DXE-3949 Sensitive data disclosed when running terraform plan #556

rensvanleeuwen opened this issue May 29, 2024 · 1 comment

rensvanleeuwen commented May 29, 2024

There does not seem to be a way to prevent secrets from being disclosed in the output of running terraform plan.

Disclaimer: I've worked with Terraform for a day, so I'm probably using some wrong terminology here and there.

I am in the process of capturing my property configuration using Terraform. Many of the properties make use of secrets, such as API keys. These are configured as PMUSER_API_KEY variables in the property.

As a store for the secrets, I'm using AWS Secrets Manager. I made a module in the project that retrieves the secrets and then uses them to supply the value in the akamai_property_rules_builder. The module that retrieves the secrets exposes them as follows:

output "secrets_map" {
  value     = local.secrets_map
  sensitive = true
}

The property rules are defined as follows:

data "akamai_property_rules_builder" "my_property" {
  rules_v2024_02_12 {
    name      = "default"
    is_secure = true
    comments  = "The Default Rule template contains all the necessary and recommended behaviors. Rules are evaluated from top to bottom and the last matching rule wins."
    variable {
      name        = "PMUSER_API_KEY"
      description = ""
      value       = module.secrets.secrets_map["my_secret_value"]
      hidden      = false
      sensitive   = true
    }
  }
  # All the other stuff here ..
}

When I run a terraform plan, it shows the secret in plain text in the console. After reading this and this, it kinda makes sense where this goes wrong.

I see that the notion of sensitive = true is lost, and it then is just a string.

Given that working with secrets for property configuration using Terraform looks like a common practice, I was wondering if I'm using the right way to do what I want. And if not: could this be considered a sensible feature request?

Terraform and Akamai Terraform Provider Versions

❯ terraform -v
Terraform v1.8.4
on darwin_arm64
+ provider registry.terraform.io/akamai/akamai v6.1.0
+ provider registry.terraform.io/hashicorp/aws v5.51.1

Affected Resource(s)

  • Property rules
  • Most likely a lot of other resource types managed by the Akamai provider as well?

Expected Behavior

When running a terraform plan, data marked sensitive = true should not be visible in the output of the plan.

Actual Behavior

Secrets are disclosed in the output.
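
A check for the behaviour reported above, as an added example that is not part of the original issue or of the Akamai provider: it walks the JSON form of a plan (`terraform show -json <planfile>`) and reports string attributes that contain a known secret but carry no mark in `before_sensitive` / `after_sensitive`. The resource address, attribute names and secret value are constructed for the demonstration.

```python
import json

SECRET = "s3cr3t-demo-value"  # constructed value, stands in for the API key

# Constructed sample shaped like `terraform show -json` output. The resource
# type and attribute names are hypothetical, not taken from a real provider.
SAMPLE_PLAN = {"resource_changes": [{
    "address": "example_property.this",
    "change": {
        "after": {
            "name": "my_property",
            # rules JSON built from a data source: the sensitive mark was lost
            "rules": json.dumps({"variables": [
                {"name": "PMUSER_API_KEY", "value": SECRET}]}),
            "token": SECRET,
        },
        "after_sensitive": {"token": True},  # only `token` is still marked
    },
}]}

def walk(value, marks, path=""):
    """Yield (path, string) for every leaf Terraform has NOT marked sensitive."""
    if marks is True:  # whole subtree marked: plan text shows (sensitive value)
        return
    if isinstance(value, dict):
        sub = marks if isinstance(marks, dict) else {}
        for key, item in value.items():
            yield from walk(item, sub.get(key, False), f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        sub = marks if isinstance(marks, list) else []
        for i, item in enumerate(value):
            yield from walk(item, sub[i] if i < len(sub) else False, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def find_unmasked(plan, secrets):
    """Return (address, side, attribute path) where a secret appears unmarked."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        for side in ("before", "after"):
            marks = change.get(f"{side}_sensitive", False)
            for path, leaf in walk(change.get(side), marks):
                if any(s and s in leaf for s in secrets):
                    findings.append((rc["address"], side, path))
    return findings

if __name__ == "__main__":
    for address, side, path in find_unmasked(SAMPLE_PLAN, [SECRET]):
        print(f"unmasked secret in plan: {address} {side}.{path}")
```

The JSON plan carries sensitive values in clear text even when they are marked, so the file itself has to be handled as a secret and kept out of CI logs and artifacts.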


lsadlon commented May 31, 2024

Hi @rensvanleeuwen

Thanks for reporting this issue. We will get back to you after investigation.

BR,
Lukasz

@lsadlon lsadlon changed the title Sensitive data disclosed when running terraform plan DXE-3949 Sensitive data disclosed when running terraform plan May 31, 2024