I have a module database which outputs the database password as a sensitive output:
# terraform/database/outputs.tf
output "password" {
value = aws_db_instance.db.password
sensitive = true
}
I have a module app that depends on the database module and wanted to take the database password as a sensitive variable:
# terragrunt/_env/app.hcl
dependency "database" {
config_path = find_in_parent_folders("database")
}
inputs = {
db_password = dependency.database.outputs.password
}
# terraform/app/variables.tf
variable "db_password" {
type = string
sensitive = true
}
When I terragrunt apply the app module, I got the error complaining Unsupported attribute; This object does not have an attribute named "password". I understand the sensitive=true in the database module's output makes the output not included in the output file. Does the app module take the dependent variable from the output file or the dependent module's state file?
To answer myself, the problem in my case is that my AWS RDS database was not set up with an explicit password but auto-generated with AWS secret manager, so aws_rds_instance.db.password is (effectively) null. So to solve my problem, I need to pass the secret manager id and retrieve the password in the app, instead of relying on the sensitive output/input of terraform.
What is interesting to notice is that, when I pass a "plain" null to a sensitive output, I can see from the state file that Terraform does output this variable password which has a null value.
output "password" {
value = null
sensitive = true
}
But when my value is aws_db_instance.db.password which is a sensitive null (see below), Terraform skips including it in the output. Not sure if this is the expected behavior of Terraform but it is somehow misleading.
> aws_db_instance.db.password
(sensitive value)
> nonsensitive(aws_db_instance.db.password)
tostring(null)
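
One way to wire up the fix described above, passing the Secrets Manager secret to the app module instead of the password. This is an added example, not part of the original post; it assumes the instance was created with manage_master_user_password = true, and the names db_secret_arn, app_role_name and read_db_secret are hypothetical.

```hcl
# terraform/database/outputs.tf
# Assumption: aws_db_instance.db sets manage_master_user_password = true,
# so RDS keeps the generated password in Secrets Manager and exposes the
# secret through master_user_secret. The ARN is an identifier, not a secret.
output "db_secret_arn" {
  value = aws_db_instance.db.master_user_secret[0].secret_arn
}

# terragrunt/_env/app.hcl
dependency "database" {
  config_path = find_in_parent_folders("database")
}

inputs = {
  db_secret_arn = dependency.database.outputs.db_secret_arn
}

# terraform/app/variables.tf
variable "db_secret_arn" {
  type = string
}

variable "app_role_name" { # hypothetical: name of the IAM role the app runs as
  type = string
}

# terraform/app/iam.tf
# Grant the app role read access to this one secret only, so the app
# fetches the password at runtime rather than receiving it from Terraform.
data "aws_iam_policy_document" "read_db_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [var.db_secret_arn]
  }
}

resource "aws_iam_role_policy" "read_db_secret" {
  name   = "read-db-secret"
  role   = var.app_role_name
  policy = data.aws_iam_policy_document.read_db_secret.json
}
```

With this layout the password itself never appears in a Terraform output, a terragrunt input or the app module's state. If the secret is encrypted with a customer-managed KMS key, the role also needs kms:Decrypt on that key.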