Securely Handling Sensitive Output in Terraform

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

Terraform provides a mechanism to protect sensitive information like passwords and API keys by allowing you to mark output variables as sensitive. While this hides the values from standard console and log output, there are situations during testing or debugging where you might need to access these values. This article will guide you on how to safely retrieve sensitive output values in Terraform using the command line and JSON parsing.

Terraform allows you to mark output variables as sensitive to protect confidential information. When you mark an output as sensitive, its value will be hidden from the console and log output. However, there are situations where you need to access these sensitive values, such as during testing or debugging.

To view the sensitive output values, you can use the terraform output command with the -json flag. This will output all output values, including sensitive ones, in JSON format. You can then parse this JSON output to extract the specific sensitive value you need.

Here's an example:

Let's say you have an output variable named db_password that is marked as sensitive:

output "db_password" {
  value     = random_password.password.result
  sensitive = true
}

To retrieve the value of db_password, you can run the following command:

terraform output -json

This will output all output values in JSON format. You can then use a tool like jq to extract the value of db_password:

terraform output -json | jq -r '.db_password.value'

This will print the value of the db_password output variable to the console.

Note: It's important to handle sensitive values with care and avoid exposing them in insecure environments.

This Terraform code defines a resource for generating a random password and two output variables: one sensitive (db_password) for the password and one non-sensitive (db_username). It explains how to retrieve the sensitive output value using 'terraform output' command with '-json' flag and then extracting the value using 'jq'. The description emphasizes handling sensitive information with caution and suggests exploring secure alternatives like HashiCorp Vault.

This example demonstrates how to define a sensitive output variable in Terraform and retrieve its value using the terraform output command and jq.

main.tf:

resource "random_password" "password" {
  length  = 16
  special = true
}

output "db_password" {
  value     = random_password.password.result
  sensitive = true
}

output "db_username" {
  value = "admin"
}

This code defines:

• random_password resource: Generates a random password with a length of 16 characters and includes special characters.
• db_password output: Defines an output variable named db_password that stores the generated password. The sensitive = true argument marks this output as sensitive, hiding its value in the console.
• db_username output: Defines a non-sensitive output variable for demonstration purposes.

Retrieving the sensitive output:

1. Run terraform apply: This will create the resource and display the output variables, hiding the value of db_password.

2. Retrieve all outputs in JSON format:

   terraform output -json

   This will output something like:

   {
     "db_password": {
       "sensitive": true,
       "value": "your_hidden_password"
     },
     "db_username": {
       "sensitive": false,
       "value": "admin"
     }
   }

3. Extract the value of db_password using jq:

   terraform output -json | jq -r '.db_password.value'

   This will print:

   your_hidden_password
   

Important considerations:

• Security: Be cautious when accessing and handling sensitive information. Avoid storing or exposing sensitive values in insecure environments.
• Alternatives: Consider using tools like HashiCorp Vault for managing and accessing secrets securely.

This example demonstrates how to retrieve sensitive output values in Terraform. Remember to handle this information responsibly and prioritize security best practices.

• Understanding Sensitivity: Marking an output as sensitive doesn't encrypt the value itself. It's primarily a display mechanism to prevent accidental exposure. Sensitive values are still stored in plain text within the state file, which should be treated with the same security precautions as any sensitive data.
• Alternatives to jq: While jq is a powerful tool for JSON parsing, you can also use other tools or scripting languages like Python to extract values from the JSON output.
• terraform console: For interactive usage, terraform console allows you to access output values, including sensitive ones, directly within a console session. However, exercise caution as the console history might retain sensitive data.
• Security Best Practices:
  • Principle of Least Privilege: Only grant access to sensitive output values to users or systems that absolutely require it.
  • Secure Storage: Consider using tools like HashiCorp Vault to store and manage sensitive values securely, rather than directly accessing them from Terraform outputs.
  • Environment Variables: For temporary access during development or testing, you can use environment variables to pass sensitive values to your scripts or applications.
• Sensitive Input Variables: Terraform also allows you to mark input variables as sensitive, preventing their values from being displayed in the console or logs. This is useful for protecting values provided during deployments.
• State File Protection: The Terraform state file contains the current state of your infrastructure and can include sensitive values. Ensure that your state file is stored securely, ideally using remote backends with encryption at rest.

While Terraform protects confidential information by hiding sensitive output variables from console and log output, you can still access these values for testing or debugging purposes.

How to access sensitive output values:

1. Use the terraform output -json command: This outputs all output values, including sensitive ones, in JSON format.
2. Parse the JSON output: Use a tool like jq to extract the specific sensitive value you need.

Example:

To retrieve the value of a sensitive output variable named db_password, you would run:

terraform output -json | jq -r '.db_password.value'

Important Note: Always handle sensitive values with care and avoid exposing them in insecure environments.

In conclusion, Terraform's ability to mark output variables as sensitive provides a valuable layer of protection for confidential information. While these values are hidden by default in console and log outputs, you can still access them when needed for tasks like testing or debugging. By using the terraform output -json command and a JSON parsing tool like jq, you can retrieve specific sensitive values. However, it's crucial to exercise caution and adhere to security best practices when handling such information. Remember to protect your state files, consider secure storage solutions like HashiCorp Vault for sensitive values, and always prioritize the principle of least privilege. By understanding these techniques and best practices, you can leverage Terraform's capabilities while maintaining the security of your infrastructure and sensitive data.

• How to show sensitive values - Terraform - HashiCorp Discuss | I can see how sensitive values need to be protected in CI/CD, but at my terminal I would like to see them. In some cases, there is a workaround, eg for outputs that are marked sensitive you can use json output. BUT this trick does not work for terraform apply: sensitive values are masked, and if the value is say a json blob (created from a template), the whole blob is masked. There is then no way for me to know what actually caused the change in that json/value. Is there a way to tell terraform...
• How-to output sensitive data with Terraform – HashiCorp Help Center | Introduction You can create resources that have sensitive data. When you output this data with default settings you get the following error │ Error: Output refers to sensitive values│ │ on main.tf ...
• How to get sensitive value generated during terraform apply ... | Posted by u/Lagerstars - 1 vote and 5 comments
• Protect sensitive input variables | Terraform | HashiCorp Developer | When you do so, you need to ensure that you do not accidentally expose this data in CLI output, log output, or source control. Terraform provides several ...
• QUESTION: Terraform plan output may contain sensitive data ... | Hi, We are evaluating adoption of Atlantis and one of our concerns regarding security is that while doing 'atlantis plan' secret data can be displayed on the plan output. Is there any recommendatio...
• Output Values - Configuration Language | Terraform | HashiCorp ... | ... data will have access to the sensitive values in cleartext. For more information, see Sensitive Data in State. depends_on — Explicit Output Dependencies.
• Decoding Sensitive Outputs in Terraform | by Shiva V | AWS Tip | It happened so while I was building an awesome multi-cloud hands-on lab using Terraform, that I ran into a peculiar error.
• Terraform - Sensitive Output - DEV Community | DevOps - Terraform - Sensitive Output
• output "client_secret_value" is not printing · Issue #845 · hashicorp ... | Hi, i'm creating client secret using terraform "Resource: azuread_application_password" but unable to get secrets value in terraform output output "client_secret_value" { description = "Password fo...