Terraform: local-exec provisioner: suppress sensitive output

Created on 13 Mar 2018  ·  20 Comments  ·  Source: hashicorp/terraform

I use the local-exec provisioner with a sensitive variable, e.g. "client_key"

  provisioner "local-exec" {
    command = "echo '${var.client_key}' > ${path.module}/client_key"
  }

The terraform apply command would output the command and the result of the command to stdin.

I propose to add a sensitive argument:

  provisioner "local-exec" {
    command = "echo '${var.client_key}' > ${path.module}/client_key"
    sensitive = true
  }
Labels: enhancement, provisioner/local-exec

All 20 comments

For remote-exec too, please.

+1

In the meantime, perhaps passing the sensitive key via environment is a reasonable workaround? Should also sidestep any issues with shell escaping of any metacharacters that might be present in the value.

@apparentlymart environment can help to some extent, but local-exec also puts the bash output into logs, which will contain the sensitive info.

Yes, please, this would be really appreciated. I'm trying as well to generate an ssh keypair within terraform, and populate a file with the local_file resource. I just need the public key to be printed to stdout, yet both of them get printed.

  resource "tls_private_key" "ssh" {
    algorithm = "RSA"
    rsa_bits  = 4096
  }

  resource "local_file" "private_key" {
    count    = "${var.public_ssh_key == "" ? 1 : 0}"
    content  = "${tls_private_key.ssh.private_key_pem}"
    filename = "./keys/id_rsa"
  }

  resource "local_file" "public_key" {
    count    = "${var.public_ssh_key == "" ? 1 : 0}"
    content  = "${tls_private_key.ssh.public_key_openssh}"
    filename = "./keys/id_rsa.pub"
  }

  output "public_ssh_key" {
    # Only output a generated ssh public key
    value = "${var.public_ssh_key != "" ? "" : tls_private_key.ssh.public_key_openssh}"
  }

Having a sensitive = true field would help

Any progress on this issue?

any progress??

+1


Adding +1 comments doesn't achieve anything here because we can't report on them; instead, it just creates notification noise for everyone else who is following the issue. Instead, please add :+1: reactions to the original comment (not to _this_ comment), which we can and do report on as one input for prioritization.

Having a sensitive = true field would help

Another vote here!

+1

+1

PUSH! +1

+1

+1

  variable "super_secret" {
    type        = string
    description = "Use env: TF_VAR_super_secret"
  }

  resource "null_resource" "super_secret" {
    triggers = {
      hash_super_secret = sha256(var.super_secret)
    }

    provisioner "local-exec" {
      command = "echo $SUPER_SECRET >> /tmp/super_secret.txt"
      environment = {
        SUPER_SECRET = var.super_secret
      }
    }

    provisioner "local-exec" {
      when    = destroy
      command = "rm -f /tmp/super_secret.txt"
    }
  }

@apparentlymart idea 😄
@mayeco 👀

This issue should be addressed as part of the work on sensitive variables and values in Terraform 0.14. When a provider configuration includes a sensitive value (from a sensitive variable, output, or resource attribute), Terraform will suppress logging from the provisioner.

See this screenshot from the #26611 PR, based on the example from @tmaier's original report:

[Screenshot: suppressed provisioner output due to sensitive variable]

Because the client_key variable is marked sensitive, the derived command is also sensitive, and therefore the normal local-exec logging is suppressed.

If you're interested in this issue, please give this feature a try when you can. It's available in the 0.14.0-beta2 release, out now. We're interested in hearing your feedback!
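The two mitigations the thread converges on, the `environment` workaround from @apparentlymart's comment and the Terraform 0.14 `sensitive` variable from the maintainer's update, combined in one added configuration example (not from the issue or the Terraform project). The variable name, file path and `umask` handling are assumptions; the original pattern from the report is kept in a comment for contrast.

```hcl
# Original pattern from the report (kept only for contrast): the secret is
# interpolated into the command string, so `terraform apply` prints it in the
# provisioner log line, and it is exposed to shell quoting problems.
#
#   provisioner "local-exec" {
#     command = "echo '${var.client_key}' > ${path.module}/client_key"
#   }

# Terraform 0.14+: anything derived from a sensitive variable (including a
# command string) is also sensitive, so local-exec logging for it is suppressed.
variable "client_key" {
  type        = string
  description = "Set via TF_VAR_client_key rather than a .tfvars file"
  sensitive   = true
}

resource "null_resource" "client_key_file" {
  triggers = {
    # Re-run when the secret changes without storing the plaintext as a trigger;
    # the path is a trigger so the destroy provisioner can read it via `self`.
    client_key_sha256 = sha256(var.client_key)
    key_path          = "${path.module}/client_key"
  }

  provisioner "local-exec" {
    # The shell reads the secret from the environment, so the command string
    # itself contains no secret (nothing to leak if it is logged) and no quoting
    # of the value is needed. umask 077 makes the new file owner-readable only.
    command = "umask 077 && printf '%s' \"$CLIENT_KEY\" > \"$KEY_PATH\""
    environment = {
      CLIENT_KEY = var.client_key
      KEY_PATH   = self.triggers.key_path
    }
  }

  provisioner "local-exec" {
    # Destroy-time provisioners may only reference `self`, hence the trigger.
    when    = destroy
    command = "rm -f \"${self.triggers.key_path}\""
  }
}
```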

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
