How-to output sensitive data with Terraform

Avatar
Patrick Munne
  • Updated

Error: Output refers to sensitive values - How to output sensitive data with Terraform

Problem

When attempting to output a value from a resource that contains sensitive data, Terraform prevents the value from being displayed in the console and produces the following error.

│ Error: Output refers to sensitive values
│ 
│   on main.tf line 23:
│   23: output "token_value" {
│ 
│ To reduce the risk of accidentally exporting sensitive data that
│ was intended to be only internal,
│ Terraform requires that
│ any root module output containing sensitive data be explicitly
│ marked as sensitive, to confirm your intent.
│ 
│ If you do intend to export this data,
│ annotate the output value as sensitive by adding the following argument:
│   sensitive = true

Example Configuration

This error commonly occurs with configurations that generate secrets, such as a team token.

resource "tfe_team" "test" {
  name         = "test"
  organization = "my-organisation"
}

resource "tfe_team_token" "test" {
  team_id = tfe_team.test.id
}

output "token_value" {
  value = tfe_team_token.test.token
}

Cause

Terraform's default behavior is to protect sensitive data from accidental exposure. When an output value references a resource attribute marked as sensitive, Terraform requires you to explicitly acknowledge your intent to export this data.

Solutions

There are two primary methods to handle this error, depending on your goal.

Solution 1: Mark the Output as Sensitive

If you intend for the output to be treated as sensitive throughout your configuration and state, add the sensitive = true argument to the output block. This is the recommended approach for managing secret data.

output "token_value" {
  value     = tfe_team_token.test.token
  sensitive = true
}

After applying this change, Terraform will hide the value in the regular terraform apply or terraform output display. To retrieve the raw value, use the terraform output command with the -raw flag.

$ terraform output -raw token_value

Solution 2: Use the nonsensitive Function

If you need to use the sensitive value in a context where it should not be treated as sensitive, you can use the nonsensitive function. This function serves as an explicit acknowledgment that you are overriding the sensitive attribute for this specific output.

output "token_value" {
  value = nonsensitive(tfe_team_token.test.token)
}

This will cause the value to be displayed directly in the console after a terraform apply.

Additional Information

Articles in this section

See more

Related articles