Output of the run shows sensitive outputs #15

Open
stueccles opened this issue Apr 28, 2021 · 3 comments

Comments

@stueccles

Because the output of the run is being got directly from the state, it prints sensitive output values to the GitHub Action log.

Would be good to suppress this like the CLI does or at least make it an option.

@kvrhdn
Owner

kvrhdn commented Apr 28, 2021

Ouch, that's not good. We are indeed just printing all outputs here...

https://github.com/kvrhdn/go-tfe-run/blob/104d8cce779fddd82ad7a9e81fe74090b02742a9/tferun.go#L311-L314

I see it's possible to mark an output as sensitive: https://www.terraform.io/docs/language/values/outputs.html#sensitive-suppressing-values-in-cli-output
Do you know if this is recorded in the state file as well?

The current implementation downloads the state file from Terraform Cloud and then maps the received []byte onto a minimal implementation of the state file. If sensitive is part of the state file, we can also parse it and filter it from the printing then.

IMO there are two good options:

  • add an option to not print any outputs at all
  • check that an output is sensitive, if so don't print it

What would work best for your workflow?

@stueccles
Author

For my workflow I don't need outputs to be printed at all.

If you get the state version through the API (and include the outputs with ?include=outputs) https://www.terraform.io/docs/cloud/api/state-versions.html#fetch-the-current-state-version-for-a-workspace the response will tell you if an output has been marked sensitive or not.

@dkirrane

Created a PR for this kvrhdn/go-tfe-run#19
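
The two options kvrhdn lists above (print no outputs at all, or skip outputs marked sensitive), sketched in Go as an added example; this is not code from go-tfe-run, from the linked PR, or from any participant in this thread. It assumes each entry in the state file's `outputs` map carries a `sensitive` boolean, as in Terraform's version 4 state format; `stateOutputs`, `SafeOutputLines` and the sample state are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// stateOutputs is a hypothetical minimal view of a state file: only the
// "outputs" map, with the "sensitive" flag assumed from state format v4.
type stateOutputs struct {
	Outputs map[string]struct {
		Value     json.RawMessage `json:"value"`
		Sensitive bool            `json:"sensitive"`
	} `json:"outputs"`
}

// SafeOutputLines returns sorted "name = value" lines with sensitive values
// masked, nothing when printOutputs is false, and an error (no lines) on bad input.
func SafeOutputLines(state []byte, printOutputs bool) ([]string, error) {
	if !printOutputs {
		return nil, nil
	}
	var s stateOutputs
	if err := json.Unmarshal(state, &s); err != nil {
		return nil, fmt.Errorf("parsing state: %w", err)
	}
	names := make([]string, 0, len(s.Outputs))
	for name := range s.Outputs {
		names = append(names, name)
	}
	sort.Strings(names)
	lines := make([]string, 0, len(names))
	for _, name := range names {
		value := string(s.Outputs[name].Value)
		if s.Outputs[name].Sensitive {
			value = "<sensitive>"
		}
		lines = append(lines, name+" = "+value)
	}
	return lines, nil
}

// Constructed sample state, not taken from a real workspace.
const sampleState = `{"version": 4, "outputs": {
  "db_password": {"value": "constructed-secret", "type": "string", "sensitive": true},
  "endpoint": {"value": "https://example.invalid", "type": "string"}}}`

func main() { fmt.Println(SafeOutputLines([]byte(sampleState), true)) }
```

Masking happens before any line is built, so the secret value never reaches a string that could later be logged; a state file that fails to parse yields an error and no output lines.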
