toowoxx / terraform-provider-packer

Terraform Provider for HashiCorp Packer
Mozilla Public License 2.0

Sensitive packer variables end up in terraform output when a run fails #16

Closed jwoudenberg closed 1 month ago

jwoudenberg commented 8 months ago

Describe the bug I've a packer file with a couple of sensitive variables. I'm using this provider to run it in terraform cloud. When the packer specification contains an error the terraform cloud build fails, as expected. The error displayed in terraform cloud UI shows the packer command invoked, listing all the -var key=val arguments, including sensitive values.

To Reproduce

  1. Create a packer specification containing a sensitive variable and an error preventing it from being built
  2. Create a terraform specification building the packer specification using this provider, passing the variable from terraform
  3. Apply the terraform specification. I tried using terraform cloud, but I believe you'll see the same using the terraform CLI.
  4. The sensitive variable is visible in the error output

Expected behavior Packer variables marked as sensitive are not visible in terraform output.

Screenshots Screenshot leading up to the section containing the sensitive -var key/value pairs: [image not included]

Additional information (please complete the following information):

Additional context Thank you for this project, it's been super straight-forward to use!

simaotwx commented 8 months ago

Thank you for reporting the issue. I understand that you would like to have sensitive variables hidden in the error output. I am in favor of implementing this. In GitHub Actions, this would already be done by GitHub but it looks like Terraform Cloud is not doing this.

My suggestion is to have sensitive variables replaced by *****. For this, the packer provider needs to know which variables are sensitive. In order to do that, I would consider adding another attribute sensitive_variables which would do the same as variables but this way the provider knows how to deal with them when outputting errors.

Also, thanks a lot for using the provider, I appreciate your feedback!
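One way to implement the masking suggested in the comment above, as an added example that is not the provider's own code: a separate map of sensitive variables drives both a redacted copy of the -var argument list and a pass over free-form output, since packer's own stderr may echo a value outside the arguments. The function names `packerArgs` and `redactOutput` and the sample values are assumptions made for this illustration.

```go
package main

import (
	"sort"
	"strings"
)

const mask = "*****"

// packerArgs builds the `packer build` argument list from plain and sensitive
// variables. It returns the real arguments to execute and a redacted copy that
// is safe to embed in error messages; keys are sorted for deterministic output.
func packerArgs(variables, sensitiveVariables map[string]string) (real, redacted []string) {
	add := func(m map[string]string, hide bool) {
		keys := make([]string, 0, len(m))
		for k := range m {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for _, k := range keys {
			real = append(real, "-var", k+"="+m[k])
			shown := m[k]
			if hide {
				shown = mask
			}
			redacted = append(redacted, "-var", k+"="+shown)
		}
	}
	add(variables, false)
	add(sensitiveVariables, true)
	return real, redacted
}

// redactOutput masks every occurrence of a sensitive value in free text such as
// packer's stderr, which may echo a value outside the -var arguments. Longer
// values go first so a short value that is a prefix of a longer one cannot
// leave the tail of the longer one exposed; empty values are skipped because
// they would match everywhere.
func redactOutput(text string, sensitiveVariables map[string]string) string {
	values := make([]string, 0, len(sensitiveVariables))
	for _, v := range sensitiveVariables {
		if v != "" {
			values = append(values, v)
		}
	}
	sort.Slice(values, func(i, j int) bool { return len(values[i]) > len(values[j]) })
	for _, v := range values {
		text = strings.ReplaceAll(text, v, mask)
	}
	return text
}
```

The redacted argument list is what belongs in the returned diagnostic; the real list is only ever handed to the process executor.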

simaotwx commented 1 month ago

I've added support for a separate sensitive_variables. However, please make sure you also specify sensitive = true in your packer file. See https://developer.hashicorp.com/packer/guides/hcl/variables#defining-variables-and-locals