Add a flag to `terraform show` to hide all values (not just sensitive)

[ricardbejarano]

Terraform Version

Terraform v1.11.4
on darwin_arm64

Use Cases

In certain highly confidential environments, a lot of information that would typically not be considered sensitive, is classified as sensitive because only those with need-to-know (NTK) should have access to it.

This divides our team into those with NTK, and those without it, but do not want that divide to "Conway's Law" itself into our infrastructure.

In order to do that, we want to empower no-NTK developers to perform (at least) basic Terraform plan review, so that they are capable of making changes with a non-zero degree of confidence.

Terraform plans, however, are very likely to show data we consider sensitive in this environment (that may not be considered sensitive anywhere else). Mainly resource attribute values (keys are ok, they are in the schema which is public domain) and resource addresses (since for_each may range over sensitive keys).

Attempted Solutions

terraform show -json, then writing a custom script with jq that redacts all attribute values and resource addresses, and converting that JSON plan back to binary for Terraform to render. This, however, is not possible and implementation would be way more difficult than the proposed solution.

Proposal

Add a flag to terraform show, such as -redacted, that redacts all attribute values and resource addresses to be shown in rendering the plan.

This way, we can:

• terraform plan -out terraform.tfplan and save the output for NTK developers; then
• terraform show -redacted terraform.tfplan and show the output to no-NTK developers.

I am very aware that only a very slim subset of Terraform users would ever care about this feature, but I also think that an optional boolean flag with some string redaction is a relatively simple feature to maintain, so that we can empower our no-NTK users with a bit more metadata about what's being planned.

References

See #36900 for an example implementation of what I mean.

[ricardbejarano]

Example output of the terraform show -redacted flag:

$ ~/terraform/bin/terraform show -redacted terraform.tfplan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # (sensitive value) will be created
  + resource "gitlab_group_variable" "(sensitive value)" {
      + description       = (sensitive value)
      + environment_scope = (sensitive value)
      + group             = (sensitive value)
      + hidden            = (known after apply)
      + id                = (known after apply)
      + key               = (sensitive value)
      + masked            = (known after apply)
      + protected         = (known after apply)
      + raw               = (sensitive value)
      + value             = (sensitive value)
      + variable_type     = (sensitive value)
    }

  # (sensitive value) will be updated in-place
  ~ resource "tailscale_dns_preferences" "(sensitive value)" {
        id        = (sensitive value)
      ~ magic_dns = (sensitive value)
    }

  # (sensitive value) will be destroyed
  # (because tailscale_tailnet_settings.(sensitive value) is not in configuration)
  - resource "tailscale_tailnet_settings" "(sensitive value)" {
      - devices_approval_on                         = (sensitive value) -> null
      - devices_auto_updates_on                     = (sensitive value) -> null
      - devices_key_duration_days                   = (sensitive value) -> null
      - id                                          = (sensitive value) -> null
      - network_flow_logging_on                     = (sensitive value) -> null
      - posture_identity_collection_on              = (sensitive value) -> null
      - regional_routing_on                         = (sensitive value) -> null
      - users_approval_on                           = (sensitive value) -> null
      - users_role_allowed_to_join_external_tailnet = (sensitive value) -> null
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Changes to Outputs:
  ~ admin                              = (sensitive value)

As you can see, all before and after attribute values are redacted, along with resource addresses which may contain for_each keys which could also be sensitive.

[ricardbejarano]

I'd like to hear feedback on whether Terraform wants this feature, otherwise I can spin this off into a standalone tool instead. If aligned, I'm happy to change anything about the approach, my PR is just a proof of concept.

[crw]

Thanks, I will raise this in triage.

If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks again!