80

The following code snippet is my Terraform configuration to create an Azure SignalR Service:

    output "signalrserviceconnstring" {
      value       = azurerm_signalr_service.mysignalrservice.primary_connection_string
      description = "signalR service's primary connection string"
      sensitive   = true
    }

I got an error when sensitive = true is not included but I still do not see the output results on the console. What's the solution or workaround for this problem?

3 Answers

129

The entire point of sensitive = true is to prevent the values from being displayed on the console every time you run terraform apply. You have to output the sensitive value explicitly, like this:

    terraform output signalrserviceconnstring

I highly suggest reading the documentation.


2 Comments

As far as I know this doesn't work for planned changes. Is there something similar to verify if changes to sensitive values are correct before they are applied?
Sensitive values are normally only generated during apply and added to the output; in a plan they should be available if they are some kind of input value?
92

You could use the nonsensitive function like this:

    output "mysecret" {
      value = nonsensitive(var.mysecret)
    }

4 Comments

This is also useful for the interactive $ terraform console command. Without formally declaring an output, > nonsensitive(var.mysecret) will print the secret!
This is also useful when testing with the terraform plan command to check whether the output string is what you expect it to be. After the tests you just remove the output so nothing will be saved.
This is the only thing I could make work. Even setting sensitive = false terraform refused to print it. Really hard to debug when you can't see anything, and it's even more maddening because I didn't mark it sensitive in the first place! Terraform just decided it was sensitive because (I assume) of some of the names inside the contents.
nonsensitive doesn't work in opentofu like that.
10

If you want to get a sensitive value from the state rather than from the output, use this:

Example 1 - Root Module:

    $ terraform show -json | \
      jq '.values.root_module.resources[] | select(.address == "tls_private_key.server_ssh_key")'
    {
      "address": "tls_private_key.server_ssh_key",
      "type": "tls_private_key",
      "name": "server_ssh_key",
      ...
      "values": {
        "algorithm": "ED25519",
        "private_key_openssh": "-----BEGIN OPENSSH PRIVATE KEY-----\n...",
        ...
      }
    }

Example 2 - Child Module:

    $ terraform show -json | \
      jq -r '.values.root_module.child_modules[].resources[] | select(.address == "module.mychildmodule.random_password.admin") | .values.result'

    admin1234

Example 3 - Universal:

This query shows only values, removing the "type" field:

    $ terraform output -json | jq 'map_values(.value)'

    {
    ...
    }

2 Comments

I believe this is the best solution; it fits every use case.
Well not in mine. I want to see the value of the secret file before I push it to make sure it looks ok. I can push it out and look at it afterwards but then I don't need to look at it I can just watch my service burn and deduce that the format is bad. :D
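
The jq filter in Example 2 only looks one level down (`child_modules[].resources[]`), so a resource inside a nested module is missed. The Python below is an added example, not part of any answer above: it walks `terraform show -json` output at any module depth, and it can list which attributes the state flags as sensitive without printing their values. The sample state, its addresses and its values are constructed, and the code assumes the `sensitive_values` field of the JSON output.

```python
import json

# Constructed sample shaped like `terraform show -json` output; every address
# and value here is made up. The `sensitive_values` field is assumed present,
# as current Terraform versions emit it.
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {
  "resources": [
    {"address": "tls_private_key.server_ssh_key",
     "values": {"algorithm": "ED25519", "private_key_openssh": "PLACEHOLDER-KEY"},
     "sensitive_values": {"private_key_openssh": true}}],
  "child_modules": [
    {"address": "module.app",
     "child_modules": [
       {"address": "module.app.module.db",
        "resources": [
          {"address": "module.app.module.db.random_password.admin",
           "values": {"length": 16, "result": "PLACEHOLDER-PASSWORD"},
           "sensitive_values": {"result": true}},
          {"address": "module.app.module.db.random_pet.name",
           "values": {"id": "constructed-pet"},
           "sensitive_values": {}}]}]}]}}}
""")


def iter_resources(module):
    """Yield resources of this module and, recursively, of all child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_resource(state, address):
    """Return the resource at `address` from any module depth, else None."""
    root = state.get("values", {}).get("root_module", {})
    return next((r for r in iter_resources(root) if r["address"] == address), None)


def sensitive_attributes(state):
    """Map address -> names of attributes flagged sensitive (names only, no values)."""
    root = state.get("values", {}).get("root_module", {})
    report = {}
    for res in iter_resources(root):
        flagged = sorted(k for k, v in res.get("sensitive_values", {}).items() if v)
        if flagged:
            report[res["address"]] = flagged
    return report
```

With real data, load the state with `json.load(sys.stdin)` and pipe `terraform show -json` into the script; the `sensitive_attributes` report is a quick inventory of which secrets the state file holds.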
