Skip to content
/ tfreveal Public

tfreveal shows a Terraform plan with all the secret values revealed

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

breml/tfreveal

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits
.github
.github
 
 
testdata
testdata
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.goreleaser.yml
.goreleaser.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
Taskfile.yml
Taskfile.yml
 
 
format.go
format.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
main_test.go
main_test.go
 
 

Repository files navigation

tfreveal

Test Status Go Report Card License

tfreveal is an open-source tool designed to enhance the visibility of Terraform plan files by displaying all differences in resources and outputs, including sensitive values. Unlike Terraform, which hides sensitive data, tfreveal reveals these values to ensure complete transparency in your infrastructure changes.

Motivation

Terraform does mask sensitive values in the output (e.g. from terraform plan) in order to protect them from being revealed to unauthorized 3rd parties.

But sometimes it is neccessary to see the exact changes, Terraform will perform to the infrastructure including all the changes to sensitive values. In particular, if one observes drift between the Terraform state and the actual state of the infrastructure, this becomes inevitable. So far, Terraform does not provide a feature to forcefully unmask the sensitive values in the concise diff plan outputs.

The general advice given by the Terraform maintainers is to use the JSON output in such cases. While the JSON output does provide all the necessary information, it is not perticularely easy to read for humans and to spot small differences. It gets even more complicated, if the changes are contained in larger JSON encoded values, that are marked as sensitive.

There exists instructions using for example jq, but the process stays manual, cumbersome and error prone.

tfreveal is here to fix this and provide an easy way to show the concise diff plan outputs with all sensitive values revealed.

Installation

Download the latest release from the releases page.

Usage

The plan file generated from Terraform can be directly piped to tfreveal:

$ terraform plan -out plan.out
$ terraform show -json plan.out | tfreveal

Alternatively, the plan file can also be passed as argument:

$ terraform plan -out plan.out
$ terraform show -json plan.out > plan.json
$ tfreveal plan.json

Development

The task to update the test data and the golden files is provided in the Taskfile.yml and can be executed by running task gen-all. This requires the task tool to be installed. Please refer to the official documentation.

Additionally the terraform command needs to be present in the PATH. Follow the official installation instructions.

Author

Copyright 2024 by Lucas Bremgartner (breml)

License

MIT License

Trademarks

All other trademarks referenced herein are the property of their respective owners.

About

tfreveal shows a Terraform plan with all the secret values revealed

Topics

go golang terraform sensitive-data opentofu

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 3

v0.0.3 Latest
Jun 9, 2024
+ 2 releases

Contributors 2

  •  
  •  

Languages