sensitive tfe_variable values are wiped upon description change #839
Comments
Thank you for submitting this issue! We'll take a look and get back to you about this.
I investigated this, and reproduced the problem pretty quickly. Unfortunately, this is one of a family of related bugs where the terraform-plugin-sdk/v2 offers no way to distinguish between "absent" and "zero," and bad things consequently happen. Given that we've hit a few of these by now, we've decided to do a spike on adopting the new terraform-plugin-framework, in the hope that its improved capabilities for telling apart different kinds of nothing will actually allow us to solve problems like this. Stay tuned!
I had the same issue but triggered differently, via import. Not a big issue for me if this does not get fixed rapidly.
This commit adds a complete re-implementation of tfe_variable. It keeps most existing behavior, but fixes a notable bug (#839) where we were unable to respect `ignore_changes` for sensitive variable values. This was impossible to address in the v2 SDK, but is incredibly straightforward with the new framework.

Although the effort required for this rewrite wouldn't necessarily be justified for a single bug fix, it:
- Helps validate our hypothesis that the framework can indeed address the recurring scourge of "bugs not fixable due to inability to distinguish zero from absent".
- Gets the framework muxed in and ready to rock and roll, so we can immediately start implementing new resource types in it.
- Establishes some initial patterns, practices, and examples for using the new framework within this particular provider.

Anyway, here are some interesting sidenotes about this rewrite:
- The migration docs for the new framework were invaluable: https://developer.hashicorp.com/terraform/plugin/framework/migrating
- Likewise the working code for the "HashiCups" teaching provider: https://github.com/hashicorp/terraform-provider-hashicups-pf
- Note that I omitted some logic in most of the existing CRUD methods that fetched the workspace prior to trying to manage the variable. This logic dated from the time when the workspace_id argument used the `org/ws_name` format instead of an external ID; it's no longer necessary now that we have a usable ID right off the bat.
- Attributes that have a `Default` must also be `Computed`, apparently. I guess I can see it.
- Most of the go-tfe struct types (update options, etc.) are only constructed by one CRUD method, but most of the methods need to convert a go-tfe value to a model that we can use to update the state; thus, that's the logic I pulled out into helper funcs. Conveniently, that's also the point where we need to take some extra care to make sure we're preserving our last-known information about the value of a sensitive variable, so we're able to keep that logic centralized too.
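The "preserve the last-known sensitive value" conversion helper that the commit message describes, shown as an added illustration that is not the provider's own code: the two struct types are hypothetical stand-ins for the go-tfe variable struct and the resource model, and the sample values are constructed.

```go
package main

import "fmt"

// Hypothetical stand-in for the go-tfe variable struct. The API never
// returns the value of a sensitive variable, so Value comes back empty.
type APIVariable struct {
	Key, Value, Description string
	Sensitive               bool
}

// Hypothetical stand-in for the resource model written to Terraform state.
type VariableModel struct {
	Key, Value, Description string
	Sensitive               bool
}

// naiveModelFromAPI reproduces the v2 SDK failure mode from the issue: an
// empty API value is indistinguishable from "absent", so a refresh
// overwrites the value held in state with "".
func naiveModelFromAPI(v APIVariable) VariableModel {
	return VariableModel{Key: v.Key, Value: v.Value, Description: v.Description, Sensitive: v.Sensitive}
}

// modelFromAPI is the centralised conversion the commit message describes:
// for a sensitive variable, keep the last-known value from prior state
// rather than the empty string the API returns. Non-sensitive variables
// still take the API value, which is authoritative for them.
func modelFromAPI(v APIVariable, prior *VariableModel) VariableModel {
	m := naiveModelFromAPI(v)
	if v.Sensitive && prior != nil {
		m.Value = prior.Value
	}
	return m
}

// updateValue is the value field a description-only change sends back to
// the API: whatever the refreshed state holds.
func updateValue(m VariableModel) string { return m.Value }

func main() {
	// Constructed scenario: secret set out-of-band, then a description edit.
	prior := VariableModel{Key: "AWS_SECRET_ACCESS_KEY", Value: "constructed-secret", Sensitive: true}
	api := APIVariable{Key: "AWS_SECRET_ACCESS_KEY", Value: "", Description: "rotated quarterly", Sensitive: true}
	fmt.Printf("naive update sends value %q (wiped)\n", updateValue(naiveModelFromAPI(api)))
	fmt.Printf("fixed update sends value %q (preserved)\n", updateValue(modelFromAPI(api, &prior)))
}
```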
Fix for this is in, and slated for what'll probably be v0.45.0.
Terraform Cloud/Enterprise version
Terraform Enterprise v202209-2

Terraform version

Terraform Configuration Files
Parent Workspace

Child Workspace

Debug Output

Expected Behavior
Parent
- Apply workspace as coded above (should succeed)
  a. Populate the values for `AWS_ACCESS_KEY_ID` & `AWS_SECRET_KEY` in the TFE UI
Child
- Apply workspace as coded above (should succeed)
Parent
- Remove the comment for `tfe_variable.aws_secret_access_key` to add the `description`. Run `terraform apply` & confirm (should succeed)
Child
- Modify the `aws_s3_bucket.b` resource's `bucket` attribute with an extra character. Run `terraform plan`.

The plan run in step 5 should present the `bucket` change.

Actual Behavior
The parent run adding the `description` attribute on the `tfe_variable.aws_secret_access_key` resource only shows the description change, given the `ignore_changes` includes the `value` attribute. However, the child workspace fails due to a provider authentication error below. The change to the `description` on the environment variable `AWS_SECRET_ACCESS_KEY` has inadvertently and silently wiped the value that was previously added manually.

Additional Context
- `sensitive` variables, as non-sensitive variables seem unchanged in this scenario.
- `env` and `terraform` variable types are affected.
- `description` change via the TFE UI or API. Only through the `tfe` provider.