# Error: Output refers to sensitive values: The root module output "db_password" is marked as sensitive, but Terraform cannot display it in the CLI output. - **ID:** `terraform/sensitive-output-in-root-module` - **Domain:** terraform - **Category:** config_error - **Verification:** ai_generated - **Fix Rate:** 75% ## Root Cause An output value is marked as sensitive (via the 'sensitive = true' attribute), preventing Terraform from displaying its value in the CLI after apply, but the user expects to see it. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | Terraform v1.5 | active | — | — | | Terraform v1.6 | active | — | — | | Terraform v1.7 | active | — | — | ## Workarounds 1. **If you need the value temporarily, use 'terraform output -no-color' and pipe to a file, but note sensitive outputs are still hidden. Instead, check the AWS Console or use 'aws secretsmanager get-secret-value' if the value is stored in Secrets Manager.** (70% success) ``` If you need the value temporarily, use 'terraform output -no-color' and pipe to a file, but note sensitive outputs are still hidden. Instead, check the AWS Console or use 'aws secretsmanager get-secret-value' if the value is stored in Secrets Manager. ``` 2. **For automation, store the sensitive value in a secure backend (e.g., AWS Secrets Manager, Vault) and retrieve it programmatically. Example: add 'resource "aws_secretsmanager_secret_version" "db_password" { secret_id = aws_secretsmanager_secret.db.id, secret_string = random_password.db.result }' to persist the value securely.** (85% success) ``` For automation, store the sensitive value in a secure backend (e.g., AWS Secrets Manager, Vault) and retrieve it programmatically. Example: add 'resource "aws_secretsmanager_secret_version" "db_password" { secret_id = aws_secretsmanager_secret.db.id, secret_string = random_password.db.result }' to persist the value securely. ``` ## Dead Ends - **** — If the output depends on a sensitive input variable or resource attribute, Terraform may still treat it as sensitive. Also, exposing secrets in plain text is a security risk. (50% fail) - **** — Sensitive outputs are also redacted in JSON output; they appear as "(sensitive value)" even in machine-readable formats. (90% fail) - **** — This hides the value completely, which may break automation scripts that depend on the output. (70% fail)