-
Notifications
You must be signed in to change notification settings - Fork 9.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
terraform_data support sensitive value flag #32789
Comments
@jbardin I noticed the PR for the terraform_data object and attempted a few tests with it and ran into this issue. |
Hi @Xboarder56! Thanks for sharing this feature request. So we can understand the motivation for your request, it would help if you could share an example Regarding the current behavior of terraform/internal/builtin/providers/terraform/resource_data.go Lines 119 to 121 in 2a1d98b
Therefore I'd suggest that we start by understanding why that isn't working. I don't think we should really need a separate argument for sensitive here because this provider should be able to just preserve the sensitivity of the input, and therefore the "sensitivity flag" would be to just assign a sensitive value to |
@apparentlymart sure thing. When terraform_data runs it gets the input value and the plan shows input as sensitive value but on the output it displays the entire value. I included a partial screenshot of the plan. The reason for the terraform_data object is so I can track changes on it and then trigger a lifecycle replace when the value changes.
|
Hi @Xboarder56, What you see here is the intended behavior, because that is how all providers and resources work. A provider does not see any of the sensitive marks from core, and the returned value can only have the sensitive marks present in that resource's schema. Since the schema must be static and loaded before any planning operations can proceed, there is no way to change the resulting value within the current protocol. Being part of the internal terraform provider, Having That leaves us with no good solution currently, but this is definitely something we need to look into in the future. Thanks! |
I should also add that in most cases if you're only using |
@jbardin does I was thinking as an alternative I could put the Thanks again for both of your support on the issue with it being a release candidate feature. |
@Xboarder56, Can you explain what you are trying to do where you need the Running the output through a module output defeats the purpose of using |
@jbardin The goal is to have a |
Relying on the fact that the However, it's evident from the observed behavior that just passing through sensitive values through this resource type doesn't work today, so I assume that either something changed in the meantime, or perhaps Terraform is treating managed resource types differently than data resource types since our previous experiment with this only tried it with a data resource type. I think it would still be worth understanding what exactly is preventing this from working today, even if we decide that we want to retain that behavior for consistency with the external providers that use the wire protocol. Do you already have a sense of that @jbardin, or would figuring that out require some more research? |
@apparentlymart, all config and state values are unmarked prior to calling any provider method because the protocol cannot serialized marks. Perhaps stripping and re-applying marks could be pushed out into the grpc wrappers (not sure if that was ever considered in the initial implementation), but there is a lot of special handling of marks in core which need to be accounted for, like conditionally calling methods if only marks have changes or if values changed but marks haven't, etc. That does at least sound possible though, and once the internal interface technically accepts marks making the exception within the provider's own code would be possible. |
Thanks! I suppose we must've at one point had a little hole in that which was letting sensitive values come back from data resources, since that was specifically what we were doing with |
@Xboarder56 what I was describing would look more like below. There is no reason to actually pass the value through input/output here, you are only concerned with triggering replacement based on a change in the config value.
|
@jbardin just confirmed your solution works perfect. Would you like me to close this out because as mentioned terraform_data is working as expected in regards to secrets being visible in the outputs? |
Thanks @Xboarder56, I think we can leave this here for now, to take a closer look if there is any possibility of adding this type of value handling to the resource. |
I am interested in this feature as well because I use the terraform_data resource together with a remote-exec provisioner that is triggered on destroy. Terraform tells me that provisioners at destroy-time can only access the object itself. Therefore, I store all connection information, including the SSH private key, in the input of the terraform_data resource. |
I understand there's probably plenty of implementation details and/or design considerations that could make this not worth implementing (like for example the aforementioned fact that the provider protocol wasn't designed to handle dynamically sensitivie values), but in my opinion this is the most intuitive behavior. We already have terraform_data being a special case and with its input/output interface it makes sense intuitively that the output can be marked as sensitive or not, just like a first-class output. That purely from a user's perspective, of course. Since we usually have workarounds or other ways to achieve the same results, it makes a lot of sense to me as a developer that the implementation being non-trivial this should not be implemented and instead maybe just documented with a heads-up note in the docs or something like that, even though the way I see it it's the most intuitive. Just my two cents' worth. |
Note that |
Sorry, I meant it's a special case in concept as a resource/provider, not in implementation. It usually serves the purpose of allowing some tapping into the lifecycle without having to have an actual resource associated underneath, so it's exceptional in that sense, all other resource blocks from other providers will have actual resources underneath of some kind. What I tried to say can be summarized as something along the lines of "I understand if because of implementation details or other design considerations this isn't a good idea and would probably agree if that's the case, but if it's worth anything, for the end-user I believe the sensitive attribute makes sense in the case of the terraform_data resource.". |
An easy, safe, solution could just be that Then, in the case when it really isn't (i.e. there's nothing sensitive in the |
A similar use case here. I'm leveraging a destroy-only provisioner and cannot pass local or other values except self, inputs or replaced_triggers. A bit of an unfortunate event, I cannot think of any workaround at the moment that would make this use case work. |
Let me express another proposal (just out of brainstorming): would it be possible to introduce a new property |
Using terraform 1.8.1 I am getting:
Using the following config:
This happens when the It seems related to the sensitive value flag so I thought I bring this up in this issue. Just upgraded to 1.8.2. Let's see if it still happens. |
Terraform Version
Use Cases
Support sensitive=true for terraform_data objects.
While testing the new terraform_data object I noticed it’s returning sensitive data in the output field but correctly identifying sensitive data in the input value.
I’m currently testing the terraform_data resource to store api credentials in a map to pass into another resource.
Attempted Solutions
No work around for hiding the sensitive output thus far.
Proposal
Support sensitive=true in terraform_data resources.
References
No response
The text was updated successfully, but these errors were encountered: