
Sensitive Terraform Cloud variables are included in Sentinel mocks

Hashicorp’s Sentinel framework allows you to write tests using a mock Terraform plan file. A tarball of mock files can be downloaded from the run detail page on Terraform Cloud:

[Screenshot: Terraform Cloud run page with the "Download Sentinel mocks" option]

The tarball includes these files:

What I only recently realised is that the `*-tfplan*` mock files include all your workspace variables in plain text, including those marked as sensitive.

To be fair, the Terraform docs do warn that mocks can contain sensitive state values, but I hadn't expected the workspace variables to be included as well.

[Screenshot: Terraform Cloud documentation warning that mocks may contain sensitive values]

Moral of the story: don't naively commit a Sentinel mock file downloaded from Terraform Cloud into source control.
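A practical way to enforce that moral is a pre-commit gate. The script below is an added example (not part of the original post and not HashiCorp's tooling): it refuses to commit files whose names look like Terraform Cloud Sentinel mock artifacts, and it can confirm that a mock file really does carry a given sensitive value verbatim. The file-name patterns (`mock-tf*.sentinel`, `*sentinel-mocks*.tar.gz`) are assumptions based on how the downloaded tarball and its contents are commonly named; adjust them to what you actually see in your own download.

```shell
#!/bin/sh
# Added example: block Terraform Cloud Sentinel mock files from being committed.
# Not part of the original post; file-name patterns below are assumptions.

# Return 0 if the path looks like a Sentinel mock artifact downloaded from
# Terraform Cloud (an individual mock-tf*.sentinel file or the whole tarball).
is_sentinel_mock() {
  case "$1" in
    */mock-tf*.sentinel|mock-tf*.sentinel|*sentinel-mocks*.tar.gz) return 0 ;;
    *) return 1 ;;
  esac
}

# Scan a whitespace/newline separated list of paths (e.g. git's staged files).
# Prints every offender to stderr; returns 1 if any were found, 0 otherwise.
check_paths() {
  found=0
  for p in $1; do
    if is_sentinel_mock "$p"; then
      echo "refusing to commit Terraform Cloud Sentinel mock: $p" >&2
      found=1
    fi
  done
  return $found
}

# Return 0 if FILE ($1) contains the literal string VALUE ($2).
# Useful to verify that a mock you already hold carries a sensitive workspace
# variable in plain text before deciding how to handle it.
mock_leaks_value() {
  grep -qF -- "$2" "$1"
}

# Stand-alone usage: pass the paths to check as arguments, e.g. from
# .git/hooks/pre-commit:
#   sh check-mocks.sh $(git diff --cached --name-only --diff-filter=ACM) || exit 1
if [ "$#" -gt 0 ]; then
  check_paths "$*" || exit 1
fi
```

Pair the hook with matching `.gitignore` entries (`mock-tf*.sentinel`, `*sentinel-mocks*.tar.gz`) so the files are not staged by accident in the first place; the hook then catches anyone who force-adds them. If a mock has already been committed, treat every sensitive workspace variable it contained as exposed and rotate it, because removing the file from history is not enough.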