Variable validation reveals sensitive value #2219

Closed
@ancoron

OpenTofu Version

OpenTofu v1.8.5
on linux_amd64

OpenTofu Configuration Files

variable "passphrase" {
  type      = string
  sensitive = true
  nullable  = false
  validation {
    condition     = length(var.passphrase) > 23
    error_message = "Provided passphrase is not long enough."
  }
}

Debug Output

https://gist.github.com/ancoron/55b17c19a8735266b2a4907618fd30ab

Expected Behavior

Sensitive value masked just like in other output places

Actual Behavior

The value leaks into output:

│ Error: Invalid value for variable
│ 
│   on main.tf line 1:
│    1: variable "passphrase" {
│     ├────────────────
│     │ var.passphrase is "Leaked through logs"
│ 
│ Provided passphrase is not long enough.
│ 
│ This was checked by the validation rule at main.tf:5,3-13.

Steps to Reproduce

  1. tofu plan -var='passphrase=Leaked through logs'

Additional Context

No response

References

No response
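
Added example, not part of the original report and not OpenTofu code: a filter for captured `tofu` output that masks the `var.<name> is ...` snippet line shown under Actual Behavior when the variable is declared `sensitive = true`. The `region` variable and its value, the `[REDACTED]` marker, and the simplified line-based scan of the configuration (one attribute per line, no full HCL parsing) are assumptions made for the illustration.

```python
import re

VAR_HEADER = re.compile(r'^\s*variable\s+"([^"]+)"\s*\{')
SENSITIVE = re.compile(r'^\s*sensitive\s*=\s*true\b')
# Snippet line from the diagnostic in this report: `│ var.<name> is <value>`
LEAK_LINE = re.compile(r'^(?P<prefix>.*?\bvar\.(?P<name>[A-Za-z_][\w-]*) is ).+$')

# Constructed sample input: the reporter's variable plus a non-sensitive one.
SAMPLE_TF = '''variable "passphrase" {
  type      = string
  sensitive = true
  validation {
    condition     = length(var.passphrase) > 23
    error_message = "Provided passphrase is not long enough."
  }
}
variable "region" {
  type = string
}'''
SAMPLE_OUTPUT = '''│     │ var.passphrase is "Leaked through logs"
│     │ var.region is "eu-west-1"
│ Provided passphrase is not long enough.'''

def sensitive_variables(tf_source):
    """Names of variables whose top-level attributes include `sensitive = true`."""
    names, current, depth = set(), None, 0
    for line in tf_source.splitlines():
        if current is None:
            m = VAR_HEADER.match(line)
            if m:
                current, depth = m.group(1), 1
            continue
        if depth == 1 and SENSITIVE.match(line):
            names.add(current)
        depth += line.count("{") - line.count("}")  # track nested blocks
        if depth <= 0:
            current = None
    return names

def scrub(output, sensitive):
    """Return (masked_text, leaked_names) for captured diagnostic output."""
    leaked, out = [], []
    for line in output.splitlines():
        m = LEAK_LINE.match(line)
        if m and m.group("name") in sensitive:
            leaked.append(m.group("name"))
            line = m.group("prefix") + "[REDACTED]"
        out.append(line)
    return "\n".join(out), leaked
```

A non-empty `leaked_names` list is also a signal that the value has already reached the terminal or an unfiltered log and should be rotated.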

Labels

accepted: This issue has been accepted for implementation.
bug: Something isn't working
