Add sensitive variable docs for nested blocks

Add note to docs about nested block behavior for sensitive variables
2020-10-05 11:34:04 -04:00 · 2020-10-05 11:34:04 -04:00 · 4d01fc88fc
parent 367c82c5ae
commit 4d01fc88fc
1 changed files with 26 additions and 0 deletions
--- a/website/docs/configuration/variables.html.md
+++ b/website/docs/configuration/variables.html.md
@ -250,6 +250,32 @@ Terraform will perform the following actions:
 Plan: 1 to add, 0 to change, 0 to destroy.
 ```

+In some cases where a sensitive variable is used in a nested block, the whole block can be redacted. This happens with resources which can have multiple blocks of the same type, where the values must be unique. This looks like:
+
+```
+# main.tf
+
+resource "some_resource" "a" {
+  nested_block {
+    user_information  = var.user_information # a sensitive variable
+    other_information = "not sensitive data"
+  }
+}
+
+# CLI output
+
+Terraform will perform the following actions:
+
+  # some_resource.a will be updated in-place
+  ~ resource "some_resource" "a" {
+      ~ nested_block {
+          # At least one attribute in this block is (or was) sensitive,
+          # so its contents will not be displayed.
+        }
+    }
+
+```
+
 #### Cases where Terraform may disclose a sensitive variable

 A `sensitive` variable is a configuration-centered concept, and values are sent to providers without any obfuscation. A provider error could disclose a value if that value is included in the error message. For example, a provider might return the following error even if "foo" is a sensitive value: `"Invalid value 'foo' for field"`