-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sensitive properties of nested blocks are shown during a plan in v12.6 #201
Comments
0.12.9 has this problem too. |
I've transferred this to the plugin SDK repository because it appears to be caused by how the SDK is presenting this schema to Terraform Core. Because this schema is marked as Within the provider protocol's schema model as currently defined, the best behavior we could support here is for the SDK to recursively check inside any I believe that currently the nested Alternatively, the SDK could elect to present this construct to Terraform Core as being a block. Using a block to represent something that is fully computed has some implications around how the SDK must represent unknown values (it must be a known list of known objects with unknown values inside) but I assume the SDK must already be handling those edges in order to support If we take that second path, I think we should check whether it causes any of the "but we are tolerating it because the provider is using the legacy SDK"-class warnings in |
Thanks for looking into this @apparentlymart, I personally don't think marking the entire block as sensitive is a great UX from the users POV and would put my weight behind the 2nd option. |
This issue is affecting us deploying app_serivce onto azure because the site_credential.password property is displayed in plain text into terraform plans. This issue is causing us to leak app service deployment credentials into our deployment logs (we use Octopus Deploy) which are not considered safe storage for secrets by our infosec team. I know Octopus Deploy had to publish a CVE when they had similar bug last year. This is an important security issue, please fix ASAP. |
As mentioned above, this is ultimately a limitation of Terraform core's data model. Only certain types of data actually track a The core data model has two fundamental concepts: blocks and attributes. Blocks can hold blocks and other attributes. Attributes are typed. The type of an attribute though can be an "object" or "map" that has additional nested keys. Only attributes track this sensitive flag, blocks and fields on objects do not. The SDK's legacy model does not surface this nuance, nor does it make it easy for the developer to influence the translation to core's model directly. So even though you can set All that being said, |
Linking this to a tracking issue for more directly surfacing Terraform core concepts in the SDK: #321 |
Any progress on this issue? If we for example change any attribute on our Kubernetes cluster (in our case via azurerm) then |
If someone is interested in workaround for this, I've implemented it in flexkube/libflexkube#66. As my Terraform state structure is rather complicated there, for simpler cases, I'm sure it can be simplified, but basically what I've done is, I store all secret values in separated computed field, which has Then in user configuration, I use different method when I'm flattening Go structure into Terraform state compatible struct: https://github.com/flexkube/libflexkube/blob/master/cmd/terraform-provider-flexkube/flexkube/ssh.go#L16. Finally, when calculating the diff, you need to either inject the secrets into user configuration or just always copy user configuration into the "globally" sensitive field. While definitely a workaround, it allows right now to provide user nice UX without compromising the security. It also works in all plan, apply and destroy scenarios. |
Any updates here? This is a big issue since secrets are leaking. |
Per my comment above, this is something that has to happen on Terraform core first, you can track progress on issues like transitive sensitivity on the upstream issues like this one: hashicorp/terraform#16114 |
@paultyng - fair enough, but seeing as this is a fairly severe security issue I think we need a more definite response than "it will be fixed in core at some point". |
The definitive response is treat it all as sensitive. New features may alleviate the concerns, but currently no amount of sensitive flagging will prevent downstream interpolation or variable usage that could expose secrets in your logs. |
I think there should be a high level design on this. Not that the provider or plugin-sdk that decides or provides options for user on certain attributes to be sensitive. But a common way for user to hide any parts on planning/applying/outputs. This is not just about security. But also the long lines of cert/key breaks some stupid CI/CD tools. |
Is there any update on this. Keep seeing lots of threads related. But no fix I could see. Can anyone please share the solution. |
Reference: hashicorp/terraform-plugin-framework#214 Reference: hashicorp/terraform-plugin-sdk#819 Reference: hashicorp/terraform-plugin-sdk#201 As part of investigating some differences between sdk/v2 and framework, the individual sensitivity configuration offered by nested attributes in protocol version 6 is important to call out explicitly.
#76) Reference: hashicorp/terraform-plugin-framework#214 Reference: hashicorp/terraform-plugin-sdk#819 Reference: hashicorp/terraform-plugin-sdk#201 As part of investigating some differences between sdk/v2 and framework, the individual sensitivity configuration offered by nested attributes in protocol version 6 is important to call out explicitly.
