Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Error: Output refers to sensitive values" when applying fleet configuration #1018

Closed
JulianCBC opened this issue Oct 27, 2023 · 1 comment · Fixed by #1019
Closed

"Error: Output refers to sensitive values" when applying fleet configuration #1018

JulianCBC opened this issue Oct 27, 2023 · 1 comment · Fixed by #1019
Labels
bug 🐛 Something isn't working

Comments

@JulianCBC
Copy link
Contributor

Describe the bug

When applying a spot-fleet configuration, the apply fails with this error:

Error: Output refers to sensitive values

  on outputs.tf line 56:
  56: output "runner_user_data" {

To reduce the risk of accidentally exporting sensitive data that was
intended to be only internal, Terraform requires that any root module
output containing sensitive data be explicitly marked as sensitive, to
confirm your intent.

If you do intend to export this data, annotate the output value as
sensitive by adding the following argument:
    sensitive = true

This is because that output is exporting local.template_user_data which is templated using local.template_gitlab_runner which is templated using tls_private_key.fleet[0].private_key_pem which is flagged as sensitive according to the documentation. https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key#private_key_pem

To Reproduce

This is reproducible using any fleet configuration. Relevant parts of my configuration:

  environment = "test-runners"

  vpc_id    = var.vpc_id
  subnet_id = var.public_subnets[2]

  runner_gitlab_registration_config = {
    registration_token = var.runners_token
    description        = "Test Runners"
    locked_to_project  = "true"
    run_untagged       = "true"
    maximum_timeout    = "3600"
  }

  runner_instance = {
    name       = "Test Runners"
    ssm_access = true
  }

  runner_gitlab = {
    url = "https://gitlab.com"
  }

  runner_worker_docker_machine_instance = {
    private_address_only = false
    idle_count           = 0
    root_size            = 16
    subnet_ids           = var.public_subnets
    types = [
      "m6i.large", "m6a.large", "m5zn.large", "m5a.large", "m5.large",
    ]
  }

  runner_worker_docker_machine_fleet = {
    enable = true
  }

Expected behavior

Apply proceeds without errors.
@JulianCBC
Copy link
Contributor Author

As far as I can tell, the underlying issue here - private key being sensitive - is the cause of basically all the various issues around sensitive output values since the fleet support was introduced.

  1. Whoever developed that code didn't (fully) test it using non-fleet configurations, so they didn't discover that the nonsensitive() call was incorrect
  2. When that issue was fixed: runner_user_data can not output nonsensitive value  #828 -> revert: removes the nonsensitive from runner_user_data output #832, the issue with the fleet configuration wasn't discovered

So now we end up here with the fleet configuration broken.

The "simple" fix is to throw a nonsensitive() around the tls_private_key.fleet[0].private_key_pem in the inner template, but another fix would be to make the output conditional based on whether fleet is enabled (i.e. fleet ? nonsensitive(value) : value) or just removing the output entirely.

@JulianCBC JulianCBC mentioned this issue Oct 27, 2023
Merged
ryancausey added a commit to ryancausey/terraform-aws-gitlab-runner that referenced this issue Nov 8, 2023
@ryancausey
fix: remove nonsensitive call from runner_user_data output variable
16325a8 
This also sets the variable to be sensitive, as there are scenarios
where the output becomes sensitive. See cattle-ops#1018.
@ryancausey ryancausey mentioned this issue Nov 8, 2023
Merged
@kayman-mk kayman-mk mentioned this issue Nov 9, 2023
Closed
@kayman-mk kayman-mk added the bug 🐛 Something isn't working label Nov 9, 2023
kayman-mk pushed a commit that referenced this issue Nov 10, 2023
@JulianCBC
fix: delete the 'runner_config_toml_rendereded' output variable (#1019)
3f7eaea 
## Description

Due to calls to `nonsensitive` in case the data is sensitive or not
calling the function in the other case, the code gets very complex. The
output variable `runner_config_toml_rendereded` was introduced for
easier debugging, but we still have the option to write the whole Runner
configuration to a local file (`debug.write_runner_config_to_file`).

This "fixers" that issue by just deleting the output variable.

Closes #1018

## Migrations required

Usually not. For debugging purposes, set the
`debug.write_runner_config_to_file` to `true`. The configuration is
written to a file on your local disk (directory `debug/`)

## Verification

Only linted as this is only deleting an output variable.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug 🐛 Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@kayman-mk @JulianCBC