On , I learnt ...
Sensitive Terraform Cloud variables are included in Sentinel mocks
HashiCorp’s Sentinel framework allows you to write policy tests against a mock Terraform plan instead of a live run. A tarball of mock files can be downloaded from the run detail page on Terraform Cloud.
The tarball includes these files:
mock-tfconfig-v2.sentinel
mock-tfconfig.sentinel
mock-tfplan-v2.sentinel
mock-tfplan.sentinel
mock-tfrun.sentinel
mock-tfstate-v2.sentinel
mock-tfstate.sentinel
sentinel.json
What I only recently realised is that the tfplan mock files (mock-tfplan.sentinel and mock-tfplan-v2.sentinel) include all your workspace variables in plain text, including those marked as sensitive.
To be fair, the Terraform docs do warn that mocks can contain sensitive state values, but I hadn’t expected the workspace variables to be included.
Moral of the story: don’t naively commit a Sentinel mock file downloaded from Terraform Cloud into source control. Treat the tarball as you would a state file: inspect the variables block in the tfplan mocks (and the state mocks, which the docs already warn about) and strip or redact any sensitive values before the files go anywhere near a repository.
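As an added illustration (not code from the original post, and not a HashiCorp tool), the script below scans a mock tarball for the tfplan mock files, lists which workspace variables appear in their variables block, and redacts the values of the ones you name as sensitive before the file is committed. It assumes the variables block has the shape `"name": "value"` in mock-tfplan.sentinel and `"name": { "name": ..., "value": ... }` in mock-tfplan-v2.sentinel (string or bare scalar values only), and the sample mocks and tarball are constructed in memory rather than downloaded. Because the mock itself does not flag which variables are sensitive, the caller supplies that list.

```python
"""Find and redact workspace variable values in Sentinel mock files before committing them.

Added example; the mock layout is an approximation of the tfplan / tfplan-v2 mock
formats and the sample files are constructed, not downloaded from Terraform Cloud.
"""
import io
import re
import tarfile

# Constructed sample mocks (assumed layout, see lead-in).
SAMPLE_TFPLAN_V2 = '''terraform_version = "1.5.7"

variables = {
	"region": {
		"name":  "region",
		"value": "eu-west-1",
	},
	"db_password": {
		"name":  "db_password",
		"value": "s3cret-{not-really}",
	},
}

planned_values = {
	"resources": {},
}
'''

SAMPLE_TFPLAN_V1 = '''terraform_version = "1.5.7"

variables = {
	"region":      "eu-west-1",
	"db_password": "s3cret-{not-really}",
}
'''

MOCK_FILE_RE = re.compile(r"(^|/)mock-tfplan(-v2)?\.sentinel$")
STRING = r'"(?:[^"\\]|\\.)*"'
# v2 layout: "name": { "name": ..., "value": <value> }
V2_ENTRY = re.compile(r'"([^"]+)":\s*\{[^{}]*?"value":\s*(' + STRING + r'|[^,\s{}]+)')
# v1 layout: "name": <value>,
V1_ENTRY = re.compile(r'"([^"]+)":\s*(' + STRING + r'|[^,\s{}]+)\s*,')


def variables_span(text):
    """Return (start, end) of the body of the top-level `variables = { ... }` block.

    Braces inside string literals are skipped so a value like "a{b" does not
    unbalance the count. Returns None when the block is absent.
    """
    m = re.search(r"^variables\s*=\s*\{", text, re.M)
    if not m:
        return None
    depth, in_str, i = 1, False, m.end()
    while i < len(text) and depth:
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        i += 1
    if depth:
        raise ValueError("unterminated variables block")
    return m.end(), i - 1


def extract_variables(text):
    """Return {name: raw value literal} for the workspace variables in a mock."""
    span = variables_span(text)
    if span is None:
        return {}
    body = text[span[0]:span[1]]
    entries = V2_ENTRY.findall(body) or V1_ENTRY.findall(body)
    return dict(entries)


def redact(text, names):
    """Replace the values of the named variables with "<redacted>", touching only the variables block."""
    span = variables_span(text)
    if span is None:
        return text
    start, end = span
    body = text[start:end]
    pattern = V2_ENTRY if V2_ENTRY.search(body) else V1_ENTRY

    def sub(m):
        if m.group(1) not in names:
            return m.group(0)
        vs, ve = m.span(2)      # swap out just the value literal, keep key and layout
        return m.group(0)[: vs - m.start()] + '"<redacted>"' + m.group(0)[ve - m.start():]

    return text[:start] + pattern.sub(sub, body) + text[end:]


def scan_tarball(tar_bytes, sensitive_names):
    """Return (member, variable) pairs for sensitive variables present in the tfplan mocks."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not MOCK_FILE_RE.search(member.name):
                continue
            text = tar.extractfile(member).read().decode("utf-8")
            hits.extend((member.name, n) for n in extract_variables(text) if n in sensitive_names)
    return hits


def build_sample_tarball():
    """Build an in-memory tarball shaped like the Terraform Cloud mock download (constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in (("mock-tfplan-v2.sentinel", SAMPLE_TFPLAN_V2),
                              ("mock-tfplan.sentinel", SAMPLE_TFPLAN_V1),
                              ("mock-tfstate-v2.sentinel", 'terraform_version = "1.5.7"\n'),
                              ("sentinel.json", '{"mock": {}}\n')):
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sensitive = {"db_password"}
    for member, var in scan_tarball(build_sample_tarball(), sensitive):
        print(f"{member}: sensitive variable {var!r} present in plain text")
    print(redact(SAMPLE_TFPLAN_V2, sensitive))
```

Run as a pre-commit step, a non-empty result from scan_tarball is a reason to fail the commit; redact keeps the mock structurally valid for policy tests that do not depend on the actual secret, which is usually the case since Sentinel policies rarely assert on a password's value.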