Can Terraform mask variables in the console output?

Question

I wanted to post this as a feature request but I wanted to see if anyone else has found some clever way of doing this before I post. Or maybe someone from Hashicorp can tell me this will be a feature in the coming

I have looked high and low for some way to mask variables from the console when running terraform apply/show. Preferably trying to mask variables using a local-exec provisioner when passing variables to a script.

A tool called Terrahelp is the only thing I can find that will do this but it will only apply to variables in a tfvars file which doesn't allow interpolations. This doesn't help since we are trying to use Vault to keep secrets out of the terraform files.

Current Versions
Terraform v0.11.7
provider.null v1.0.0
provider.template v1.0.0
provider.vault v1.3.1
provider.vsphere v1.8.1

Use Case

provisioner "local-exec" {
    command = "&'${path.module}\\scripts\\script.ps1' -name ${var.node_name} -pass '${var.pass}' -user ${var.user} -server ${var.server}"
    interpreter = ["Powershell", "-Command"]
  }  

Attempted Solutions I'm using Vault to keep secrets out of the Terraform files, so I am using the vault provider and calling data from it. I have tried to create a module and output the secrets with the sensitive = true value and then calling that module to use the secrets however that still shows in the console.

Proposal

Allow some kind of sensitive value much like output to variables within Terraform. So if scripts like the above are called in the console they won't show sensitive variable information.

References https://github.com/hashicorp/terraform/issues/16114 https://github.com/hashicorp/terraform/issues/16643

Answer 1

Terraform 13 was released since this question was asked, and allows variables to be marked as sensitive and not shown in the console.

https://www.terraform.io/docs/configuration/outputs.html#sensitive-suppressing-values-in-cli-output