
[Bug]: data ssm_parameter.value should not be sensitive #31590

Closed
elduds opened this issue May 26, 2023 · 7 comments
Labels
bug Addresses a defect in current functionality. service/ssm Issues and PRs that pertain to the ssm service. upstream-terraform Addresses functionality related to the Terraform core binary.

Comments

@elduds

elduds commented May 26, 2023

Terraform Core Version

all

AWS Provider Version

all

Affected Resource(s)

aws_ssm_parameter

Expected Behavior

the value attribute of https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter should not be marked as sensitive if the type of the parameter is String.

If the type is set to SecureString, assume the value to be sensitive.

Actual Behavior

This value is always marked as sensitive, regardless of type.

This makes planning and debugging far more difficult than it should be for no corresponding value / increase in security.

Relevant Error/Panic Output Snippet

❯ terraform plan
data.aws_ssm_parameter.not_sensitive: Reading...
data.aws_ssm_parameter.not_sensitive: Read complete after 1s [id=/parameter/that/is/not/sensitive]

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Output refers to sensitive values
│ 
│   on tf.tf line 5:
│    5: output "all" {
│ 
│ To reduce the risk of accidentally exporting sensitive data that was intended to be only internal, Terraform
│ requires that any root module output containing sensitive data be explicitly marked as sensitive, to confirm your
│ intent.
│ 
│ If you do intend to export this data, annotate the output value as sensitive by adding the following argument:
│     sensitive = true

Terraform Configuration Files

data "aws_ssm_parameter" "not_sensitive" {
  name = "/parameter/that/is/not/sensitive"
}

output "all" {
  value       = data.aws_ssm_parameter.not_sensitive.value
  sensitive   = false
  description = "My super-not-secret data"
}

Steps to Reproduce

attempt to plan the above tf code

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter

Would you like to implement a fix?

None

@elduds elduds added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels May 26, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/ssm Issues and PRs that pertain to the ssm service. label May 26, 2023
@ShathishWarmaS

output "all" {
  value     = data.aws_ssm_parameter.not_sensitive.value
  sensitive = true
}

By adding sensitive = true to the output definition, you confirm that the output contains sensitive data and that you intend to export it. This prevents accidental exposure of sensitive information in Terraform outputs.

@elduds
Author

elduds commented May 26, 2023

> By adding sensitive = true to the output definition, you confirm that the output contains sensitive data and that you intend to export it. This prevents accidental exposure of sensitive information in Terraform outputs.

But the output does not contain sensitive data, nor is it ever likely to contain sensitive data. That's what SecureString type is for.

@ShathishWarmaS

ShathishWarmaS commented May 26, 2023

output "all" {
  value          = data.aws_ssm_parameter.not_sensitive.value
  ignore_changes = true
}

By setting ignore_changes = true, you inform Terraform to ignore any modifications to the output value during plan and apply operations. This can help bypass the sensitivity check if you are certain that the output doesn't contain sensitive information.

data "aws_ssm_parameter" "not_sensitive" {
  name = "/parameter/that/is/not/sensitive"
}

output "all" {
  value          = data.aws_ssm_parameter.not_sensitive.value
  sensitive      = false
  description    = "My super-not-secret data"
  ignore_changes = true
}

@justinretzolk
Member

Hey @elduds 👋 Thank you for taking the time to raise this! In this case, the sensitivity is defined at the resource schema level. This is something that the plugin SDK does not currently support toggling dynamically based on something like whether the type is a String or SecureString.

Interestingly, I've found a feature request on the plugin SDK repository (hashicorp/terraform-plugin-sdk#736) for this exact thing (so much so that the example is precisely what you're calling out here). On that issue, a workaround is called out using the nonsensitive() function to instruct Terraform to remove the sensitive flag.

Given that this is an upstream limitation, and not a bug within the provider, I'll close this issue for now. If you feel I've done this in error, please do let me know.
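The nonsensitive() workaround named above, carried through on the configuration from the original report, as an added example that is not code from any participant in this thread. It assumes Terraform 1.2 or later (output precondition blocks) and reuses the parameter name from the report. nonsensitive() removes the sensitive mark that the provider schema puts on value, and the precondition refuses the plan unless the data source's type attribute reports String, so a later change of the parameter to SecureString cannot quietly end up in plain-text plan and output display.

```hcl
# Added example: nonsensitive() workaround for the issue above, guarded by an
# output precondition. Assumes Terraform >= 1.2 and the parameter name used
# in the original report.
data "aws_ssm_parameter" "not_sensitive" {
  name = "/parameter/that/is/not/sensitive"
}

output "all" {
  description = "My super-not-secret data"

  # The provider marks value as sensitive at the schema level regardless of
  # parameter type; nonsensitive() removes that mark so the output can be
  # displayed without sensitive = true.
  value = nonsensitive(data.aws_ssm_parameter.not_sensitive.value)

  # Only strip the mark for a plain String parameter. If someone later
  # converts the parameter to SecureString, the plan fails instead of
  # exposing the decrypted secret.
  precondition {
    condition     = data.aws_ssm_parameter.not_sensitive.type == "String"
    error_message = "Refusing to expose an SSM parameter whose type is not String."
  }
}
```

The sensitive mark only governs what Terraform prints; the fetched value is written to state in either case. That is why the guard checks the parameter's type rather than relying on the mark, and why a parameter that might ever hold a secret should be created as SecureString, which this output will then refuse to unmask.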

@justinretzolk justinretzolk added the upstream-terraform Addresses functionality related to the Terraform core binary. label May 26, 2023
@github-actions github-actions bot removed the needs-triage Waiting for first response or review from a maintainer. label May 26, 2023
@elduds
Author

elduds commented May 27, 2023

Awesome, thanks @justinretzolk . I was unaware of nonsensitive() so will definitely give that a go in the meantime -- sounds like it does exactly what I need.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 27, 2023