Error: Output refers to sensitive values: The root module output "db_password" is marked as sensitive, but Terraform cannot display it in the CLI output.
ID: terraform/sensitive-output-in-root-module
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Terraform v1.5 | active | — | — | — |
| Terraform v1.6 | active | — | — | — |
| Terraform v1.7 | active | — | — | — |
Root cause analysis
An output value is marked as sensitive (via the 'sensitive = true' attribute), preventing Terraform from displaying its value in the CLI after apply, but the user expects to see it.
Official documentation
https://developer.hashicorp.com/terraform/language/values/outputs#sensitive-outputs
Solutions
- If you need the value temporarily, use 'terraform output -no-color' and pipe to a file, but note sensitive outputs are still hidden. Instead, check the AWS Console or use 'aws secretsmanager get-secret-value' if the value is stored in Secrets Manager.
- For automation, store the sensitive value in a secure backend (e.g., AWS Secrets Manager, Vault) and retrieve it programmatically. Example: add the following resource to persist the value securely:

  ```hcl
  resource "aws_secretsmanager_secret_version" "db_password" {
    secret_id     = aws_secretsmanager_secret.db.id
    secret_string = random_password.db.result
  }
  ```
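The second solution as a complete configuration, written as an added example that is not code from the original page. The secret name, the password settings and the output name 'db_password_secret_arn' are assumptions; the resource addresses match the ones the page uses.

```hcl
# Added example, not from the original page. Values marked "assumed" are illustrative.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

# Generated password. Its `result` attribute is sensitive, so any output that
# references it directly is treated as sensitive as well.
resource "random_password" "db" {
  length  = 32    # assumed
  special = false # assumed: avoids characters some database engines reject
}

resource "aws_secretsmanager_secret" "db" {
  name = "example/db-password" # assumed name
}

# Persist the password in Secrets Manager instead of exposing it as an output.
resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id     = aws_secretsmanager_secret.db.id
  secret_string = random_password.db.result
}

# Output only the secret's ARN, which is not sensitive. Consumers look the
# password up in Secrets Manager under their own IAM permissions.
output "db_password_secret_arn" {
  value = aws_secretsmanager_secret.db.arn
}

# Note: the generated password is still written to the Terraform state in
# plain text, so the state backend needs encryption and restricted access.
```

Automation can pass the ARN from this output to 'aws secretsmanager get-secret-value', the command the first solution mentions.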
Ineffective attempts
Common but ineffective approaches:
- 50% failure: If the output depends on a sensitive input variable or resource attribute, Terraform may still treat it as sensitive. Also, exposing secrets in plain text is a security risk.
- 90% failure: Sensitive outputs are also redacted in JSON output; they appear as "(sensitive value)" even in machine-readable formats.
- 70% failure: This hides the value completely, which may break automation scripts that depend on the output.