Hello, bear with me as I am a nooby. I’m working on a task to export Azure resources and resource groups into Terraform scripts and state files using the aztfexport tool and saving them in Azure Blob as backup. The goal is to automate this process using a PowerShell script with read-only privileges and avoid exporting sensitive information (e.g., secrets).
Interactive Mode Works for Manually Excluding Secrets:
When running **aztfexport** with read-only access in interactive mode, I can manually exclude secrets during the export process. This works well and avoids issues related to accessing sensitive information (e.g., Key Vault secrets or certificates). However, the resulting Terraform configuration isn’t fully functional for terraform plan because sensitive fields are replaced with placeholders like:

```hcl
resource "azurerm_linux_virtual_machine" "res-2" {
  admin_password = "ignored-as-imported"
}
```
Non-Interactive Mode Fails with Read-Only Access:
When running aztfexport in non-interactive mode, the tool attempts to export sensitive fields like Certificates and Secrets. Since my read-only account doesn’t have access to these fields, the export process fails.
Goal
I want to ensure secrets and certificates are excluded automatically during the export process, particularly in non-interactive mode. Ideally, I’d like to use a query, configuration, or script to handle this without requiring manual intervention.
How can I configure aztfexport to automatically exclude sensitive information, such as secrets or admin passwords, in non-interactive mode, possibly using queries, filters, flags, or other configurations to prevent failures during the export process? Can you recommend another way to go about backing up my resources?
Any guidance would be greatly appreciated!
Use -exclude-secrets flag: aztfexport has an option to exclude secrets from the exported Terraform configuration. By default, it includes all the data in the exported files. To automatically exclude secrets, use the -exclude-secrets flag when running the tool.
Example command:
```
aztfexport -subscriptionId -exclude-secrets -outputDirectory ./output
```
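
A check that can run between the export and the blob upload, as an added example that is not part of the original posts: it scans the exported `.tf` files and `terraform.tfstate` for sensitive-looking attributes that hold a real value rather than the `ignored-as-imported` placeholder shown in the question. The function name, the attribute-name list and the sample files are assumptions constructed for illustration.

```powershell
# Added example. The attribute-name list is an assumption; extend it for your resource types.
$SensitiveNames = 'password|secret|private_key|connection_string|access_key|sas_token'
$Placeholder    = 'ignored-as-imported'   # placeholder value shown in the question's HCL

function Find-ExportedSecret {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $files = Get-ChildItem -Path $Path -Recurse -File

    # HCL: a sensitive-looking attribute set to a literal string other than the placeholder.
    $hcl = '^\s*(\w*(' + $SensitiveNames + ')\w*)\s*=\s*"([^"]*)"'
    foreach ($m in $files | Where-Object Extension -eq '.tf' | Select-String -Pattern $hcl) {
        $g = $m.Matches[0].Groups
        if ($g[3].Value -and $g[3].Value -ne $Placeholder) {
            $findings += [pscustomobject]@{ File = $m.Filename; Attribute = $g[1].Value }
        }
    }

    # State: top-level string attributes of every resource instance.
    foreach ($state in $files | Where-Object Extension -eq '.tfstate') {
        $json = Get-Content -Raw -Path $state.FullName | ConvertFrom-Json
        foreach ($res in $json.resources) {
            foreach ($inst in $res.instances) {
                foreach ($p in $inst.attributes.PSObject.Properties) {
                    if ($p.Name -match $SensitiveNames -and $p.Value -is [string] -and $p.Value) {
                        $findings += [pscustomobject]@{
                            File = $state.Name; Attribute = "$($res.type).$($res.name).$($p.Name)" }
                    }
                }
            }
        }
    }
    $findings
}

# Constructed sample export (not real aztfexport output).
$dir = Join-Path ([IO.Path]::GetTempPath()) "export-scan-$(Get-Random)"
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content (Join-Path $dir 'main.tf') @'
resource "azurerm_linux_virtual_machine" "res-2" {
  admin_password = "ignored-as-imported"
}
'@
Set-Content (Join-Path $dir 'terraform.tfstate') '{"resources":[{"type":"azurerm_linux_virtual_machine","name":"res-2","instances":[{"attributes":{"name":"vm1","admin_password":"constructed-value"}}]}]}'

$hits = Find-ExportedSecret -Path $dir
if ($hits) { $hits | Format-Table; Write-Warning 'Secret values found; skipping blob upload.' }
else       { Write-Host 'Clean export; continue with the blob upload step.' }
```

The state file is the part to watch: Terraform state stores attribute values in plain text, so a placeholder in the HCL does not mean the state is free of secrets.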