Introduction
In Terraform Enterprise and HCP Terraform, environment variables marked as sensitive are intentionally masked in the UI and run logs to prevent exposure of secrets. During troubleshooting or validation, administrators may need a controlled way to confirm that a sensitive environment variable is correctly set in a workspace.
This article demonstrates a simple method to verify the value of a sensitive environment variable during a Terraform run by using a null_resource with a local-exec provisioner.
Expected Outcome
After following this guide, you will be able to:
Trigger a Terraform run that prints the value of a sensitive environment variable configured in a workspace.
Confirm whether the variable is correctly injected into the Terraform runtime environment.
Prerequisites
Access to a workspace in Terraform Enterprise or HCP Terraform
Permission to modify Terraform configuration in the workspace
A sensitive environment variable already configured in the workspace settings
A Terraform run environment that allows execution of local-exec provisioners
Use Case
Sensitive environment variables in Terraform workspaces are commonly used for:
API tokens
Cloud provider credentials
External service secrets
Because these variables are masked in the UI, it may be difficult to confirm whether the value is being correctly passed to Terraform during execution. This method allows administrators to verify the runtime availability of the variable during debugging.
Procedure
Step 1
Ensure the sensitive environment variable is defined in the workspace.
Example:
Workspace → Variables → Environment Variables
Key: env_secret_variable_name
Value: <secret-value>
Sensitive: Enabled
Step 2
Add the following Terraform configuration to your code:
resource "null_resource" "sensitive_env" {
  # local-exec runs on the machine executing the Terraform run;
  # whatever the command prints ends up in the run log.
  provisioner "local-exec" {
    command = <<-EOT
      echo "env_secret : $env_secret_variable_name"
    EOT
  }
}
This configuration executes a local command during the Terraform run and prints the value of the environment variable.
Step 3
If the workspace is VCS-driven, commit and push the configuration to trigger a new Terraform run in the workspace.
If the workspace is CLI-driven, perform the run from the configuration directory.
During the run:
Terraform will execute the null_resource.
The local-exec provisioner will print the environment variable value to the run logs.
Step 4
Open the run logs in the workspace and locate the output produced by the null_resource.
Example output:
env_secret : my-secret-value
This confirms that the sensitive environment variable is correctly available to the Terraform runtime.
Additional Information
This method should be used only for debugging purposes, as it exposes sensitive values in run logs. After verification, remove the configuration to avoid unintended exposure of secrets.
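A variant of the check that confirms the variable is injected without writing its value to the run log, given here as an added example (not part of the original article or HashiCorp's own code). The function names check_secret_env and _sha256 are hypothetical, and the script assumes the run environment has a POSIX shell with sha256sum or shasum; it could be called from the local-exec command in place of the echo.

```shell
# Added example: report on a secret environment variable without printing it.

# Hex SHA-256 of stdin, using whichever tool the run environment provides.
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
    cut -d' ' -f1
}

# check_secret_env NAME [EXPECTED_SHA256]
# Returns 0 = set (and matching, if EXPECTED_SHA256 is given), 1 = unset or
# empty, 2 = invalid name, 3 = fingerprint mismatch.
check_secret_env() {
  name=$1
  expected=${2-}
  # Accept only a plain variable name so the eval below cannot run other code.
  case $name in
    '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*)
      echo "invalid variable name" >&2
      return 2 ;;
  esac
  if ! eval "[ -n \"\${$name+x}\" ]"; then
    echo "$name: NOT SET"
    return 1
  fi
  eval "value=\$$name"
  if [ -z "$value" ]; then
    echo "$name: set but EMPTY"
    return 1
  fi
  len=${#value}
  digest=$(printf '%s' "$value" | _sha256)
  unset value
  if [ -n "$expected" ]; then
    # Compare against a fingerprint computed out of band; log only the verdict.
    if [ "$digest" = "$expected" ]; then
      echo "$name: set, length=$len, fingerprint matches"
      return 0
    fi
    echo "$name: set, length=$len, fingerprint MISMATCH"
    return 3
  fi
  # Truncated on purpose: a full hash of a low-entropy secret can be guessed offline.
  echo "$name: set, length=$len, sha256 prefix=$(printf '%s' "$digest" | cut -c1-12)"
}

# Constructed sample value so the block runs offline. In a workspace run the
# variable comes from the workspace settings, so omit this assignment there.
env_secret_variable_name='my-secret-value'
check_secret_env env_secret_variable_name
```

The log line then shows only the length and a fingerprint prefix, which can be compared with one computed locally from the intended value.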
Documentation:
Terraform Enterprise variables