Option to mark data as NOT Sensitive. #65

Open
pem-timemsystem opened this issue Apr 20, 2021 · 5 comments

@pem-timemsystem

I am struggling with adding the username and password of an RDS AWS resource in a sops encrypted file.

I am using the https://registry.terraform.io/modules/terraform-aws-modules/rds/aws/latest RDS module for creating my Postgres DBs.
But because of the way the modules are constructed, they attempt to output the username.
And because the username is marked as sensitive from the decryption module, terraform plan crashes.

❯ terraform plan
╷
│ Error: Output refers to sensitive values
│
│   on .terraform/modules/master/modules/db_instance/outputs.tf line 76:
│   76: output "this_db_instance_username" {
│
│ Expressions used in outputs can only refer to sensitive values if the sensitive attribute is true.

I know this error is not related to your module at first glance.
But the error occurs because you tag each value as sensitive.

If we get a way to have control over that, I would be super grateful.

In my case my sub modules control what is sensitive or not.
So I would prefer them to do the control.

/Peter

@marekaf

marekaf commented Jun 29, 2021

I have a similar issue

        dynamic "env" {
          for_each = var.env_vars

          content {
            name  = env.key
            value = env.value
          }
        }

throws an error with terraform plan

│ Error: Invalid dynamic for_each value
│
│   on ../main.tf line 242, in resource "google_cloud_run_service" "some_app":
│  242:           for_each = var.env_vars
│     ├────────────────
│     │ var.env_vars has a sensitive value
│
│ Cannot use a map of string value in for_each. An iterable collection is required.

The map keys are not sensitive but I cannot iterate over them because the values are marked as sensitive. I don't think there is any workaround for this. Would you mind removing the sensitive flag from the output map? I can submit a PR.

Thanks!

@tobwuen

tobwuen commented Jul 5, 2021

The Terraform function nonsensitive() does exactly what you want: it marks the input as non-sensitive.

        dynamic "env" {
          for_each = nonsensitive(var.env_vars)

          content {
            name  = env.key
            value = env.value
          }
        }

@marekaf

marekaf commented Jul 6, 2021

@tobwuen it works! <3 thanks a lot! I was looking for such a function and couldn't find it.

@tinomen

tinomen commented Aug 24, 2021

The only concern here is that if this is used in a for_each to fill a parameter store, then the values will be saved to your state file as non-sensitive (clear text). If you are saving your state file to a repo, then don't use this method.
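
A narrower variant of the workaround discussed above, as an added example that is not from any participant in this thread or from the provider's own code: only the map keys are unmarked for iteration, and each value is looked up from the original map so it keeps its sensitive marking and stays redacted in plan output. It assumes Terraform 0.15 or later and that the environment variable names themselves are not secret; the service name, region and image are constructed placeholders.

```hcl
# Added example; resource name, region and image are constructed placeholders.
variable "env_vars" {
  type      = map(string)
  sensitive = true # the whole map, keys included, is marked sensitive
}

locals {
  # Unmark only the key names. Assumption: the keys (environment
  # variable names) are not secret, only the values are.
  env_var_names = nonsensitive(toset(keys(var.env_vars)))
}

resource "google_cloud_run_service" "some_app" {
  name     = "some-app"
  location = "europe-west1"

  template {
    spec {
      containers {
        image = "gcr.io/example-project/some-app:latest"

        dynamic "env" {
          # Iterating over a set: env.key and env.value are both the name.
          for_each = local.env_var_names

          content {
            name = env.value
            # Looked up from the original map, so the value keeps its
            # sensitive marking and is redacted in plan output.
            value = var.env_vars[env.value]
          }
        }
      }
    }
  }
}
```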

@irl

irl commented Sep 16, 2021

Being able to add a sensitive = true/false in the provider block would be really helpful here; I'm going to have to add hundreds of nonsensitives() today to work around this.
