How do I store sensitive secrets generated from Terraform in Spacelift?

Last updated: September 8, 2025

Context

When using Terraform to generate sensitive values (like Azure AD application secrets), you may want to store and retrieve these values securely within Spacelift. This is particularly important when you want to avoid exposing sensitive values in logs or need to access them across different stacks or spaces.

Answer

Spacelift handles sensitive Terraform outputs in the following ways:

  1. Between Stacks: You can pass sensitive outputs between stacks using stack dependencies. This works even across different spaces.

    • Enable dependency sharing between stacks

    • Mark your outputs as sensitive in your Terraform configuration

    • Reference these outputs in dependent stacks

  2. Limitations:

    • Sensitive outputs are not stored for later viewing in plaintext

    • Users cannot directly access sensitive output values

    • Using nonsensitive() or terraform output commands will expose values in logs and should be avoided
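The steps under "Between Stacks" as a configuration sketch. This is an added example, not Spacelift's own code: it assumes the dependency is managed with the Spacelift Terraform provider, and the stack IDs ("identity", "app-deploy"), resource labels and the output/variable name "client_secret" are hypothetical.

```hcl
# --- Producer stack (hypothetical stack ID "identity") ---
# Assumes an azuread_application.app resource is defined elsewhere in this stack.
resource "azuread_application_password" "app" {
  application_id = azuread_application.app.id
}

output "client_secret" {
  value     = azuread_application_password.app.value
  sensitive = true # redacted in run output; do not wrap in nonsensitive()
}

# --- Administrative stack that manages Spacelift resources ---
resource "spacelift_stack_dependency" "app_on_identity" {
  stack_id            = "app-deploy" # hypothetical consumer stack
  depends_on_stack_id = "identity"   # hypothetical producer stack
}

resource "spacelift_stack_dependency_reference" "client_secret" {
  stack_dependency_id = spacelift_stack_dependency.app_on_identity.id
  output_name         = "client_secret"        # output declared in the producer
  input_name          = "TF_VAR_client_secret" # environment variable set on the consumer
}

# --- Consumer stack (hypothetical stack ID "app-deploy") ---
variable "client_secret" {
  type      = string
  sensitive = true # keeps the value redacted in this stack's logs as well
}
```

Declaring the consumer's variable as sensitive matters as much as the producer's output: without it, any plan output that interpolates the value would print it in the dependent stack's run log.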

For more information, refer to: