Provide a sensitive attribute to Variables

[chamilad]

Current Terraform Version

Terraform v0.11.7

Use-cases

There are cases when external analysis of a Terraform variable declaration needs to understand whether the variable in question is something that can contain sensitive secret or not. With the current set of attributes, this is not something that can be deduced.

For an example, there can be a tool (or a future Terraform feature) that analyzes a given module and outputs the list of variables with their descriptions, types, default values, and their sensitive nature.

Attempted Solutions

I attempted to just add a sensitive = true attribute, however this fails at terraform validate level, because that's an unrecognized key.

Proposal

IMO this can be addressed with two approaches.

1. Let go of the unrecognized key validation for variables. This will allow developers to declare their own attributes to be used by tools other than Terraform.

2. Add a new attribute sensitive (with a meaning similar to that of the outputs) with possible values "true" or "false". (I understand that may also require a new type boolean which opens up justification for other feature requests such as if conditions)

References

#18691

[johanot]

Is this a dupe of: #16114 ?

[pselle]

Defining input variables as sensitive in order to redact the values from UI output is now available in 0.14! A recent blog post has more information on this feature, and I'll be closing this one as a result!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.