Sensitive Terraform Cloud variables are included in Sentinel mocks

Hashicorp’s Sentinel framework allows you to write tests using a mock Terraform plan file. A tarball of mock files can be downloaded from the run detail page on Terraform Cloud:

The tarball includes these files:

• mock-tfconfig-v2.sentinel
• mock-tfconfig.sentinel
• mock-tfplan-v2.sentinel
• mock-tfplan.sentinel
• mock-tfrun.sentinel
• mock-tfstate-v2.sentinel
• mock-tfstate.sentinel
• sentinel.json

What I only recently realised is that the *-tfplan* files include all your workspace variables in plain text, including those marked as sensitive.

To be fair the Terraform docs do warn that mocks can contain sensitive state values but I hadn’t expected the workspace variables to be included.

Moral of the story: don’t naively commit a Sentinel mock file, downloaded from Terraform Cloud, into source control.