Problem
By default, an HCP Terraform plan does not show the values of sensitive attributes such as passwords, key vault secret IDs, and API tokens. This ensures that such data is not exposed in command-line interface (CLI) output, in logs, or during plan, apply, and destroy operations.
However, sometimes, we may want to see the value of sensitive attributes in the plan output before going ahead with the apply run.
Solution
Terraform has a function called nonsensitive, which can be used to display sensitive values in plan runs. To demonstrate this, I created the resource azurerm_key_vault_secret, which has a sensitive attribute called value. In a normal plan run, the attribute value is shown as sensitive in the plan output, and when it is referenced in an output block, the output is also shown as sensitive.
With the nonsensitive function, we can reference the attribute value in a Terraform output and see its actual value in the plan output.
Please refer to the configuration below:
resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "secret-value-1"
  key_vault_id = azurerm_key_vault.example.id
}

output "test" {
  value = nonsensitive(azurerm_key_vault_secret.example.value)
}
After changing the value attribute from secret-value-1 to secret-value-2, the nonsensitive function shows the change in the plan output:
resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "secret-value-2"
  key_vault_id = azurerm_key_vault.example.id
}

output "test" {
  value = nonsensitive(azurerm_key_vault_secret.example.value)
}
Please refer to the screenshot below:
This approach can be used in cases where it's absolutely important to know the values of sensitive attributes before proceeding with terraform apply.
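When the goal is only to confirm that a sensitive value changed, or to reveal it for a single reviewed run, the outputs below narrow what nonsensitive exposes. This is an added example, not part of the original article: it reuses the azurerm_key_vault_secret.example resource from the configuration above, and the variable and output names are hypothetical.

```hcl
# Added example. Assumes the azurerm_key_vault_secret.example resource
# from the configuration above; all names below are hypothetical.

# Toggle that is off by default, so ordinary runs never print the secret.
variable "reveal_secret_in_plan" {
  type        = bool
  default     = false
  description = "Set to true for one reviewed plan, then set back to false."
}

# Option 1: confirm that the secret changed without printing it.
# sha256() of a sensitive value is still marked sensitive, so
# nonsensitive() is applied to the digest only. The digest changes
# whenever the underlying value changes.
# Caveat: a short or guessable secret can be recovered from its hash by
# guessing, so this suits high-entropy values such as generated tokens.
output "secret_value_sha256" {
  value = nonsensitive(sha256(azurerm_key_vault_secret.example.value))
}

# Option 2: show the plaintext only when explicitly requested.
# With the toggle false, the output is null and nothing is revealed.
# With the toggle true, the value appears in the plan output, in the run
# logs, and in `terraform output`, so treat those as containing the secret.
output "secret_value_review" {
  value = var.reveal_secret_in_plan ? nonsensitive(azurerm_key_vault_secret.example.value) : null
}
```

Remove the plaintext output, or set the toggle back to false, once the review is done so later runs do not keep printing the value.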
Note: If you continue to experience issues, please contact HashiCorp Support.