being exposed in logs or shared environments.
  • Compliance: Helps meet security and compliance requirements by limiting data exposure.

Defining Sensitive Output Variables

You can mark an output variable as sensitive by setting the sensitive attribute to true.

output "db_password" {
  value     = aws_secretsmanager_secret.example.secret_string
  sensitive = true
}

When you run terraform apply, the sensitive output will not be displayed in the CLI.

Displaying Sensitive Outputs

If you need to display sensitive outputs, you can use the terraform output command with the -json flag and process the output programmatically.

Example: Displaying Sensitive Outputs 

terraform output -json | jq '.db_password.value'

This command extracts the sensitive value using jq, a lightweight JSON processor.

Overriding Sensitivity

You can temporarily override the sensitivity of an output variable by removing the sensitive attribute. However, this should only be done in non-production environments.

Example: Removing Sensitivity 

output "db_password" {
  value = aws_secretsmanager_secret.example.secret_string
}

Best Practices

  • Limit Exposure: Only display sensitive outputs when absolutely necessary.
  • Use Secure Tools: Use tools like jq to process sensitive outputs securely.
  • Audit Logs: Monitor logs to ensure sensitive data is not exposed.
  • Environment-Specific Configurations: Use different configurations for production and non-production environments.

By understanding how to handle sensitive output variables in Terraform, you can balance the need for visibility with the importance of security.

Published: 2024-10-29|Last updated: 2024-10-29T09:00:00Z

Tags

TerraformSecurityOutput VariablesDevOps

Found an issue?

Related Posts

How to Use the AWS account_id Variable in Terraform

2025-06-20|5 min read

Terraform Conditionals: Handling Non-Existent Variables

2025-06-01|5 min read

Best practices when using Terraform?

2025-03-21|6 min read