{
  "id": "terraform/sensitive-output-in-root-module",
  "signature": "Error: Output refers to sensitive values: The root module output \"db_password\" is marked as sensitive, but Terraform cannot display it in the CLI output.",
  "signature_zh": "错误：输出引用敏感值：根模块输出 \"db_password\" 被标记为敏感，但 Terraform 无法在 CLI 输出中显示它。",
  "regex": "Error: Output refers to sensitive values: The root module output \".*\" is marked as sensitive, but Terraform cannot display it in the CLI output\\.|Warning: Output refers to sensitive values",
  "domain": "terraform",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "An output value is marked as sensitive (via the 'sensitive = true' attribute), preventing Terraform from displaying its value in the CLI after apply, but the user expects to see it.",
  "root_cause_type": "generic",
  "root_cause_zh": "输出值被标记为敏感（通过 'sensitive = true' 属性），导致 Terraform 在 apply 后无法在 CLI 中显示其值，但用户期望看到它。",
  "versions": [
    {
      "version": "Terraform v1.5",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Terraform v1.6",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Terraform v1.7",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "If the output depends on a sensitive input variable or resource attribute, Terraform may still treat it as sensitive. Also, exposing secrets in plain text is a security risk.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Sensitive outputs are also redacted in JSON output; they appear as \"(sensitive value)\" even in machine-readable formats.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "This hides the value completely, which may break automation scripts that depend on the output.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "If you need the value temporarily, use 'terraform output -no-color' and pipe to a file, but note sensitive outputs are still hidden. Instead, check the AWS Console or use 'aws secretsmanager get-secret-value' if the value is stored in Secrets Manager.",
      "success_rate": 0.7,
      "how": "If you need the value temporarily, use 'terraform output -no-color' and pipe to a file, but note sensitive outputs are still hidden. Instead, check the AWS Console or use 'aws secretsmanager get-secret-value' if the value is stored in Secrets Manager.",
      "condition": "",
      "sources": []
    },
    {
      "action": "For automation, store the sensitive value in a secure backend (e.g., AWS Secrets Manager, Vault) and retrieve it programmatically. Example: add 'resource \"aws_secretsmanager_secret_version\" \"db_password\" { secret_id = aws_secretsmanager_secret.db.id, secret_string = random_password.db.result }' to persist the value securely.",
      "success_rate": 0.85,
      "how": "For automation, store the sensitive value in a secure backend (e.g., AWS Secrets Manager, Vault) and retrieve it programmatically. Example: add 'resource \"aws_secretsmanager_secret_version\" \"db_password\" { secret_id = aws_secretsmanager_secret.db.id, secret_string = random_password.db.result }' to persist the value securely.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "If you need the value temporarily, use 'terraform output -no-color' and pipe to a file, but note sensitive outputs are still hidden. Instead, check the AWS Console or use 'aws secretsmanager get-secret-value' if the value is stored in Secrets Manager.",
    "For automation, store the sensitive value in a secure backend (e.g., AWS Secrets Manager, Vault) and retrieve it programmatically. Example: add 'resource \"aws_secretsmanager_secret_version\" \"db_password\" { secret_id = aws_secretsmanager_secret.db.id, secret_string = random_password.db.result }' to persist the value securely."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://developer.hashicorp.com/terraform/language/values/outputs#sensitive-outputs",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.75,
  "resolvable": "partial",
  "first_seen": "2023-08-05",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}