I can confirm this issue still exists with Terraform 1.3.4 and hashicorp/azurerm 2.99 |
Has anyone got a good suggestion for working around/with the issue? Do you just accept that the password is exposed in the logs, and therefore protect the logs extra hard? |
If you're using Azure DevOps Pipelines and you make sure the secret is set as a variable (it doesn't matter what it's called) in a variable group used by the pipeline then Azure DevOps will **** out the value in the logs. |
The problem with printing nested sensitive values was (is still?) present also when using data sources hashicorp/terraform-provider-azurerm#4105 (comment). There the sensitive value is not known in advance and won't be redacted by CI providers. |
@austinvalle Sorry you are the last person I have seen from the Hashicorp DevEx team to commit to this repository today. Just want to make sure this issue is not lost and remains visible because it remains an extreme security concern for logs and it has been over 3 years. Are there any updates from a team at Hashicorp that may plan to work on this? It seems some work started on this but was never mainlined. #819 |
Hi folks 👋 This issue appears to have collected a few threads around value sensitivity. Some are related to the terraform-plugin-sdk Go module that providers developers can use to write their providers and some are related to broader feature requests that would affect provider SDKs, Terraform core, and the protocol between them. The original description for this issue was that declaring a terraform-plugin-sdk based schema, its abstractions allow creating a technically invalid schema that would not mark nested attributes as sensitive or raising any errors for provider developers about the errant situation. The reasons why this is not valid was described previously: #201 (comment) In this example, the top level &schema.Schema{
// ... other fields ...
Sensitive: true,
Elem: &schema.Resource{ // This typically designates a block
Schema: map[string]*schema.Schema{
"nested_attr": {
// ... other fields ...
// no Sensitive: true defined
},
},
}
} The current fix for provider developers in this case is to instead mark all nested attributes individually as &schema.Schema{
// ... other fields ...
Sensitive: true,
Elem: &schema.Resource{ // This typically designates a block
Schema: map[string]*schema.Schema{
"nested_attr": {
// ... other fields ...
Sensitive: true, // now enabled
},
},
}
} The changes proposed in #819 is one possible solution where terraform-plugin-sdk would try to approximate the developers likely intention, rather than strictly following what is a valid schema. That change is however missing any testing to verify it would not cause regressions in existing providers. Incorrectly marking attributes as sensitive can cause breaking changes in practitioner configurations on Terraform 0.14+, where outputs must be marked as sensitive when a sensitive value is received or an error is raised. Any which way though, adjusting the currently ignored behavior to become supported without an opt-in would likely require a major version release of this Go module to signal the practitioner-affecting change. There are no future plans for another major release of this Go module at this time. Provider developers also have the option of migrating to terraform-plugin-framework, which correctly surfaces the nuances between attributes, blocks, and the behavior differences between the two concepts. One additional benefit of building on terraform-plugin-framework is that blocks can be migrated to nested attributes which does allow sensitivity to be declared directly on the attribute, singularly declared on nested attributes, and the practitioner benefit of using expressions instead of dynamic blocks (if being configured). In terms of provider logging showing sensitive values, there are two parts to this. If the value is known to be sensitive and the provider is using terraform-plugin-log for logging, there are various filtering capabilities available. Other logging libraries will require their own solution to be implemented in the provider code, but those are outside the scope of what the maintainers here can have knowledge or assist. If the sensitive value is coming from another resource or explicitly being marked as explicit in the Terraform configuration (e.g. via the |
This an extension of:
properties marked sensitive are not being masked.
Terraform Version
Terraform Configuration Files
Debug Output
Crash Output
Expected Behavior
Sensitive values should be masked masked.
Actual Behavior
On a delete with a plan when there is nested sub objects with only select properties marked as sensitive some of the values are shown in plan.
The client_key and password fields in the kube_admin_config block are shown as literal strings instead of being masked. We're running terraform version 0.12.6, and you can see the provider versions in the plan output below.
Steps to Reproduce
Additional Context
References
The text was updated successfully, but these errors were encountered: