b62f6af158
* core: Add support for marking outputs as sensitive
This commit allows an output to be marked "sensitive", in which case the
value is redacted in the post-refresh and post-apply list of outputs.
For example, the configuration:
```
variable "input" {
default = "Hello world"
}
output "notsensitive" {
value = "${var.input}"
}
output "sensitive" {
sensitive = true
value = "${var.input}"
}
```
Would result in the output:
```
terraform apply
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
notsensitive = Hello world
sensitive = <sensitive>
```
The `terraform output` command continues to display the value as before.
Limitations: Note that sensitivity is not tracked internally, so if the
output is interpolated in another module into a resource, the value will
be displayed. The value is still present in the state.
2.4 KiB
layout, page_title, sidebar_current, description
| layout | page_title | sidebar_current | description |
|---|---|---|---|
| docs | Configuring Outputs | docs-config-outputs | Outputs define values that will be highlighted to the user when Terraform applies, and can be queried easily using the output command. Output usage is covered in more detail in the getting started guide. This page covers configuration syntax for outputs. |
Output Configuration
Outputs define values that will be highlighted to the user when Terraform applies, and can be queried easily using the output command. Output usage is covered in more detail in the getting started guide. This page covers configuration syntax for outputs.
Terraform knows a lot about the infrastructure it manages. Most resources have a handful or even a dozen or more attributes associated with it. Outputs are a way to easily extract information.
This page assumes you're familiar with the configuration syntax already.
Example
An output configuration looks like the following:
output "address" {
value = "${aws_instance.web.public_dns}"
}
Description
The output block configures a single output variable. Multiple
output variables can be configured with multiple output blocks.
The NAME given to the output block is the name used to reference
the output variable.
Within the block (the { }) is configuration for the output.
These are the parameters that can be set:
value(required, string) - The value of the output. This must be a string. This usually includes an interpolation since outputs that are static aren't usually useful.
Syntax
The full syntax is:
output NAME {
value = VALUE
}
Sensitive Outputs
Outputs can be marked as containing sensitive material by setting the
sensitive attribute to true, like this:
output "sensitive" {
sensitive = true
value = VALUE
}
When outputs are displayed on-screen following a terraform apply or
terraform refresh, sensitive outputs are redacted, with <sensitive>
displayed in place of their value.
Limitations of Sensitive Outputs
- The values of sensitive outputs are still stored in the Terraform
state, and available using the
terraform outputcommand, so cannot be relied on as a sole means of protecting values. - Sensitivity is not tracked internally, so if the output is interpolated in another module into a resource, the value will be displayed.