Hasicorp’s Sentinel framework allows you to write tests using a mock Terraform plan file. A tarball of mock files can be downloaded from the run detail page on Terraform Cloud:
The tarball includes these files:
What I only recently realised is that the
*-tfplan* files include all your
workspace variables in plaintext, including those marked as sensitive.
To be fair the Terraform docs do warn that mocks can contain sensitive state values but I hadn’t expected the wholespace variables to be included.
Moral of the story: don’t naively commit a Sentinel mock file, downloaded from Terraform Cloud, into source control.