Because no variable metadata is passed to the provider, and there is no way to mark a variable as a secret, any time you taint the resource, the provider just dumps all variables on the plan.
So any secret and sensitive variables, like passwords or keys, are just dumped in the logs. Really, really bad.
I suggest a variable like `secrets_vars`, which is just obfuscated from output.