[BUG] - Sensitive values causing error in Terraform apply #109
Comments
@0xdutra I'm having the same issue. What was the fix?
Same here, @0xdutra did you find a workaround?
@jhole89
@0xdutra @mikedizon I managed to use a workaround via secretsmanager (TF v0.14.3, AWS provider v3.24.0, cloudposse/ecs-container-definition v0.46.1). When previously I had the value stored in the

```hcl
resource "aws_secretsmanager_secret" "foo" {
  name = "sensitive_foo"
}

resource "aws_secretsmanager_secret_version" "foo" {
  secret_id     = aws_secretsmanager_secret.foo.id
  secret_string = "I am the sensitive value - I most likely come from some other terraform resource"
}

module "container_definition" {
  source  = "cloudposse/ecs-container-definition/aws"
  version = "0.46.1"
  # ...
  environment = []
  secrets = [
    {
      name : "MY_ENVAR_KEY",
      valueFrom : aws_secretsmanager_secret.foo.arn
    },
  ]
}

data "aws_iam_policy_document" "allow_secrets_access" { // <-- Attach this to your ecs_execution_role
  statement {
    actions = [
      "secretsmanager:GetSecretValue",
    ]
    resources = [
      aws_secretsmanager_secret.foo.arn,
    ]
  }
}
```

An additional note is that if you use kms to securely store secrets, you'd also need to give

```hcl
data "aws_iam_policy_document" "allow_kms" {
  statement {
    actions = [
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:GenerateDataKey",
    ]
    resources = [
      aws_kms_key.sensitive_foo.arn,
    ]
  }
}
```
Dear all,
I came across this error in terraform 0.14.3. I believe it has something to do with it here.
https://www.terraform.io/upgrade-guides/0-14.html#sensitive-values-in-plan-output