Temp output for secrets #4437

Closed
ejoubaud opened this issue Dec 23, 2015 · 3 comments

Comments

@ejoubaud

Would be great to have the option to not store an output in the .tfstate and disable the terraform output command to retrieve them (or any other way past the first run).

I'm thinking about access keys generated with the aws_iam_access_key resource for instance. Say you manage your IAM users with Terraform and generate access keys for them. You only want the key to show up once in the terraform apply output (so you can send it encrypted to the account owner for instance) but you don't want it to be retrievable later from your terraform config or .tfstate, for security. The way it is in the AWS web console basically: show it to me once, but then don't let anyone see it again, including me.

It could be a simple store=false param on the output directive:

```hcl
output "access_key_secrets" {
  value = "${join("\n", aws_iam_access_key.users.*.secret)}"
  store = false
}
```

See also related #4436

@jen20
Contributor

jen20 commented Jan 4, 2016

Hi @ejoubaud! This is an interesting approach - but probably not one which will achieve anything (in this case) as the outputs are calculated from other things which are stored in the .tfstate. As I mentioned on #4436 we are currently planning a refactor of the way state is stored, paying particular attention to sensitive values - if you follow #516 we will update with progress there. Thanks for opening the issue!

@ejoubaud
Author

ejoubaud commented Jan 5, 2016

Thanks. #516 doesn't seem to address the matter of output also being written in plain text to the .tfstate though.

I created this besides #4436 because I thought the output could warrant its own issue but I agree it should probably be thought of along with #516, so I added a note there.
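
The point made in the reply above, that an output is only a copy of a value the state already holds, can be checked with a small audit of a state file. This is an added example, not part of the original thread or of Terraform itself; the state layout, the sample values and the function names are constructed assumptions.

```python
import copy
import json

# Constructed state file with fake values. The layout (modules -> outputs /
# resources -> primary.attributes) is an assumed 2015-era .tfstate JSON shape.
SAMPLE_STATE = json.loads("""
{"version": 1, "modules": [{
  "path": ["root"],
  "outputs": {"access_key_secrets": "EXAMPLEsecret0000\\nEXAMPLEsecret1111"},
  "resources": {
    "aws_iam_access_key.users.0": {"type": "aws_iam_access_key",
      "primary": {"attributes": {"user": "alice", "secret": "EXAMPLEsecret0000"}}},
    "aws_iam_access_key.users.1": {"type": "aws_iam_access_key",
      "primary": {"attributes": {"user": "bob", "secret": "EXAMPLEsecret1111"}}}
  }
}]}
""")

SENSITIVE = {"aws_iam_access_key": ("secret",)}  # resource type -> attributes to flag

def secret_locations(state):
    """List every place in the state where a sensitive attribute value appears."""
    hits = []
    for module in state.get("modules", []):
        mod = ".".join(module.get("path", []))
        secrets = set()
        for name, res in module.get("resources", {}).items():
            attrs = res.get("primary", {}).get("attributes", {})
            for attr in SENSITIVE.get(res.get("type"), ()):
                if attrs.get(attr):
                    secrets.add(attrs[attr])
                    hits.append(f"{mod}/resources/{name}/{attr}")
        # An output is a derived copy: flag it when it embeds a stored secret.
        for out_name, value in module.get("outputs", {}).items():
            if any(s in str(value) for s in secrets):
                hits.append(f"{mod}/outputs/{out_name}")
    return sorted(hits)

def without_outputs(state):
    """Simulate the proposed store = false by dropping outputs from a copy."""
    stripped = copy.deepcopy(state)
    for module in stripped.get("modules", []):
        module["outputs"] = {}
    return stripped

if __name__ == "__main__":
    print(secret_locations(SAMPLE_STATE))                   # outputs + resources
    print(secret_locations(without_outputs(SAMPLE_STATE)))  # resources remain
```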

@ghost

ghost commented Apr 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 29, 2020