
[Feature Request] Add an option to store sensitive output variables as exportable variables

Open nrv-96 opened this issue 1 year ago • 1 comments

Terraform Version

v1.8.4

Use Cases

I'm working with a pipeline that utilizes a combination of Terraform and Ansible for managing Virtual Machines. The password is marked as Sensitive in the output variable, so I cannot retrieve its value directly. While this restriction makes sense, the requirement is to use this password as an input for Ansible. Currently, there isn't a straightforward way to achieve this. Therefore, I propose adding an EXPORT option to the output variable. This would allow the sensitive value to remain hidden from display but could still be exported as a variable. This approach would enable the pipeline to use the variable as input for Ansible without fetching the value from Azure Key Vault or AWS Secrets Manager.

Attempted Solutions

NA

Proposal

Export default value should be false.

Scenario 1: db_password will output as db_password= (sensitive value) but it will export the variable.

output "db_password" {
  value       = aws_db_instance.db.password
  description = "The password for logging in to the database."
  sensitive   = true
  export      = true
}

Scenario 2: db_password will output as db_password= (sensitive value) but it will not be exported as a variable.

output "db_password" {
  value       = aws_db_instance.db.password
  description = "The password for logging in to the database."
  sensitive   = true
  export      = false
}

Scenario 3: nothing happens!

output "db_password" {
  value       = aws_db_instance.db.password
  description = "The password for logging in to the database."
  sensitive   = false
  export      = false
}

Scenario 4: db_password will output as the currently running code does; there are no changes for this scenario.

output "db_password" {
  value       = aws_db_instance.db.password
  description = "The password for logging in to the database."
  sensitive   = false
  export      = true
}

Scenario 5: db_password will output as the currently running code does; there are no changes for this scenario.

output "db_password" {
  value       = aws_db_instance.db.password
  description = "The password for logging in to the database."
  export      = true
}

Scenario 6: db_password will not export! (Optional Scenario)

output "db_password" {
  value       = aws_db_instance.db.password
  description = "The password for logging in to the database."
  export      = false
}

References

https://developer.hashicorp.com/terraform/language/values/outputs

nrv-96, Jul 01 '24 03:07

Hi @nrv-96, what do you mean by exportable in this context? It's worth noting that sensitive values are still available within the state even after they have been created. This means that you should still be able to access the value within a sensitive output after an apply has been completed:

# main.tf

output "password" {
  value = "foo"
  sensitive = true
}

~/terraform/35402 > terraform apply

Changes to Outputs:
  + password = (sensitive value)

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

password = <sensitive>

The above will have written the output into the state, and we can now access it using the terraform show command:

~/terraform/35402 > terraform show -json | jq -r '.values.outputs.password.value'
foo

Does this address your use case?

liamcervante, Jul 01 '24 08:07
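The hand-off discussed in this thread, as an added example that is not part of the original issue or of Terraform: a pipeline step that reads outputs from `terraform show -json` text, masks sensitive ones for the build log, and writes the real values to an owner-only file for `ansible-playbook -e @file`. The function names and the sample JSON (including the `region` output) are constructed for illustration.

```python
import json
import os
import tempfile

# Constructed sample of `terraform show -json` for the main.tf shown above,
# plus one non-sensitive output ("region") added for contrast.
SAMPLE_SHOW_JSON = json.dumps({
    "format_version": "1.0",
    "values": {
        "outputs": {
            "password": {"sensitive": True, "type": "string", "value": "foo"},
            "region": {"sensitive": False, "type": "string", "value": "eu-west-1"},
        },
        "root_module": {},
    },
})


def read_outputs(show_json):
    """Return {name: (value, sensitive)} from `terraform show -json` text."""
    outputs = json.loads(show_json).get("values", {}).get("outputs", {})
    return {n: (o.get("value"), bool(o.get("sensitive"))) for n, o in outputs.items()}


def redacted(outputs):
    """Log-safe view: sensitive values are masked, others pass through."""
    return {n: "(sensitive value)" if s else v for n, (v, s) in outputs.items()}


def write_extra_vars(outputs, directory):
    """Write the real values to a new JSON file for `ansible-playbook -e @file`."""
    # mkstemp creates the file exclusively with mode 0600 (owner read/write only).
    fd, path = tempfile.mkstemp(prefix="tf-outputs-", suffix=".json", dir=directory)
    with os.fdopen(fd, "w") as fh:
        json.dump({n: v for n, (v, _) in outputs.items()}, fh)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        outs = read_outputs(SAMPLE_SHOW_JSON)
        path = write_extra_vars(outs, workdir)
        print("outputs:", redacted(outs))  # only this view goes to the log
        print("extra-vars file:", path, oct(os.stat(path).st_mode & 0o777))
```

The state and the extra-vars file both hold the secret in plain text, so the file should live on job-local storage and be deleted once the playbook run finishes.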