Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hide CloudFormation template sensitive parameters #15771

Closed
ghost opened this issue Oct 21, 2020 · 3 comments
Closed

Hide CloudFormation template sensitive parameters #15771

ghost opened this issue Oct 21, 2020 · 3 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/cloudformation Issues and PRs that pertain to the cloudformation service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@ghost
Copy link

ghost commented Oct 21, 2020

This issue was originally opened by @BartekChojnacki as hashicorp/terraform#26288. It was migrated here as a result of the provider split. The original body of the issue is below.

Hello,

When I want to run cloudformation stack from Terraform and this stack has sensitive parameters, which are set up in cloudformation template as ( SecretString: Type: 'String' NoEcho: true ) there are no possibility to make sensitive section parameters = {} / parameter_overrides = { } and all sensitive parameters are visible in terraform plan.

Current Terraform Version

Terraform v0.13.0
+ provider registry.terraform.io/-/aws v3.7.0
+ provider registry.terraform.io/-/template v2.1.2
+ provider registry.terraform.io/hashicorp/aws v3.7.0
+ provider registry.terraform.io/hashicorp/template v2.1.2

Use-cases

# module.iam_module.aws_cloudformation_stack_set_instance.smsminstance["aws-network-non-prod"] will be updated in-place ~ resource "aws_cloudformation_stack_set_instance" "examample_instance" { account_id = "example_account" id = "tfe-stackset-sm-deployer,016091306659,eu-west-1" ~ parameter_overrides = { ~ "SecretString" = "****" -> jsonencode( { + SECRET_KEY = "SECRET_KEY_VALUE"

Proposal

There should be an option to make parameters {} section for resource "aws_cloudformation_stack_set" and parameter_overrides = {} for resource "aws_cloudformation_stack_set_instance" sensitive, and hide it on the plan if it is needed. Especially when the input parameters of the cloudformation template are sensitive.
@ghost ghost mentioned this issue Oct 21, 2020
Closed
@ghost ghost added the service/cloudformation Issues and PRs that pertain to the cloudformation service. label Oct 21, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 21, 2020
@anGie44 anGie44 added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 21, 2020
@anGie44
Copy link
Contributor

anGie44 commented Oct 21, 2020

Hi @BartekChojnacki, thank you for creating this issue! Dropping a note here to reference an implementation consideration for marking a TypeMap and it's attributes as Sensitive: #15157 (comment)

@bflad bflad mentioned this issue Apr 9, 2021
Open
@github-actions
Copy link

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Oct 12, 2022
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Nov 12, 2022
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 13, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/cloudformation Issues and PRs that pertain to the cloudformation service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@anGie44