Introduction
Beginning with Terraform Enterprise release v202103-3, and also in Terraform Cloud, checking the "sensitive" checkbox for a Terraform variable on the Variables page not only makes the variable write-only in the web UI, but also marks the variable sensitive during the Terraform run itself.
Terraform 0.14.0 introduced the ability to mark input variables as sensitive, redacting their values from Terraform's plan and apply output and from its logs. With this change, when the sensitive checkbox is checked on the TFC/TFE workspace's Variables page, the variable has sensitive = true applied to it during the run regardless of whether that attribute is present in the configuration.
During a TFC/TFE run, an override file is generated that contains information about every variable defined on the workspace's Variables page. The configuration itself may declare the variable without any sensitivity setting, for example:
variable "foo" {}
If the "sensitive" checkbox is checked for this variable, the generated override file takes precedence over the declaration in the configuration and is equivalent to:
variable "foo" {
sensitive = true
}
The end result: the value of var.foo is sensitive and redacted from output.
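The override mechanism described above can be reproduced locally with Terraform's standard override files, which are merged after all other configuration files. The following is an added example, not code from the original article or from HashiCorp; the file names are assumptions, and the override file here stands in for the one TFC/TFE generates during a run. It also shows the check a practitioner wants before turning the checkbox on: an output that exposes the variable.

```hcl
# variables.tf
# The configuration as committed: no sensitivity declared.
variable "foo" {}

# sensitive_override.tf  (assumed name; any override.tf or *_override.tf
# file is merged last, so its attributes win over variables.tf)
# This stands in for the override file TFC/TFE generates when the
# "sensitive" checkbox is checked for var.foo.
variable "foo" {
  sensitive = true
}

# outputs.tf
# Once var.foo is sensitive, any root output that refers to it must also be
# marked sensitive; otherwise `terraform plan` fails with
# "Output refers to sensitive values" instead of redacting it.
output "foo_value" {
  value     = var.foo
  sensitive = true
}
```

Running `terraform plan -var 'foo=example-secret'` against these three files shows the value of var.foo redacted in the plan wherever it is used, exactly as a TFC/TFE run does once the checkbox is set. Drop the `sensitive = true` line from the output block to see the error a workspace run would hit when a previously non-sensitive variable is flipped to sensitive in the UI while an output still exposes it in plain form.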
Recommendation
For clarity and maintainability, it is recommended to add sensitive = true to every variable definition in the Terraform configuration that is expected to be marked sensitive when added to TFE/TFC. Declaring it in code makes the redaction visible to anyone reading the configuration and keeps local runs consistent with runs in TFC/TFE, rather than relying on a setting that exists only in the workspace UI.