How to see the diff that terraform plan hides because of sensitive attributes
In Terraform, a block that contains a sensitive value has its diff hidden in the plan output. This is by design, for security reasons, but it is sometimes inconvenient not to be able to check what actually changes.
```text
# aws_elastic_beanstalk_environment.this will be updated in-place
~ resource "aws_elastic_beanstalk_environment" "this" {
    # (omitted)
    ~ setting {
        # At least one attribute in this block is (or was) sensitive,
        # so its contents will not be displayed.
      }
  }
```
With a script like the following, you can see the diff (jq is required).
tf_diff.sh
```bash
#!/usr/bin/env bash
set -euo pipefail
TF_TARGET=$1
# Save the plan for the single target resource to a file.
# Note: the plan file and its JSON view contain the sensitive values in plain text.
terraform plan -target "${TF_TARGET}" -out=tmp.tfplan
# Extract the "before" and "after" state of the target from the JSON plan and diff them.
diff -U5 \
  <(terraform show -json tmp.tfplan | jq -r '.resource_changes[] | select(.address == "'"$TF_TARGET"'") | .change.before') \
  <(terraform show -json tmp.tfplan | jq -r '.resource_changes[] | select(.address == "'"$TF_TARGET"'") | .change.after') \
  || true # diff exits with 1 when there is a difference; keep going so the cleanup below runs
rm tmp.tfplan
```
```text
$ ./tf_diff.sh aws_elastic_beanstalk_environment.this
# (omitted)
Saved the plan to: tmp.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "tmp.tfplan"
--- /dev/fd/63 2022-10-24 08:12:02.000000000 +0900
+++ /dev/fd/62 2022-10-24 08:12:02.000000000 +0900
@@ -937,353 +937,353 @@
# (omitted)
       {
         "name": "FOO",
         "namespace": "aws:elasticbeanstalk:application:environment",
         "resource": "",
-        "value": "false"
+        "value": "true"
       },
# (omitted)
```
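The script above dumps the whole before/after objects and leaves it to `diff` to find the change. As an added example that is not part of the original article, the following Python does the same walk over the `terraform show -json` structure (`resource_changes[].change.before/after`), but reports only the leaves that changed and consults `before_sensitive`/`after_sensitive` so that values Terraform marks sensitive are redacted unless you explicitly ask for them. The plan JSON embedded here is constructed in the documented shape, not real output; `DB_PASSWORD` and its values are made up for illustration.

```python
"""Leaf-level before/after diff of one resource in `terraform show -json` output,
flagging leaves that Terraform marks in before_sensitive/after_sensitive."""
import json

# Constructed sample in the shape of `terraform show -json tmp.tfplan`
# (only the fields used here; not real output from the article's plan).
NS = "aws:elasticbeanstalk:application:environment"
SAMPLE_PLAN = json.dumps({"format_version": "1.1", "resource_changes": [{
    "address": "aws_elastic_beanstalk_environment.this",
    "change": {
        "actions": ["update"],
        "before": {"setting": [
            {"name": "FOO", "namespace": NS, "resource": "", "value": "false"},
            {"name": "DB_PASSWORD", "namespace": NS, "resource": "", "value": "hunter2"}]},
        "after": {"setting": [
            {"name": "FOO", "namespace": NS, "resource": "", "value": "true"},
            {"name": "DB_PASSWORD", "namespace": NS, "resource": "", "value": "s3cret"}]},
        # Terraform mirrors the value tree and puts `true` at sensitive leaves.
        "before_sensitive": {"setting": [{}, {"value": True}]},
        "after_sensitive": {"setting": [{}, {"value": True}]}}}]})


def _leaves(node, path=()):
    """Yield (path, value) for every scalar leaf of a nested JSON value."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _leaves(val, path + (key,))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from _leaves(val, path + (idx,))
    else:
        yield path, node


def _is_sensitive(tree, path):
    """Follow `path` into a *_sensitive tree; `true` at any level marks it sensitive."""
    for key in path:
        if tree is True:
            return True
        try:
            tree = tree[key]
        except (KeyError, IndexError, TypeError):
            return False
    return tree is True


def diff_resource(plan_json, address, reveal=False):
    """Return changed leaves for `address` as dicts: path, before, after, sensitive."""
    plan = json.loads(plan_json)
    change = next(r for r in plan["resource_changes"] if r["address"] == address)["change"]
    before, after = dict(_leaves(change.get("before") or {})), dict(_leaves(change.get("after") or {}))
    result = []
    for path in sorted(set(before) | set(after), key=str):
        b, a = before.get(path), after.get(path)
        if b == a:
            continue  # unchanged leaf: skip, like the `-` / `+` lines diff would not print
        sensitive = _is_sensitive(change.get("before_sensitive"), path) or \
            _is_sensitive(change.get("after_sensitive"), path)
        if sensitive and not reveal:
            b, a = "(sensitive)", "(sensitive)"  # show *that* it changed without leaking the value
        result.append({"path": "/".join(map(str, path)), "before": b, "after": a, "sensitive": sensitive})
    return result


if __name__ == "__main__":
    for c in diff_resource(SAMPLE_PLAN, "aws_elastic_beanstalk_environment.this"):
        print(f"~ {c['path']}: {c['before']!r} -> {c['after']!r}" + ("  [sensitive]" if c["sensitive"] else ""))
```

Run against a real plan with `terraform show -json tmp.tfplan` piped into `diff_resource`; pass `reveal=True` only when the output stays off shared logs and CI consoles.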
Environment
- Terraform 1.3.0
- jq 1.6