website: Initial docs for the provider_sensitive_attrs experiment

This is under a heading "Sensitive Resource Attributes" on the assumption
that if we later stabilize this feature then this heading will live on
with some different content that describes the propagation of sensitive
values from resource attributes, rather than describing the experiment.
This commit is contained in:
Martin Atkins 2020-12-01 17:25:11 -08:00
parent 67fe3bfd69
commit 832bd5f41f
1 changed files with 40 additions and 0 deletions

View File

@ -247,3 +247,43 @@ effect:
until the apply phase, causing the apply to fail.
Unknown values appear in the `terraform plan` output as `(not yet known)`.
### Sensitive Resource Attributes
When defining the schema for a resource type, a provider developer can mark
certain attributes as _sensitive_, in which case Terraform will show a
placeholder marker `(sensitive)` instead of the actual value when rendering
a plan involving that attribute.
The treatment of these particular sensitive values is currently different than
for values in
[input variables](/docs/configuration/variables.html)
and
[output values](/docs/configuration/outputs.html)
that have `sensitive = true` set. Sensitive resource attributes will be
obscured in the plan when they appear directly, but other values that you
_derive_ from a sensitive resource attribute will not themselves be considered
sensitive, and so Terraform will include those derived values in its output
without redacting them.
Terraform v0.14.0 and later has an
[experimental feature](/docs/configuration/terraform.html#experimental-language-features)
to treat resource attributes that are marked as sensitive in the same way as
sensitive input variables and output values, so that Terraform will consider
any derived values as sensitive too. You can activate that experiment for your
module using the `provider_sensitive_attrs` experiment keyword:
```hcl
terraform {
experiments = [provider_sensitive_attrs]
}
```
The behavior of this experiment might change even in future patch releases of
Terraform, so we don't recommend using this experiment in modules you use
to describe production infrastructure.
If you enable this experiment and you have exported any sensitive resource
attributes via your module's output values then you will see an error unless
you also mark the output value as `sensitive = true`, confirming your intent
to export it.