Fixes for sensitive values used as input to provisioners #26630

Merged: 3 commits merged on Oct 19, 2020

alisdair
Contributor

Backport of #26611 to 0.14 branch.

If provisioner configuration or connection info includes sensitive
values, we need to unmark them before calling the provisioner. Failing
to do so causes serialization to error.

Unlike resources, we do not need to capture marked paths here, so we
just discard the marks.

If the provisioner configuration includes sensitive values, it's a
reasonable assumption that we should suppress its log output. Obvious
examples where this makes sense include echoing a secret to a file using
local-exec or remote-exec.

This commit adds tests for both logging output from provisioners with
non-sensitive configuration, and suppressing logs for provisioners with
sensitive values in configuration.

Note that we do not suppress logs if connection info contains sensitive
information, as provisioners should not be logging connection
information under any circumstances.
@alisdair alisdair requested a review from a team October 19, 2020 17:46
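
A simplified Go model of the behaviour these commit messages describe, added here as an illustration and not taken from the Terraform source. `Value`, `UnmarkDeep`, `RunProvisioner` and the suppression notice text are hypothetical stand-ins for Terraform's marked values, and all sample values are constructed.

```go
package main

import "fmt"

// Value is a simplified, hypothetical stand-in for a marked config value.
type Value struct {
	Str       string
	Attrs     map[string]Value
	Sensitive bool
}

// UnmarkDeep returns a copy with every sensitive mark removed and reports
// whether a mark was found anywhere in the tree. Marked paths are not kept.
func UnmarkDeep(v Value) (Value, bool) {
	out, found := Value{Str: v.Str}, v.Sensitive
	if v.Attrs != nil {
		out.Attrs = make(map[string]Value, len(v.Attrs))
	}
	for k, child := range v.Attrs {
		plain, marked := UnmarkDeep(child)
		out.Attrs[k] = plain
		found = found || marked
	}
	return out, found
}

// Provisioner receives unmarked values and a sink for its output lines.
type Provisioner func(config, conn Value, output func(string))

// RunProvisioner unmarks config and connection info before the call and
// drops provisioner output only when the config held a sensitive value.
func RunProvisioner(p Provisioner, config, conn Value) []string {
	plainConfig, configSensitive := UnmarkDeep(config)
	plainConn, _ := UnmarkDeep(conn) // marks discarded; never affects logging
	var logs []string
	sink := func(line string) { logs = append(logs, line) }
	if configSensitive {
		logs = append(logs, "(output suppressed)") // placeholder notice text
		sink = func(string) {}
	}
	p(plainConfig, plainConn, sink)
	return logs
}

func main() {
	echo := func(cfg, _ Value, out func(string)) { out("Executing: " + cfg.Attrs["command"].Str) }
	conn := Value{Attrs: map[string]Value{"password": {Str: "constructed-pw", Sensitive: true}}}
	cmd := Value{Attrs: map[string]Value{"command": {Str: "echo constructed-secret", Sensitive: true}}}
	fmt.Println(RunProvisioner(echo, cmd, conn)) // only the suppression notice is logged
}
```
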

codecov bot commented Oct 19, 2020

Codecov Report

Merging #26630 into v0.14 will increase coverage by 0.00%.
The diff coverage is 100.00%.

| Impacted Files | Coverage Δ |
| --- | --- |
| terraform/eval_apply.go | 74.01% <100.00%> (+1.79%) ⬆️ |
| terraform/eval_diff.go | 67.52% <0.00%> (-0.94%) ⬇️ |
| terraform/node_resource_apply_instance.go | 75.00% <0.00%> (-0.80%) ⬇️ |
| backend/remote/backend_common.go | 52.70% <0.00%> (+0.72%) ⬆️ |
| dag/marshal.go | 54.79% <0.00%> (+1.36%) ⬆️ |
| terraform/ui_output_callback.go | 100.00% <0.00%> (+100.00%) ⬆️ |

@alisdair alisdair merged commit a184156 into v0.14 Oct 19, 2020
@alisdair alisdair deleted the alisdair/sensitive-values-provisioners-014 branch October 19, 2020 19:49

ghost commented Nov 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked as resolved and limited conversation to collaborators Nov 19, 2020