Open FWest98 opened 3 years ago
Hi @FWest98,
An output
value can be marked as sensitive
in the configuration, and there is also the sensitive
function, which can be used to mark a value as sensitive in any context.
Do either of these existing methods work for your use case?
I know about these, but in my case a provider resource provides an output that is not marked sensitive, that I want to mark sensitive by hand. At the moment, when this provider output changes, it will show the result in my console while I would want it to show (sensitive)
. I don't believe that is possible, right? The output from this provider resource is not used in other places in my configuration.
Thanks @FWest98, I see what you mean now. No, you cannot change the sensitivity of a resource attribute, as that is part of its schema, which is outside the control of Terraform. This means that changes to the attribute's value will be displayed in the UI, even though those attributes are fed into other values marked as sensitive.
Exactly, I missed the "resource attribute" terminology but that is exactly my feature request. I think there are more use cases for this; such as the local_file
data source which currently also is not marked sensitive (of course, in this case, file()
is an alternative)
Current Terraform Version
Use-cases
A provider output could sometimes be sensitive, but sometimes not. For example: configuration transpilers that convert human-readable formats to machine-readable formats such as the Container Linux transpiler (https://github.com/poseidon/terraform-provider-ct). Usually, the configuration is not sensitive, but sometimes, the configuration is sensitive.
Currently, I am able to mark the input as sensitive, to prevent the data from showing in the console output. However, the output is not marked sensitive by the provider developer (since usually this is non-sensitive indeed), and thus the output does show in my console.
I would like to be able to mark the output as sensitive as well, some kind of manual override of some sort.
Attempted Solutions
I don't know of a way to mark the provider output as sensitive without changing the provider code.
Proposal
I don't know the best way to achieve this. Some first thoughts:
isOutputSensitive
to manually change the sensitivity of the respective output.output { some_field { sensitive = true } }
, but that might be too complicatedReferences
Not that I know of