
HashiCorp Terraform Adds Concise Diff Formatter and Sensitive Data Obfuscation


HashiCorp has released Terraform 0.14 into general availability. The release introduces a new concise diff format that limits plan output to only the elements that are changing. Other improvements include the ability to hide sensitive values and an automatically generated lock file for provider dependencies.

The concise diff format is a new experimental, on-by-default feature designed to help users understand what changes Terraform is about to make. The diff renderer used by terraform plan, terraform apply, and terraform show <planfile> has been updated to hide unchanged and irrelevant values in the plan. At the end of each parent scope, a count of the hidden elements is shown.

 # will be updated in-place
  ~ resource "test_resource" "foo" {
        id       = "foo_123"
      ~ checksum = 28987129 -> (known after apply)
      - mode     = "test" -> null
        name     = "Foo Test"
        tags     = []
      ~ totals   = {
          - "bar" = 5 -> null
          + "baz" = 5
            # (2 unchanged elements hidden)
        }
      ~ values   = [
          - "alpha",
          - "gamma",
          + "alpaca",
          + "goblin",
          + "zephyr",
            # (23 unchanged elements hidden)
        ]
        # (5 unchanged attributes hidden)
        # (3 unchanged blocks hidden)
    }

With these changes, the identifying fields (id, name, and tags) are always shown. For primitives (string, number, or bool), a field is only shown if it is changed, added, or removed. For map, set, object, list, and tuple types, only added or removed elements are shown.

With this release, it is now possible to declare input variables and module outputs as sensitive. Terraform then redacts the value from CLI output, which prevents it from leaking into downstream systems that consume Terraform output, such as logging or version control. A variable is declared sensitive by setting its sensitive argument to true:

variable "user_information" {
  type = object({
    name    = string
    address = string
  })
  sensitive = true
}

resource "some_resource" "a" {
  name    = var.user_information.name
  address = var.user_information.address
}

This will then obfuscate the value in plan and apply outputs:

Terraform will perform the following actions:

  # some_resource.a will be created
  + resource "some_resource" "a" {
      + name    = (sensitive)
      + address = (sensitive)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Note that this only obfuscates the value in the plan and apply output; it is still recorded in plaintext in the state. This means that anyone with access to the state can still read the sensitive data. More details on how best to handle sensitive data within state can be found in the Terraform documentation.
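As an added example (not from the article or HashiCorp's documentation), the following configuration extends the snippet above to a module output, which Terraform 0.14 also requires to be marked sensitive when it references a sensitive value, and pairs it with the state-side mitigation the caveat above calls for. The resource type, attribute names, and backend bucket names are assumptions.

```hcl
# Input variable marked sensitive: its value is redacted in plan/apply output.
variable "db_password" {
  type      = string
  sensitive = true
}

# The argument that receives the value is rendered as (sensitive) in the
# plan, but the real string is still written to the state file.
# "some_resource" and its "password" attribute are assumed for illustration.
resource "some_resource" "db" {
  name     = "app-db"
  password = var.db_password
}

# An output derived from a sensitive value must itself be declared
# sensitive; Terraform 0.14 refuses to plan if it is not.
output "db_connection" {
  value     = "postgres://app:${var.db_password}@${some_resource.db.name}"
  sensitive = true
}

# Because the state holds the plaintext, the redaction above is not enough on
# its own: keep the state in an encrypted, access-controlled remote backend
# rather than a local terraform.tfstate committed to version control.
# Bucket and table names below are placeholders.
terraform {
  backend "s3" {
    bucket         = "example-tfstate"
    key            = "app/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "example-tfstate-lock"
  }
}
```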

This release also introduces a dependency lock file that is generated automatically when terraform init is run. The lock file currently covers providers only. Since Terraform 0.13 it has been possible to install providers from customer-controlled or third-party remote registries; the new lock file helps ensure that a run uses the same provider versions as previous runs, so it is recommended to commit the generated lock file to source control. Upgrading to a newer provider version is done with terraform init -upgrade.

HashiCorp is also committing to forward compatibility of state files for the time being: Terraform 0.14.0 will be able to share state files with future versions of Terraform. They note that this may need to change in a future release if a new state file format is required.

More details can be found within the Terraform changelog. The HashiCorp Learn tutorials have also been updated to include these new features. This release can be downloaded from the Terraform site.
