mirror of
https://github.com/opentofu/opentofu.git
synced 2024-12-30 10:47:14 -06:00
Add sensitive variable docs for nested blocks
Add note to docs about nested block behavior for sensitive variables
This commit is contained in:
parent
367c82c5ae
commit
4d01fc88fc
@ -250,6 +250,32 @@ Terraform will perform the following actions:
|
||||
Plan: 1 to add, 0 to change, 0 to destroy.
|
||||
```
|
||||
|
||||
In some cases where a sensitive variable is used in a nested block, the whole block can be redacted. This happens with resources which can have multiple blocks of the same type, where the values must be unique. This looks like:
|
||||
|
||||
```
|
||||
# main.tf
|
||||
|
||||
resource "some_resource" "a" {
|
||||
nested_block {
|
||||
user_information = var.user_information # a sensitive variable
|
||||
other_information = "not sensitive data"
|
||||
}
|
||||
}
|
||||
|
||||
# CLI output
|
||||
|
||||
Terraform will perform the following actions:
|
||||
|
||||
# some_resource.a will be updated in-place
|
||||
~ resource "some_resource" "a" {
|
||||
~ nested_block {
|
||||
# At least one attribute in this block is (or was) sensitive,
|
||||
# so its contents will not be displayed.
|
||||
}
|
||||
}
|
||||
|
||||
```
|
||||
|
||||
#### Cases where Terraform may disclose a sensitive variable
|
||||
|
||||
A `sensitive` variable is a configuration-centered concept, and values are sent to providers without any obfuscation. A provider error could disclose a value if that value is included in the error message. For example, a provider might return the following error even if "foo" is a sensitive value: `"Invalid value 'foo' for field"`
|
||||
|
Loading…
Reference in New Issue
Block a user