[0.13.1] Terraform displaying sensitive values in the logs #26185
Comments
I think I found out why, it's because the plan now shows when a data from a datasource changes. That's why it's displaying the sensitive information. So the main question becomes the following: |
Thanks for reporting this! I'm able to reproduce the issue. More detailed reproduction steps for anyone working on this:
The output contains the
|
After looking into this a little further, I now believe it is a bug in the AWS provider. Moving this bug to that repository. Thanks again for the report! The issue is that the |
Upstream issue: hashicorp/terraform-provider-aws#15157 |
Same issue here using something like: (terraform version v0.13.3)
Using this
Any workaround or best practice to store "secrets"? |
@nbari Please upgrade your AWS provider version to incorporate the bug fix. |
hi @alisdair I just tried this: removed updated the version to:
These are the versions I am using now:
Should I do anything else? |
I believe that should be sufficient. I just upgraded to 3.7.0 and the issue is fixed for me:
$ terraform-0.13.3 plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.aws_kms_secrets.example: Refreshing state...
aws_kms_key.a: Refreshing state... [id=4f9c0013-e120-4161-8c6f-3be78328d1df]
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
 <= read (data resources)
Terraform will perform the following actions:
  # data.aws_kms_secrets.example will be read during apply
  # (config refers to values not yet known)
 <= data "aws_kms_secrets" "example" {
      ~ id = "2020-09-21 13:18:38.655549 +0000 UTC" -> "2020-09-21 13:18:40.086338 +0000 UTC"
        plaintext = (sensitive value)
        secret {
            context = {}
            grant_tokens = []
            name = "password"
            payload = <<~EOT
                AQICAHh8v6S5v9NE0eczrkCl/eYGAxvwnhN9TTCm6U97KGT47AEoY72NqYm7epCh4IckEJs5AAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMxYffoUGQjpOafAlQAgEQgCLkZURWEo2Gi1jU68iRhrhDfGQztnfUMYS1JTjWh2CXDUD1
            EOT
        }
    } |
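Added example, not part of the thread or of Terraform or the AWS provider: a small CI guard that reads human-readable plan text and reports any `aws_kms_secrets` data source whose `plaintext` attribute is not rendered as `(sensitive value)`. The function name, both sample plans and the way an unredacted map is rendered are assumptions constructed for illustration.

```python
import re
import sys

REDACTED = "(sensitive value)"  # how the fixed plan above renders the attribute
BLOCK = re.compile(r'^\s*(?:<=|[-+~])?\s*data\s+"aws_kms_secrets"\s+"([^"]+)"\s*\{')
ATTR = re.compile(r'^\s*[-+~]?\s*plaintext\s*=\s*(.*)$')

def unredacted_plaintext(plan_text):
    """Names of aws_kms_secrets data sources whose plaintext is not redacted."""
    leaks, current, depth = [], None, 0
    for line in plan_text.splitlines():
        if current is None:
            m = BLOCK.match(line)
            if m:
                current, depth = m.group(1), 1
            continue
        m = ATTR.match(line)
        # Only the block's own top-level attribute counts, not nested keys.
        if m and depth == 1 and m.group(1).strip() != REDACTED:
            leaks.append(current)
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None
    return leaks

# Constructed sample: shape of the fixed plan in this thread, payload omitted.
FIXED = '''\
  <= data "aws_kms_secrets" "example" {
      ~ id        = "2020-09-21 13:18:38" -> "2020-09-21 13:18:40"
        plaintext = (sensitive value)
        secret {
            context      = {}
            grant_tokens = []
            name         = "password"
        }
    }
'''
# Constructed sample: assumed rendering of an unredacted map, with a dummy value.
LEAKY = FIXED.replace(
    "plaintext = (sensitive value)",
    'plaintext = {\n            "password" = "dummy-not-a-secret"\n        }',
)

if __name__ == "__main__":
    found = unredacted_plaintext(sys.stdin.read())
    for name in found:
        print(f"unredacted plaintext in data.aws_kms_secrets.{name}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Feed it `terraform plan -no-color` output on stdin; it exits non-zero when a block is flagged. Any rendering other than the exact redaction marker is treated as a leak, so false positives err on the safe side.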
hi @alisdair my bad, indeed it is fixed 👍 , I thought the full block was not going to appear |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Terraform Version
Terraform Configuration Files
Debug Output
N/A
Crash Output
N/A
Expected Behavior
Terraform does not display the plaintext field of those data sources in the plan.
Actual Behavior
In terraform 0.12.x behavior was that the plain text values of the datasources (which are marked as sensitive in the provider code https://github.com/terraform-providers/terraform-provider-aws/blob/bc480ffb51e2056dd2eaec0dc45af172adc50065/aws/data_source_aws_kms_secrets.go#L50) would be redacted from the terraform logs outputs. Since migrating to terraform 0.13.1, they are shown in plain text.
Steps to Reproduce
Please list the full steps required to reproduce the issue, for example:
terraform init
terraform apply
Additional Context
I tried changing provider version and upgrading from 2.34.0 to 2.57.0 for the AWS provider. I will probably try out the latest version as well soon and post results in the comments
References
I didn't see any issue referencing this. My apologies if it's a duplicate.