_This issue was originally opened by @zopanix as hashicorp/terraform#26185. It was migrated here as a result of the provider split. The original body of the issue is below._
Terraform v0.13.1

```hcl
data "aws_kms_secrets" "this" {
  secret {
    name    = "35-local-properties_uat"
    payload = file("./templates/uat/hybris/35-local.properties")
  }
}
```

N/A

N/A
Terraform does not display the plaintext field of those data sources in the plan.
In terraform 0.12.x the behavior was that the plain text values of the data sources (which are marked as sensitive in the provider code, https://github.com/terraform-providers/terraform-provider-aws/blob/bc480ffb51e2056dd2eaec0dc45af172adc50065/aws/data_source_aws_kms_secrets.go#L50) would be redacted from the terraform log output. Since migrating to terraform 0.13.1, they are shown in plain text.
```
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_kms_secrets.this will be read during apply
  # (config refers to values not yet known)
 <= data "aws_kms_secrets" "this" {
      ~ id        = "2020-09-09 15:25:48.648201625 +0000 UTC" -> "2020-09-09 15:27:13.420112712 +0000 UTC"
        plaintext = {
            "35-local-properties_perf" = <<~EOT
                < SENSITIVE CONTENT HERE >
            EOT
```
1. `terraform init`
2. `terraform apply`

I tried changing the provider version and upgrading from 2.34.0 to 2.57.0 for the AWS provider. I will probably try out the latest version as well soon and post results in the comments.
I didn't see any issue referencing this. My apologies if it's a duplicate.
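The practical risk in this report is that `terraform plan` output, which usually ends up in CI logs, carries the decrypted secret in clear. The following is an added example, not part of this issue or of the AWS provider, of a CI-side guard that scans plan text for attributes that should have been rendered as `(sensitive value)` but were not. The plan excerpts are constructed to mirror the 0.13 text layout shown above (with a dummy secret body), and the attribute list, the regexes and the `(sensitive value)` marker are my assumptions about that renderer; adjust them for your provider set.

```python
import re
import sys
from typing import Dict, List, Tuple

# Attributes the plan renderer is expected to redact, keyed by resource or
# data-source type. Constructed list for this example; extend for your stack.
SENSITIVE_ATTRS: Dict[str, List[str]] = {
    "aws_kms_secrets": ["plaintext"],
    "aws_db_instance": ["password"],
}

REDACTED = "(sensitive value)"  # how the 0.12/0.13 plan renderer shows a sensitive attribute

# Opens a resource/data block, e.g.   <= data "aws_kms_secrets" "this" {
BLOCK_RE = re.compile(
    r'^(?:[+~<=-]+\s*)?(data|resource)\s+"([^"]+)"\s+"([^"]+)"\s*\{$')
# An attribute assignment, e.g.   ~ plaintext = {   or   + password = (sensitive value)
ATTR_RE = re.compile(r'^(?:[+~-]\s*)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)$')
# A heredoc opener on the right-hand side of an assignment, e.g.   <<~EOT
HEREDOC_RE = re.compile(r'^<<[-~]?(\w+)')


def find_unredacted(plan_text: str,
                    sensitive_attrs: Dict[str, List[str]] = SENSITIVE_ATTRS,
                    ) -> List[Tuple[str, str]]:
    """Return (resource address, attribute) pairs rendered in clear text."""
    findings: List[Tuple[str, str]] = []
    rtype = addr = None      # type and address of the block being scanned
    depth = 0                # brace depth inside that block
    heredoc_end = None       # terminator of a heredoc body being skipped

    for raw in plan_text.splitlines():
        line = raw.strip()
        # Heredoc bodies are skipped whole: a secret file's own "key = value"
        # lines must never be mistaken for plan attributes.
        if heredoc_end is not None:
            if line == heredoc_end:
                heredoc_end = None
            continue
        m = BLOCK_RE.match(line)
        if m:
            kind, rtype, name = m.groups()
            addr = f"data.{rtype}.{name}" if kind == "data" else f"{rtype}.{name}"
            depth = 1
            continue
        if rtype is None:        # outside any block (symbol legend, headings)
            continue
        m = ATTR_RE.match(line)
        if m:
            attr, rhs = m.groups()
            if attr in sensitive_attrs.get(rtype, []) and rhs != REDACTED:
                findings.append((addr, attr))
        # Heredocs also follow quoted map keys ("name" = <<~EOT), which ATTR_RE
        # deliberately does not match, so detect them on any assignment.
        rhs = line.split("=", 1)[1].strip() if "=" in line else ""
        h = HEREDOC_RE.match(rhs)
        if h:
            heredoc_end = h.group(1)
            continue
        # Track nesting so lines after the block's closing brace are ignored.
        if line.endswith("{"):
            depth += 1
        elif line.startswith("}"):
            depth -= 1
            if depth == 0:
                rtype = addr = None
    return findings


# Constructed plan excerpts in the 0.13 text layout; the secret body is a dummy.
LEAKING_PLAN = """\
Terraform will perform the following actions:

  # data.aws_kms_secrets.this will be read during apply
 <= data "aws_kms_secrets" "this" {
      ~ id        = "2020-09-09 15:25:48 +0000 UTC" -> (known after apply)
        plaintext = {
            "35-local-properties_uat" = <<~EOT
                db.password = dummy-value-not-a-real-secret
            EOT
        }
    }

  # aws_db_instance.db will be created
  + resource "aws_db_instance" "db" {
      + password = (sensitive value)
      + username = "app"
    }
"""

REDACTED_PLAN = """\
 <= data "aws_kms_secrets" "this" {
      ~ id        = "2020-09-09 15:25:48 +0000 UTC" -> (known after apply)
        plaintext = (sensitive value)
    }
"""

if __name__ == "__main__":
    # Usage in CI: terraform plan -no-color | python plan_guard.py
    leaks = find_unredacted(sys.stdin.read())
    for address, attribute in leaks:
        print(f"unredacted sensitive attribute: {address}.{attribute}", file=sys.stderr)
    sys.exit(1 if leaks else 0)
```

Run it on the plan before the output is stored or uploaded; a non-zero exit stops the pipeline from archiving a log that contains the decrypted payload. The check is only as good as the attribute list, so keep it aligned with the attributes your providers declare `Sensitive`.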
This was reported in core, and I was able to reproduce it. After some debugging, I think the issue is here: https://github.com/terraform-providers/terraform-provider-aws/blob/d7835fba1bcaed6d983830552595b9b57a59eaeb/aws/data_source_aws_kms_secrets.go#L45-L52
The Sensitive attribute in the map's element type does not make it through the plugin protocol. I think the only way to make this value sensitive is to mark the entire attribute as Sensitive:
diff --git a/aws/data_source_aws_kms_secrets.go b/aws/data_source_aws_kms_secrets.go
index ef39b763e..15505b4ff 100644
--- a/aws/data_source_aws_kms_secrets.go
+++ b/aws/data_source_aws_kms_secrets.go
@@ -43,12 +43,10 @@ func dataSourceAwsKmsSecrets() *schema.Resource {
},
},
"plaintext": {
- Type: schema.TypeMap,
- Computed: true,
- Elem: &schema.Schema{
- Type: schema.TypeString,
- Sensitive: true,
- },
+ Type: schema.TypeMap,
+ Computed: true,
+ Sensitive: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
},
},
}
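Review bot: the reason `Sensitive: true` has to sit on the `plaintext` map attribute rather than on its `Elem` (the element-level flag is dropped on the way through the plugin protocol, as the comment above notes) is not recorded in the code; add a short comment above `"plaintext": {` in this hunk so that a later tidy-up does not move the flag back into `Elem` and silently reintroduce the clear-text rendering. The attribute's appearance in plan output changes for every user of this data source, so the change also wants a CHANGELOG entry.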
The above patch fixes the issue for me.
The fix has been merged and will release with v3.7.0 of the Terraform AWS Provider, likely out this Thursday.
This has been released in version 3.7.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!