Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS Lambda Function Sensitive Environment Variables #11595

Closed
FrediWeber opened this issue Jan 14, 2020 · 3 comments
Closed

AWS Lambda Function Sensitive Environment Variables #11595

FrediWeber opened this issue Jan 14, 2020 · 3 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/lambda Issues and PRs that pertain to the lambda service.

Comments

@FrediWeber
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Sensitive information is sometimes provided as an environment variable to an AWS Lambda function. When we provide the secret as an environment variable with Terraform, the plan and apply step will output these values as plain text.
We suggest that a possibility is added, to specify sensitive environment variables which will not be printed out by Terraform. We futher suggest to use the existing "sensitive" function from Terraform to accomplish this goal.

New or Affected Resource(s)

  • aws_lambda_function

Potential Terraform Configuration

With backward compatibility

resource "aws_lambda_function" "test_lambda" {
  filename      = "lambda_function_payload.zip"
  function_name = "lambda_function_name"
  role          = "${aws_iam_role.iam_for_lambda.arn}"
  handler       = "exports.test"
  runtime = "nodejs8.10"

  environment {
    sensitive_variables = {
      password = "SECRET"
    }
    variables = {
      foo = "bar"
    }
  }
}

Without backward compatibility

resource "aws_lambda_function" "test_lambda" {
  filename      = "lambda_function_payload.zip"
  function_name = "lambda_function_name"
  role          = "${aws_iam_role.iam_for_lambda.arn}"
  handler       = "exports.test"
  runtime = "nodejs8.10"

  environment {
    variables = [
      {
        key = "foo"
        value = "bar"
        sensitive = false
      },
      {
        key = "password"
        value = "SECRET"
        sensitive = true
      }
    ]
  }
}
@FrediWeber FrediWeber added the enhancement Requests to existing resources that expand the functionality or scope. label Jan 14, 2020
@ghost ghost added the service/lambda Issues and PRs that pertain to the lambda service. label Jan 14, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 14, 2020
@FrediWeber FrediWeber mentioned this issue Jan 15, 2020
Closed
FrediWeber added a commit to FrediWeber/terraform-provider-aws that referenced this issue Jan 20, 2020
@FrediWeber
Resolves hashicorp#11595 - Sensitive environment variables in AWS Lambda
62dba8e 
Declare environment variables in AWS Lambda as sensitive so they
will not be printed by terraform plan and apply.
@apparentlymart apparentlymart mentioned this issue Jan 25, 2020
Closed
@FrediWeber FrediWeber mentioned this issue Jan 27, 2020
Closed
@gdavison gdavison removed the needs-triage Waiting for first response or review from a maintainer. label Sep 1, 2020
@GrantBirki
Copy link

I just stumbled across this thread. It appears a very solid work around is current available in later versions of Terraform. You can see the merged pull request here where this is now supported 😃

You can do something link so to hide the output of a env var which you pass into your Lambda function:

variable "SOME_VAR_HERE" {
  ...
  sensitive=true
}

Hope this helps!

@bflad bflad mentioned this issue Apr 9, 2021
Open
@zhelding
Copy link
Contributor

zhelding commented Sep 9, 2021

As I discussed in my response to PR #11614, the use case discussed here is now covered by the sensitive function introduced by Terraform v0.15.

(https://www.terraform.io/docs/language/functions/sensitive.html)

@zhelding zhelding closed this as completed Sep 9, 2021
@github-actions
Copy link

github-actions bot commented Jun 9, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 9, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/lambda Issues and PRs that pertain to the lambda service.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Resolves #11595 - Sensitive environment variables in AWS Lambda FrediWeber/terraform-provider-aws
4 participants
@gdavison @FrediWeber @zhelding @GrantBirki