There does not seem to be a way to prevent disclosing secrets from output of running terraform plan.
Disclaimer: I've worked with Terraform for a day, so I'm probably using some wrong terminology here and there.
I am in the process of capturing my property configuration using Terraform. Many of the properties make use of secrets, such as API keys. These are configured as PMUSER_API_KEY variables in the property.
As a store for the secrets, I'm using AWS Secrets Manager. I made a module in the project that retrieves the secrets and then uses it to supply the value in the akamai_property_rules_builder. The module that retrieves the secrets exposes them as follows:
```hcl
output "secrets_map" {
  value     = local.secrets_map
  sensitive = true
}
```
The property rules are defined as follows:
```hcl
data "akamai_property_rules_builder" "my_property" {
  rules_v2024_02_12 {
    name      = "default"
    is_secure = true
    comments  = "The Default Rule template contains all the necessary and recommended behaviors. Rules are evaluated from top to bottom and the last matching rule wins."
    variable {
      name        = "PMUSER_API_KEY"
      description = ""
      value       = module.secrets.secrets_map["my_secret_value"]
      hidden      = false
      sensitive   = true
    }
  }
  # All the other stuff here ..
}
```
When I run a terraform plan, it shows the secret in plain text in the console. After reading this and this, it kinda makes sense where this goes wrong.
I see that the notion of sensitive = true is lost, and it then is just a string.
Given that working with secrets for property configuration using Terraform looks like a common practice, I was wondering if I'm using the right way to do what I want. And if not: could this be considered a sensible feature request?
Thanks for reporting this issue. We will go back to you after investigation.
BR,
Lukasz
lsadlon changed the title from "Sensitive data disclosed when running terraform plan" to "DXE-3949 Sensitive data disclosed when running terraform plan" on May 31, 2024
Terraform and Akamai Terraform Provider Versions
Affected Resource(s)
Expected Behavior
When running a terraform plan, data that is marked sensitive = true should not be visible in the output of the plan.
Actual Behavior
Secrets are disclosed in the output.
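A CI-side check for the leak described in this issue, added here as an example and not code from the reporter or the Akamai provider: it walks a `terraform show -json` plan and reports attributes that contain a known secret but carry no `after_sensitive` mark, which are the values a plain `terraform plan` prints. The sample plan, its resource addresses and attribute names, and the secret value are constructed assumptions.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Addresses, attribute names and the secret value are made up for this example.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "akamai_property.my_property", "change": {
        # Rule tree carried as a JSON string; no sensitivity mark survived.
        "after": {"rules": json.dumps({"variables": [
            {"name": "PMUSER_API_KEY", "value": "s3cr3t-constructed"}]})},
        "after_sensitive": {}}},
    {"address": "example_thing.masked", "change": {
        "after": {"token": "s3cr3t-constructed", "tags": ["a"]},
        "after_sensitive": {"token": True}}},
]})


def _walk(value, mask, path):
    """Yield (path, string) for string leaves that are not marked sensitive."""
    if mask is True:  # whole subtree is rendered as (sensitive value)
        return
    if isinstance(value, dict):
        sub = mask if isinstance(mask, dict) else {}
        for key, item in value.items():
            yield from _walk(item, sub.get(key, False), f"{path}.{key}")
    elif isinstance(value, list):
        sub = mask if isinstance(mask, list) else []
        for i, item in enumerate(value):
            yield from _walk(item, sub[i] if i < len(sub) else False, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def find_unmasked_secrets(plan_json, secrets):
    """Return sorted attribute paths holding a known secret without a sensitive mark."""
    # Match the raw value and its JSON-escaped form (secrets nested in a JSON string).
    needles = {form for s in secrets if s for form in (s, json.dumps(s)[1:-1])}
    hits = set()
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        leaves = _walk(change.get("after"), change.get("after_sensitive", False), rc["address"])
        hits.update(path for path, text in leaves if any(n in text for n in needles))
    return sorted(hits)


if __name__ == "__main__":
    for leak in find_unmasked_secrets(SAMPLE_PLAN, ["s3cr3t-constructed"]):
        print("unmasked secret in plan:", leak)
```

The JSON plan contains sensitive values in plain text, so run the check on the plan file inside the job and log only the reported paths, never the plan itself.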