terraform config_error ai_generated partial

Error: Output refers to sensitive values: The root module output "db_password" is marked as sensitive, but Terraform cannot display it in the CLI output.

ID: terraform/sensitive-output-in-root-module

Fix Rate: 75%
Confidence: 85%
Evidence: 1
First Seen: 2023-08-05

Version Compatibility

Version          Status   Introduced   Deprecated   Notes
Terraform v1.5   active
Terraform v1.6   active
Terraform v1.7   active

Root Cause

An output value is marked as sensitive (via the 'sensitive = true' attribute), preventing Terraform from displaying its value in the CLI after apply, but the user expects to see it.

Official Documentation

https://developer.hashicorp.com/terraform/language/values/outputs#sensitive-outputs

Workarounds

  1. 70% success
    If you need the value temporarily, use 'terraform output -no-color' and pipe it to a file, but note that sensitive outputs are still hidden. Instead, check the AWS Console or use 'aws secretsmanager get-secret-value' if the value is stored in Secrets Manager.
  2. 85% success
    For automation, store the sensitive value in a secure backend (e.g., AWS Secrets Manager, Vault) and retrieve it programmatically. Example: add the following resource to persist the value securely:

      resource "aws_secretsmanager_secret_version" "db_password" {
        secret_id     = aws_secretsmanager_secret.db.id
        secret_string = random_password.db.result
      }
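
A fuller configuration for workaround 2, added here as an illustration and not taken from the original entry or from HashiCorp's documentation. The secret name "example/db-password", the password length and the output name "db_password_secret_arn" are assumptions; automation reads the non-sensitive ARN output and fetches the password from Secrets Manager.

```hcl
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

# Generated password; its result attribute is sensitive.
resource "random_password" "db" {
  length  = 32 # assumed length
  special = true
}

# Container for the secret. The name is a constructed placeholder.
resource "aws_secretsmanager_secret" "db" {
  name = "example/db-password"
}

# Persists the password so consumers read it from Secrets Manager.
# Note: random_password.db.result and secret_string are still recorded
# in the Terraform state in plain text, so the state backend needs
# encryption at rest and restricted access.
resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id     = aws_secretsmanager_secret.db.id
  secret_string = random_password.db.result
}

# The output named in the error; it stays marked as sensitive.
output "db_password" {
  value     = random_password.db.result
  sensitive = true
}

# Non-sensitive pointer to the secret (hypothetical output name).
# A script can pass this ARN to:
#   aws secretsmanager get-secret-value --secret-id <arn> \
#     --query SecretString --output text
output "db_password_secret_arn" {
  value = aws_secretsmanager_secret.db.arn
}
```

With this layout, access to the password is governed by IAM permissions on the secret.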

Dead Ends

Common approaches that don't work:

  1. 50% fail

    If the output depends on a sensitive input variable or resource attribute, Terraform may still treat it as sensitive. Also, exposing secrets in plain text is a security risk.

  2. 90% fail

    Sensitive outputs are also redacted in JSON output; they appear as "(sensitive value)" even in machine-readable formats.

  3. 70% fail

    This hides the value completely, which may break automation scripts that depend on the output.