Sensitive outputs logged in runner #239

caspervk · 2022-05-24T16:35:06Z

I have defined the following terraform output:

output "client_secret" {
  value = keycloak_openid_client.client.client_secret
  sensitive = true
}

and Terraform resource:

apiVersion: infra.contrib.fluxcd.io/v1alpha1
kind: Terraform
metadata:
  name: my-terraform
spec:
  ...
  writeOutputsToSecret:
    name: my-secret
    outputs:
      - client_secret

The tf-runner logs:

2022-05-24T16:25:39.798905345Z Apply complete! Resources: 2 added, 0 changed, 0 destroyed.                                                                                                                                                  
2022-05-24T16:25:39.798907631Z                                                                                                                                                                                                              
2022-05-24T16:25:39.798909751Z Outputs:                                                                                                                                                                                                     
2022-05-24T16:25:39.798911665Z                                                                                                                                                                                                              
2022-05-24T16:25:39.798913849Z client_secret = <sensitive>                                                                                                                                                                                  
2022-05-24T16:25:39.806019983Z {"level":"info","ts":"2022-05-24T16:25:39.805Z","logger":"runner.terraform","msg":"error from SIGINT: no such process"}                                                                                      
2022-05-24T16:25:39.812253752Z {"level":"info","ts":"2022-05-24T16:25:39.812Z","logger":"runner.terraform","msg":"creating outputs"}                                                                                                        
2022-05-24T16:25:39.812283207Z {"level":"info","ts":"2022-05-24T16:25:39.812Z","logger":"runner.terraform","msg":"[INFO] running Terraform command: /usr/local/bin/terraform output -no-color -json"}                                       
2022-05-24T16:25:39.925853638Z {                                                                                                                                                                                                            
2022-05-24T16:25:39.925873087Z   "client_secret": {                                                                                                                                                                                         
2022-05-24T16:25:39.925874988Z     "sensitive": true,                                                                                                                                                                                       
2022-05-24T16:25:39.925876380Z     "type": "string",                                                                                                                                                                                        
2022-05-24T16:25:39.925877826Z     "value": "hunter2"                                                                                                                                                                                       
2022-05-24T16:25:39.925879211Z   }                                                                                                                                                                                                          
2022-05-24T16:25:39.925880510Z }                                                                                                                                                                                                            
2022-05-24T16:25:39.927366018Z {"level":"info","ts":"2022-05-24T16:25:39.927Z","logger":"runner.terraform","msg":"error from SIGINT: no such process"}                                                                                      
2022-05-24T16:25:39.927705665Z {"level":"info","ts":"2022-05-24T16:25:39.927Z","logger":"runner.terraform","msg":"write outputs to secret"}

The text was updated successfully, but these errors were encountered:

chanwit · 2022-05-24T17:50:53Z

Thank you @caspervk
Very good catch.

caspervk · 2022-05-26T10:56:48Z

WOW! Thanks for the very quick fix! Sorry for not getting back to you and testing the PR. Thanks a lot!

chanwit · 2022-05-26T11:31:02Z

You're welcome @caspervk. Please let me know if the problem still persists.

greenu · 2023-06-06T12:39:51Z

We still observing this issue in v0.14.3. Possibly the same as in #637 but with outputs in this case.

It goes there:
https://github.com/weaveworks/tf-controller/blob/0a8ca9f03e3fca095c5a16c0c38265c64e77112a/runner/server_outputs.go#L25

chanwit · 2023-06-06T12:42:39Z

Thank you. I'll prioritize the fix!

chanwit added kind/bug Something isn't working area/security labels May 24, 2022

chanwit mentioned this issue May 24, 2022

fix sensitive logging in runner #240

Merged

chanwit closed this as completed in #240 May 25, 2022

Smana mentioned this issue Jun 27, 2023

Sensitive values are displayed in plain text from generated.auto.tfvars.json #712

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sensitive outputs logged in runner #239

Sensitive outputs logged in runner #239

caspervk commented May 24, 2022

chanwit commented May 24, 2022

caspervk commented May 26, 2022

chanwit commented May 26, 2022

greenu commented Jun 6, 2023

chanwit commented Jun 6, 2023

Sensitive outputs logged in runner #239

Sensitive outputs logged in runner #239

Comments

caspervk commented May 24, 2022

chanwit commented May 24, 2022

caspervk commented May 26, 2022

chanwit commented May 26, 2022

greenu commented Jun 6, 2023

chanwit commented Jun 6, 2023