[0.13.1] Terraform displaying sensitive values in the logs #15157

Closed
ghost opened this issue Sep 15, 2020 · 5 comments · Fixed by #15169
Labels
bug Addresses a defect in current functionality. service/kms Issues and PRs that pertain to the kms service. upstream-terraform Addresses functionality related to the Terraform core binary.
Milestone

Comments

@ghost

ghost commented Sep 15, 2020

This issue was originally opened by @zopanix as hashicorp/terraform#26185. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.13.1

Terraform Configuration Files

data "aws_kms_secrets" "this" {
  secret {
    name    = "35-local-properties_uat"
    payload = file("./templates/uat/hybris/35-local.properties")
  }
}

Debug Output

N/A

Crash Output

N/A

Expected Behavior

Terraform does not display the plaintext field of those data sources in the plan.

Actual Behavior

In Terraform 0.12.x, the behavior was that the plain text values of the data sources (which are marked as sensitive in the provider code: https://github.com/terraform-providers/terraform-provider-aws/blob/bc480ffb51e2056dd2eaec0dc45af172adc50065/aws/data_source_aws_kms_secrets.go#L50) would be redacted from the Terraform log output. Since migrating to Terraform 0.13.1, they are shown in plain text.

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_kms_secrets.this will be read during apply
  # (config refers to values not yet known)
 <= data "aws_kms_secrets" "this"  {
      ~ id        = "2020-09-09 15:25:48.648201625 +0000 UTC" -> "2020-09-09 15:27:13.420112712 +0000 UTC"
        plaintext = {
            "35-local-properties_perf" = <<~EOT
< SENSITIVE CONTENT HERE >
            EOT

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

  1. terraform init
  2. terraform apply

Additional Context

I tried changing the provider version and upgrading from 2.34.0 to 2.57.0 for the AWS provider. I will probably try out the latest version as well soon and post the results in the comments.

References

I didn't see any issue referencing this. My apologies if it's a duplicate.

@ghost ghost added the service/kms Issues and PRs that pertain to the kms service. label Sep 15, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 15, 2020
@alisdair

This was reported in core, and I was able to reproduce it. After some debugging, I think the issue is here: https://github.com/terraform-providers/terraform-provider-aws/blob/d7835fba1bcaed6d983830552595b9b57a59eaeb/aws/data_source_aws_kms_secrets.go#L45-L52

The Sensitive attribute in the map's element type does not make it through the plugin protocol. I think the only way to make this value sensitive is to mark the entire attribute as Sensitive:

diff --git a/aws/data_source_aws_kms_secrets.go b/aws/data_source_aws_kms_secrets.go
index ef39b763e..15505b4ff 100644
--- a/aws/data_source_aws_kms_secrets.go
+++ b/aws/data_source_aws_kms_secrets.go
@@ -43,12 +43,10 @@ func dataSourceAwsKmsSecrets() *schema.Resource {
                                },
                        },
                        "plaintext": {
-                               Type:     schema.TypeMap,
-                               Computed: true,
-                               Elem: &schema.Schema{
-                                       Type:      schema.TypeString,
-                                       Sensitive: true,
-                               },
+                               Type:      schema.TypeMap,
+                               Computed:  true,
+                               Sensitive: true,
+                               Elem:      &schema.Schema{Type: schema.TypeString},
                        },
                },
        }
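Review bot: moving `Sensitive: true` from the `Elem` schema up to the `plaintext` map attribute is the right lever, given the element-level flag is lost across the plugin protocol as noted above, but the hunk leaves no trace of why it lives there; a one-line comment above `"plaintext"` saying that per-element `Sensitive` does not survive the protocol would stop a later cleanup from moving it back into `Elem`. Since both shapes compile and pass schema validation, an acceptance test asserting that `plaintext` is redacted in plan output is the only thing that would catch that regression.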

The above patch fixes the issue for me.
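The same mistake (a collection attribute whose element schema is `Sensitive` while the attribute itself is not) can be hunted across a whole provider rather than found one plan at a time. The following added example, not code from the provider or this thread, walks a schema and reports such attributes; `Schema` and `Resource` are assumed stand-ins mirroring the shape of the SDK types so it runs without the SDK, and `KmsSecretsSchema` models the before and after of the diff above.

```go
package main

import "sort"

// Schema and Resource are a minimal stand-in for terraform-plugin-sdk's
// schema.Schema / schema.Resource (an assumption, so this runs without the SDK).
type Schema struct {
	Type      string      // "string", "map", "list", "set"
	Sensitive bool
	Elem      interface{} // *Schema for primitive elements, *Resource for nested blocks
}
type Resource struct{ Schema map[string]*Schema }

// FindLeakyCollections returns paths of collection attributes whose element
// schema is Sensitive while the attribute itself is not: the pre-fix shape of
// "plaintext", where element-level Sensitive is lost over the plugin protocol.
func FindLeakyCollections(r *Resource) []string {
	out := []string{}
	walk(r, "", &out)
	sort.Strings(out)
	return out
}

func walk(r *Resource, prefix string, out *[]string) {
	for name, s := range r.Schema {
		if s.Sensitive {
			continue // whole attribute is redacted, nothing to flag below it
		}
		switch elem := s.Elem.(type) {
		case *Schema:
			if elem.Sensitive {
				*out = append(*out, prefix+name)
			}
		case *Resource:
			walk(elem, prefix+name+".", out)
		}
	}
}

// KmsSecretsSchema models aws_kms_secrets as in the diff above:
// fixed=false is the pre-fix schema, fixed=true the merged one.
func KmsSecretsSchema(fixed bool) *Resource {
	secret := &Resource{Schema: map[string]*Schema{"name": {Type: "string"}, "payload": {Type: "string"}}}
	return &Resource{Schema: map[string]*Schema{
		"secret":    {Type: "set", Elem: secret},
		"plaintext": {Type: "map", Sensitive: fixed, Elem: &Schema{Type: "string", Sensitive: !fixed}},
	}}
}
```

Running `FindLeakyCollections` over every data source and resource in a provider's schema map gives a list of attributes that will print in clear on 0.13 even though the author intended them to be redacted.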

@ewbankkit
Contributor

@anGie44 anGie44 added bug Addresses a defect in current functionality. upstream-terraform Addresses functionality related to the Terraform core binary. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 15, 2020
@anGie44 anGie44 added this to the v3.7.0 milestone Sep 16, 2020
@anGie44
Contributor

anGie44 commented Sep 16, 2020

The fix has been merged and will release with v3.7.0 of the Terraform AWS Provider, likely out this Thursday.

@ghost
Author

ghost commented Sep 17, 2020

This has been released in version 3.7.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Author

ghost commented Oct 16, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 16, 2020