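# Error: Output refers to sensitive values: root module output "db_password" is marked sensitive, but Terraform cannot display it in CLI output.

- **ID:** `terraform/sensitive-output-in-root-module`
- **Domain:** terraform
- **Category:** config_error
- **Verification level:** ai_generated
- **Fix rate:** 75%

## Root cause

The output value is marked sensitive (via the `sensitive = true` attribute), so Terraform cannot display its value in the CLI after apply, although the user expects to see it.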

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Terraform v1.5 | active | — | — |
| Terraform v1.6 | active | — | — |
| Terraform v1.7 | active | — | — |

## Solutions

1. If you need the value temporarily, use `terraform output -no-color` and pipe it to a file, but note that sensitive outputs are still hidden. Instead, check the AWS Console, or use `aws secretsmanager get-secret-value` if the value is stored in Secrets Manager.
2. For automation, store the sensitive value in a secure backend (e.g., AWS Secrets Manager, Vault) and retrieve it programmatically. Example: add the following resource to persist the value securely:

   ```hcl
   resource "aws_secretsmanager_secret_version" "db_password" {
     secret_id     = aws_secretsmanager_secret.db.id
     secret_string = random_password.db.result
   }
   ```
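
A fuller configuration for the second solution, as an added example that is not from the original page. The resource label `db`, the secret name `example/db-password` and the output name `db_password_secret_arn` are assumptions; the password output stays sensitive and only the secret's ARN is published as an ordinary output.

```hcl
# Added example; names and the secret path are constructed for illustration.
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

# Generated password; its "result" attribute is sensitive by definition.
resource "random_password" "db" {
  length  = 32
  special = true
}

# Container for the secret in AWS Secrets Manager.
resource "aws_secretsmanager_secret" "db" {
  name = "example/db-password" # constructed name
}

# Stores the generated password as the current secret version.
resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id     = aws_secretsmanager_secret.db.id
  secret_string = random_password.db.result
}

# The password output keeps its sensitive marking.
output "db_password" {
  value     = random_password.db.result
  sensitive = true
}

# Non-secret reference that people and pipelines can read from the CLI.
output "db_password_secret_arn" {
  value = aws_secretsmanager_secret.db.arn
}
```

A pipeline can pass the ARN to `aws secretsmanager get-secret-value --secret-id <arn>`. The generated password is still recorded in the Terraform state, so the state backend needs encryption and restricted access.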

## Attempts that do not work

- **** — If the output depends on a sensitive input variable or resource attribute, Terraform may still treat it as sensitive. Also, exposing secrets in plain text is a security risk. (50% failure rate)
- **** — Sensitive outputs are also redacted in JSON output; they appear as "(sensitive value)" even in machine-readable formats. (90% failure rate)
- **** — This hides the value completely, which may break automation scripts that depend on the output. (70% failure rate)
