hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Manual sensitivity override for resource attributes #29331

Open FWest98 opened 3 years ago

FWest98 commented 3 years ago

Current Terraform Version

Terraform v1.0.4
on linux_amd64

Use-cases

A provider output could sometimes be sensitive, but sometimes not. For example: configuration transpilers that convert human-readable formats to machine-readable formats such as the Container Linux transpiler (https://github.com/poseidon/terraform-provider-ct). Usually, the configuration is not sensitive, but sometimes, the configuration is sensitive.

Currently, I am able to mark the input as sensitive, to prevent the data from showing in the console output. However, the output is not marked sensitive by the provider developer (since usually this is non-sensitive indeed), and thus the output does show in my console.

I would like to be able to mark the output as sensitive as well, some kind of manual override of some sort.

Attempted Solutions

I don't know of a way to mark the provider output as sensitive without changing the provider code.

Proposal

I don't know the best way to achieve this. Some first thoughts:

References

Not that I know of

jbardin commented 3 years ago

Hi @FWest98,

An output value can be marked as sensitive in the configuration, and there is also the sensitive function, which can be used to mark a value as sensitive in any context.

Do either of these existing methods work for your use case?

FWest98 commented 3 years ago

I know about these, but in my case a provider resource provides an output that is not marked sensitive, that I want to mark sensitive by hand. At the moment, when this provider output changes, it will show the result in my console while I would want it to show (sensitive). I don't believe that is possible, right? The output from this provider resource is not used in other places in my configuration.

jbardin commented 3 years ago

Thanks @FWest98, I see what you mean now. No, you cannot change the sensitivity of a resource attribute, as that is part of its schema, which is outside the control of Terraform. This means that changes to the attribute's value will be displayed in the UI, even though those attributes are fed into other values marked as sensitive.

FWest98 commented 3 years ago

Exactly, I missed the "resource attribute" terminology but that is exactly my feature request. I think there are more use cases for this, such as the local_file data source, which currently also is not marked sensitive (of course, in this case, file() is an alternative).
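
The two existing mechanisms mentioned in the thread (an output marked `sensitive` and the `sensitive` function), combined with the `file()` alternative from the last comment, as an added example that is not part of the original thread. The file path and all block names are hypothetical.

```hcl
# Added example; the file path and all names are hypothetical.

# Before: the provider schema does not mark `content` as sensitive (as the
# thread notes), so Terraform treats the value as displayable and the
# configuration cannot change that.
data "local_file" "ignition" {
  filename = "${path.module}/secrets/ignition.json"
}

output "ignition_plain" {
  # Printed in clear text by `terraform output`.
  value = data.local_file.ignition.content
}

# After: read the file with file() instead of the data source and mark the
# value as sensitive in configuration. Everything derived from
# local.ignition inherits the mark and is rendered as (sensitive).
locals {
  ignition = sensitive(file("${path.module}/secrets/ignition.json"))
}

# An output that refers to a sensitive value must declare sensitive = true;
# Terraform rejects the configuration otherwise.
output "ignition" {
  value     = local.ignition
  sensitive = true
}
```

Marking a value as sensitive only changes how it is displayed; the value is still written to the state file in plain text, so access to the state backend needs to be restricted accordingly.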