[0.13.1] Terraform displaying sensitive values in the logs

[zopanix]

Terraform Version

Terraform v0.13.1

Terraform Configuration Files

data "aws_kms_secrets" "this" {
  secret {
    name    = "35-local-properties_uat"
    payload = file("./templates/uat/hybris/35-local.properties")
  }
}

Debug Output

N/A

Crash Output

N/A

Expected Behavior

Terraform does not display the plaintext field of those data sources in the plan.

Actual Behavior

In terraform 0.12.x behavior was that the plain text values of the datasources (which are marked as sensitive in the provider code https://github.com/terraform-providers/terraform-provider-aws/blob/bc480ffb51e2056dd2eaec0dc45af172adc50065/aws/data_source_aws_kms_secrets.go#L50) would be redacted from the terraform logs outputs. Since migrating to terraform 0.13.1, they are shown in plain text.

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_kms_secrets.this will be read during apply
  # (config refers to values not yet known)
 <= data "aws_kms_secrets" "this"  {
      ~ id        = "2020-09-09 15:25:48.648201625 +0000 UTC" -> "2020-09-09 15:27:13.420112712 +0000 UTC"
        plaintext = {
            "35-local-properties_perf" = <<~EOT
< SENSITIVE CONTENT HERE >
            EOT

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

1. terraform init
2. terraform apply

Additional Context

I tried changing provider version and upgrading from 2.34.0 to 2.57.0 for the AWS provider. I will probably try out the latest version as well soon and post results in the comments

References

I didn't see any issue referencing this. My apologies if it's a duplicate.

[zopanix]

I think I found out why, it's becasue the plan now shows when a data from a datasource changes. That's why it's displaying the sensitive information.

So the main question becomes the following:
It it normal for a field that has the sensitive structure in it's field to be displayed during the plan logs to show the update that will happen ? Shouldn't terraform put sensitive just like it would on an output that is said to sensitive ?

[alisdair]

Thanks for reporting this! I'm able to reproduce the issue.

More detailed reproduction steps for anyone working on this:

1. Create an aws_kms_key by applying this configuration:

   provider "aws" {
     region = "us-east-1"
   }
   
   resource "aws_kms_key" "a" {
     description             = "issue-26185"
     deletion_window_in_days = 10
   }
   
   output "key_id" {
     value = aws_kms_key.a.id
   }

2. Use the key ID with the aws CLI to generate a secret:

   $ echo foobar > secret.plaintext
   $ aws kms encrypt --key-id $(terraform output key_id) \
     --plaintext fileb://secret.plaintext --output text \
     --query CiphertextBlob > secret.ciphertext

3. Update the Terraform configuration and apply:

   data "aws_kms_secrets" "example" {
     secret {
       name = "password"
       payload = file("./secret.ciphertext")
     }
   }
   
   output "password" {
     value = data.aws_kms_secrets.example.plaintext["password"]
   }

The output contains the plaintext attribute of the data source, which is marked sensitive:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_kms_secrets.example will be read during apply
  # (config refers to values not yet known)
 <= data "aws_kms_secrets" "example"  {
      ~ id        = "2020-09-15 15:47:43.962951 +0000 UTC" -> "2020-09-15 15:47:45.4878 +0000 UTC"
        plaintext = {
            "password" = <<~EOT
                foobar
            EOT
        }

        secret {
            context      = {}
            grant_tokens = []
            name         = "password"
            payload      = <<~EOT
                AQICAHjpX9+f0sxjybhp6s3/eYcQBp1JBfIeo7TCcsE8fsc8ygESfPtH1APgqPPSbYm+wphaAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMrra7zgC0wDleAUjMAgEQgCJCTSZ4/PGWIZ3CZp7zt0n9hyrFRNcYTm2U9qFGWmraTmWJ
            EOT
        }
    }

Plan: 0 to add, 0 to change, 0 to destroy.

[alisdair]

After looking into this a little further, I now believe it is a bug in the AWS provider. Moving this bug to that repository. Thanks again for the report!

The issue is that the plaintext attribute itself is not marked "sensitive", only the elements of the map. This information is lost when the provider schema gets to Terraform; the solution is to mark the entire map as sensitive.

[alisdair]

Upstream issue: hashicorp/terraform-provider-aws#15157

[nbari]

Same issue here using something like: (terraform version v0.13.3)

data "aws_kms_secrets" "vault" {
  secret {
    name    = "token"
    payload = file("./key.yml.enc")
  }
}

locals {
  vault = yamldecode(data.aws_kms_secrets.vault.plaintext["token"])
}

Using this

  required_providers {
    aws = {
      region  = "us-east-1"
      version = "~> 3.5.0"
    }

    random = {
      version = "~> 2.3.0"
    }
  }

Any workaround or best practice to store "secrets"?

[alisdair]

@nbari Please upgrade your AWS provider version to incorporate the bug fix.

[nbari]

hi @alisdair I just tried this:

removed .terraform

updated the version to:

 required_providers {
    aws = {
      region  = "us-east-1"
      version = "~> 3.7.0"
    }

This are the versions I am using now:

$ terraform version
Terraform v0.13.3
+ provider registry.terraform.io/hashicorp/aws v3.7.0
+ provider registry.terraform.io/hashicorp/random v2.3.0

Should I do anything else?

[alisdair]

I believe that should be sufficient. I just upgraded to 3.7.0 and the issue is fixed for me:

$ terraform-0.13.3 plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.aws_kms_secrets.example: Refreshing state...
aws_kms_key.a: Refreshing state... [id=4f9c0013-e120-4161-8c6f-3be78328d1df]

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_kms_secrets.example will be read during apply
  # (config refers to values not yet known)
 <= data "aws_kms_secrets" "example"  {
      ~ id        = "2020-09-21 13:18:38.655549 +0000 UTC" -> "2020-09-21 13:18:40.086338 +0000 UTC"
        plaintext = (sensitive value)

        secret {
            context      = {}
            grant_tokens = []
            name         = "password"
            payload      = <<~EOT
                AQICAHh8v6S5v9NE0eczrkCl/eYGAxvwnhN9TTCm6U97KGT47AEoY72NqYm7epCh4IckEJs5AAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMxYffoUGQjpOafAlQAgEQgCLkZURWEo2Gi1jU68iRhrhDfGQztnfUMYS1JTjWh2CXDUD1
            EOT
        }
    }

[nbari]

hi @alisdair my bad, indeed it is fixed 👍 , I thought the full block was not going to appear

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.