
Resolves #11595 - Sensitive environment variables in AWS Lambda #11614

Closed

Conversation

@FrediWeber FrediWeber commented Jan 15, 2020

Relates OR Closes #11595

Release note for CHANGELOG:

Environment variables in AWS Lambda functions are used to provide secrets. Therefore we should mark the value as sensitive so it is not printed to the output of terraform plan and apply.
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html

aws_lambda_function no longer prints environment variables to the output of Terraform

Output from acceptance testing:

$ make testacc TEST=./aws TESTARGS='-run=TestAccAWSLambdaFunction_envVariables'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSLambdaFunction_envVariables -timeout 120m
=== RUN   TestAccAWSLambdaFunction_envVariables
=== PAUSE TestAccAWSLambdaFunction_envVariables
=== CONT  TestAccAWSLambdaFunction_envVariables

--- PASS: TestAccAWSLambdaFunction_envVariables (276.20s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       276.236s

@FrediWeber FrediWeber requested a review from a team January 15, 2020 17:49
@ghost ghost added labels needs-triage (Waiting for first response or review from a maintainer.), size/L (Managed by automation to categorize the size of a PR.), service/lambda (Issues and PRs that pertain to the lambda service.), tests (PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.) on Jan 15, 2020
Declare environment variables in AWS Lambda as sensitive so they
will not be printed by terraform plan and apply.
@FrediWeber FrediWeber force-pushed the f-lambda-secret-variables branch from 4705616 to 62dba8e Compare January 20, 2020 18:15
@ghost ghost added label size/XS (Managed by automation to categorize the size of a PR.) and removed label size/L (Managed by automation to categorize the size of a PR.) on Jan 20, 2020
@FrediWeber FrediWeber changed the title [WIP] Resolves #11595 - Sensitive environment variables in AWS Lambda Resolves #11595 - Sensitive environment variables in AWS Lambda Jan 20, 2020
kenske commented Mar 25, 2020

Should all values be treated as sensitive? In #11595 it was suggested to use a different parameter just for sensitive values, allowing non-sensitive values to still be visible in the output.

osulli commented Jun 16, 2020

@bflad - What are your thoughts on the approach in this PR?
@FrediWeber - How time-consuming would it be for you to add the sensitive toggle as opposed to making all environment.variables sensitive?

I find it near impossible to justify using Lambda with Vault if only to have the secrets exposed in Plan & State.
It would be really nice to bolster the current resources available in Terraform so that they can be used in production without hacks or large security tech-debts.

@FrediWeber (Author) commented
I think it would be against the design principles of Terraform to add a sensitive parameter. We should only add parameters that are reflected in the APIs of the service provider (in this case AWS) and there is no such parameter there.
As the docs of AWS Lambda explicitly state, these environment variables can be used to store secrets so imo we should definitely make them sensitive.

@osulli I don't understand what all of this has directly to do with Vault. As far as I know, the sensitive flag only changes the output behaviour of Terraform.

Base automatically changed from master to main January 23, 2021 00:56
@breathingdust breathingdust requested a review from a team as a code owner January 23, 2021 00:56
@dvasiljevic-humanity commented
Any reason why this one is not merged/reviewed? There is no way to pass sensitive data to Lambda (except manually as an input variable), but this is especially useful if this sensitive data is dynamically generated and passed from a different Terraform state file. Is there any workaround?

@zhelding zhelding self-assigned this Sep 7, 2021
@zhelding (Contributor) commented Sep 9, 2021

Hi @FrediWeber! Thank you for your pull request and for your patience in waiting for its review.

I think there are use cases for both sensitive and nonsensitive AWS Lambda environmental variables, e.g. database secrets and development environment configuration respectively.

Additionally: in the time since this PR was opened, Terraform v0.15 has introduced the sensitive function, which causes Terraform to treat any inputted value as sensitive. (https://www.terraform.io/docs/language/functions/sensitive.html)

Given this, I don't think it makes sense to force all Lambda environmental variables to be sensitive; instead, the user can designate values as sensitive as they wish using either the sensitive function or via the standard method for defining sensitive input variables.

As such, I'm going to go ahead and close this PR without merging. I hope this helps anyone looking for a solution / workaround!

@zhelding zhelding closed this Sep 9, 2021
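The workaround zhelding describes, written out as an added example that is not part of this PR or of the provider's code: one secret comes from an input variable declared with `sensitive = true`, another is a value generated in a different root module and read through remote state, wrapped in the `sensitive()` function because remote-state outputs are not marked sensitive on the reading side, and a non-secret setting stays a plain string. The IAM role reference, the S3 backend settings, the output name `api_token` and the deployment package are assumptions.

```hcl
# Added example; not code from this PR or from terraform-provider-aws.
# `sensitive = true` on a variable needs Terraform >= 0.14,
# the sensitive() function needs Terraform >= 0.15.

variable "db_password" {
  description = "Database password injected into the function (assumed name)"
  type        = string
  sensitive   = true   # value is redacted in plan/apply output
}

# Secret generated in another root module and read via remote state.
# Backend settings and the output name are assumptions. Outputs read this
# way carry no sensitivity mark, so the consumer has to add it.
data "terraform_remote_state" "shared" {
  backend = "s3"
  config = {
    bucket = "example-tfstate"
    key    = "shared/terraform.tfstate"
    region = "us-east-1"
  }
}

resource "aws_lambda_function" "example" {
  function_name = "example-function"
  role          = aws_iam_role.lambda.arn   # assumed to be defined elsewhere
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = "lambda.zip"             # assumed deployment package

  environment {
    variables = {
      # Non-secret configuration: no reason to hide it from reviewers.
      STAGE = "dev"

      # Secret from a sensitive input variable: redacted in plan/apply output.
      DB_PASSWORD = var.db_password

      # Secret from remote state: explicitly marked with sensitive().
      API_TOKEN = sensitive(data.terraform_remote_state.shared.outputs.api_token)
    }
  }
}
```

Two caveats a practitioner should check before relying on this. First, the sensitive mark only changes what `terraform plan` and `terraform apply` print; the literal values are still written to the state file in plain text, so the state backend needs encryption at rest and tight access control regardless. Second, AWS returns Lambda environment variables in clear to any principal allowed to call `lambda:GetFunctionConfiguration`, which Terraform cannot influence. Also note that, depending on the Terraform version, the plan renderer may show the whole `variables` map as `(sensitive value)` once any single element is sensitive, so run `terraform plan` on your version to see whether `STAGE` stays readable.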
@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021
@github-actions bot commented
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 19, 2022
Linked issue (would be closed by merging this pull request): AWS Lambda Function Sensitive Environment Variables (#11595)