Problem
In HCP Terraform and Terraform Enterprise (v202103-3 and later), when you select the sensitive checkbox for a Terraform variable in the workspace UI, the variable is treated as sensitive during the run, regardless of its definition in the configuration. This action makes the variable write-only in the UI and redacts its value from Terraform's output and logs.
Cause
Terraform 0.14.0 introduced the ability to mark input variables as sensitive in the configuration, which redacts their values from CLI output. HCP Terraform and Terraform Enterprise extend this functionality through the UI.
During a run, HCP Terraform and Terraform Enterprise generate an override file that contains all variables defined on the workspace's Variables page. If the sensitive checkbox is selected for a variable in the UI, the override file explicitly sets sensitive = true for that variable, overriding the setting in your configuration file.
For example, your configuration may contain a variable block without a sensitivity setting.
variable "foo" {}

If you check the sensitive box for this variable in the workspace UI, the effective configuration during the run is modified as follows.

variable "foo" {
  sensitive = true
}

As a result, the value of var.foo is treated as sensitive and is redacted from all run outputs.
Solution
For clarity and maintainability, you should explicitly add sensitive = true to all variable definitions in your Terraform configuration that are considered sensitive. This practice ensures that your configuration files serve as the single source of truth for variable sensitivity, aligning the behavior in the UI with the code's intent.
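One way to check a configuration against this recommendation, as an added example that is not HashiCorp's code: the script below lists variables that are marked sensitive in the workspace UI but lack sensitive = true in the configuration. The sample configuration, the variable names and the UI_SENSITIVE set are constructed; in practice you would fill the set by hand from the workspace's Variables page.

```python
import re

# Header of a variable block, e.g.: variable "foo" {
VAR_HEADER = re.compile(r'\bvariable\s+"([^"]+)"\s*\{')
# An explicit `sensitive = true` attribute on its own line.
SENSITIVE_TRUE = re.compile(r'^\s*sensitive\s*=\s*true\s*(?:#.*|//.*)?$', re.M)

def variable_blocks(hcl):
    """Yield (name, body) for each variable block, matching braces by depth.
    Simplification: braces inside strings or comments are not handled."""
    for m in VAR_HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), hcl[m.end():i - 1]

def undeclared_sensitive(hcl, ui_sensitive):
    """Variables sensitive in the UI but not marked sensitive in the code."""
    return sorted(
        name for name, body in variable_blocks(hcl)
        if name in ui_sensitive and not SENSITIVE_TRUE.search(body)
    )

# Constructed sample configuration (not from a real workspace).
SAMPLE_CONFIG = '''
variable "foo" {}

variable "db_password" {
  type      = string
  sensitive = true
}

variable "api_token" {
  type = string
  validation {
    condition     = length(var.api_token) > 8
    error_message = "Token too short."
  }
}

variable "region" {
  default = "us-east-1"
}
'''

# Assumption: names with the sensitive checkbox selected in the workspace UI.
UI_SENSITIVE = {"foo", "db_password", "api_token"}

if __name__ == "__main__":
    for name in undeclared_sensitive(SAMPLE_CONFIG, UI_SENSITIVE):
        print(f'variable "{name}": sensitive in the UI, add sensitive = true')
```

Each reported variable is one whose redaction currently depends only on the generated override file, not on the configuration itself.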