Closed
Description
If Docker dependencies build is used and the additional options contain a sensitive value, that value is shown in plain text in the plan.
- ✋ I have searched the open/closed issues and my issue is not listed.
Versions
- Module version [Required]: 7.20.1
- Terraform version: 1.11.4
- Provider version(s):
  - provider registry.terraform.io/datadog/datadog v3.60.0
  - provider registry.terraform.io/hashicorp/aws v5.95.0
  - provider registry.terraform.io/hashicorp/external v2.3.4
  - provider registry.terraform.io/hashicorp/http v3.4.5
  - provider registry.terraform.io/hashicorp/local v2.5.2
  - provider registry.terraform.io/hashicorp/null v3.2.4
  - provider registry.terraform.io/hashicorp/random v3.7.2
  - provider registry.terraform.io/mastercard/restapi v1.20.0
  - provider registry.terraform.io/mongodb/mongodbatlas v1.21.4
Reproduction Code [Required]
module "lambda_dependencies" {
  source = "terraform-aws-modules/lambda/aws"
  version = "~> 7.20.1"
  create_layer = true
  create_package = true
  build_in_docker = true
  docker_additional_options = [
    "-e", "SENSITIVE_VALUE=${sensitive("value")}"
  ]
  ...
}
Expected behavior
The sensitive value should not be shown in the plan.
Actual behavior
The sensitive value is exposed in the plan.
Terminal Output Screenshot(s)
# module.lambda_dependencies[0].local_file.archive_plan[0] will be created
+ resource "local_file" "archive_plan" {
    + content = jsonencode(
        {
          + artifacts_dir = "..."
          + build_plan = [
              + [
                  + [
                      + "pip",
                      + "python3.13",
                      + "./../../../../../requirements/requirements.txt",
                      + "python",
                      + null,
                    ],
                ],
            ]
          + docker = {
              + docker_additional_options = [
                  + "-e",
                  + "SENSITIVE_VALUE=value",
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^ THIS SHOULD BE REDACTED
                ]
              + docker_build_root = ""
              + docker_entrypoint = null
              + docker_file = ""
              + docker_image = ""
              + docker_pip_cache = null
              + with_ssh_agent = false
            }
          + filename = "..."
          + runtime = "python3.13"
        }
    )
    + ...
    + id = (known after apply)
  }
Additional context
The Lambda dependencies code is referencing private packages published in a Gemfury repository. To access that repository, an access token must be passed to pip.
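A check for the exposure reported above, as an added example that is not part of the original issue or of the module's code: it reads the output of `terraform show -json` and reports which `local_file` build plans carry `NAME=value` environment options in `docker_additional_options`, printing variable names only. The sample plan, the function names and the extra `--env=` form are assumptions constructed for illustration.

```python
import json

# Constructed sample: a trimmed `terraform show -json` document shaped like the
# plan output in the issue (addresses and values are illustrative).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "module.lambda_dependencies[0].local_file.archive_plan[0]",
        "type": "local_file",
        "change": {"after": {"content": json.dumps({
            "runtime": "python3.13",
            "docker": {"docker_additional_options": [
                "-e", "SENSITIVE_VALUE=value", "-e", "PIP_NO_CACHE_DIR", "--env=TOKEN=abc"]},
        })}},
    }]
})

def inline_env_names(options):
    """Return the names of variables passed to docker as NAME=value."""
    names, expect_value = [], False
    for opt in options or []:
        if expect_value:
            expect_value = False
            if "=" in opt:  # a bare NAME carries no value, so it is not flagged
                names.append(opt.split("=", 1)[0])
        elif opt in ("-e", "--env"):
            expect_value = True
        elif opt.startswith("--env=") and "=" in opt[len("--env="):]:
            names.append(opt[len("--env="):].split("=", 1)[0])
    return names

def find_exposed_env(plan_json):
    """Map resource address -> variable names whose values are readable in the plan."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        content = ((rc.get("change") or {}).get("after") or {}).get("content")
        if rc.get("type") != "local_file" or not isinstance(content, str):
            continue
        try:
            docker = json.loads(content).get("docker") or {}
        except (ValueError, AttributeError):
            continue  # content is not a JSON object, so it is not a build plan
        names = inline_env_names(docker.get("docker_additional_options"))
        if names:
            findings[rc["address"]] = names
    return findings

if __name__ == "__main__":
    for address, names in find_exposed_env(SAMPLE_PLAN).items():
        print(f"{address}: plaintext values for {', '.join(names)}")
```
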