I'm writing a custom Terraform provider, and I have a resource that has an argument that is a map[string]string which may contain sensitive values. I want to make the values sensitive but not the keys. I tried setting the Sensitive attribute of the Elem in the map to true (see example below), but I still get the values printed out to the console during the plan phase.

    return &schema.Resource{
        // ...
        Schema: map[string]*schema.Schema{
            "sensitive_map": {
                Type:     schema.TypeMap,
                Optional: true,
                Elem: &schema.Schema{
                    Type: schema.TypeString,
                    // Sensitive: true,
                },
            },
        },
    }

Example plan phase output:

    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      + create

    Terraform will perform the following actions:

      # deploy_project.this will be created
      + resource "my_resource" "this" {
          + sensitive_map = {
              + "key" = "value"
            }
          + id = (known after apply)
        }

    Plan: 1 to add, 0 to change, 0 to destroy.

How can I get the value to be marked as sensitive but not the key?

Sensitive is not a behavior field for the Terraform resource schema. Assuming sdk2 and TF >= 0.13 etc., this would probably be achieved (if possible) in the manner coded in your question. As it is, this behavior is (I believe) opt-in and not opt-out, and therefore is configured in the TF config and not the provider. I could be wrong though. – Matt Schuchard

Sensitive flag on the Map itself rather than the Elem and it does mark it as sensitive in the plan output, except it marks the entire Map as sensitive, including the keys – William Perron
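
One possible workaround, as an added example that is not part of the original question or comments: model each entry as a nested block whose value attribute is marked `Sensitive: true` while the key stays visible, and convert to and from `map[string]string` inside the provider. It assumes terraform-plugin-sdk v2 and a `schema.TypeSet` of blocks; the names `sensitive_entry`, `key`, `value`, `expandEntries` and `flattenEntries` are hypothetical.

```go
// Added example (not the asker's code); all names are hypothetical. Assumes a
// schema.TypeSet of "sensitive_entry" blocks where only "value" is Sensitive.
package main

import (
	"fmt"
	"sort"
)

// expandEntries converts d.Get("sensitive_entry").(*schema.Set).List() to a map.
// Errors name the index or key only, never the value, so secrets stay out of logs.
func expandEntries(raw []interface{}) (map[string]string, error) {
	out := make(map[string]string, len(raw))
	for i, item := range raw {
		block, ok := item.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("sensitive_entry.%d: unexpected type %T", i, item)
		}
		key, _ := block["key"].(string)
		value, _ := block["value"].(string)
		if key == "" {
			return nil, fmt.Errorf("sensitive_entry.%d: empty key", i)
		}
		if _, dup := out[key]; dup {
			return nil, fmt.Errorf("sensitive_entry: duplicate key %q", key)
		}
		out[key] = value
	}
	return out, nil
}

// flattenEntries builds the d.Set("sensitive_entry", ...) value, sorted by key.
func flattenEntries(m map[string]string) []interface{} {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := make([]interface{}, 0, len(keys))
	for _, k := range keys {
		out = append(out, map[string]interface{}{"key": k, "value": m[k]})
	}
	return out
}

func main() {
	m, err := expandEntries(flattenEntries(map[string]string{"key": "value"})) // constructed sample
	fmt.Println(len(m), err)
}
```

Two blocks with the same key but different values are distinct set elements, which is why the duplicate check lives in the provider code.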