Resolves #11595 - Sensitive environment variables in AWS Lambda #11614
Declare environment variables in AWS Lambda as sensitive so they will not be printed by terraform plan and apply.
Should all values be treated as sensitive? In #11595 it was suggested to use a different parameter just for sensitive values, allowing non-sensitive values to still be visible in the output.
@bflad - What are your thoughts on the approach in this PR? I find it near impossible to justify using Lambda with Vault if only to have the secrets exposed in Plan & State.
I think it would be against the design principles of Terraform to add a
@osulli I don't understand what all of this has directly to do with vault. As far as I know, the sensitive flag only changes the output behaviour of Terraform.
Any reason why this one is not merged/reviewed? There is no way to pass sensitive data to lambda (except manually as input variable), but this is especially useful if this sensitive data is dynamically generated and passed from different terraform state file. Is there any workaround?
Hi @FrediWeber! Thank you for your pull request and for your patience in waiting for its review. I think there are use cases for both sensitive and nonsensitive AWS Lambda environmental variables, e.g. database secrets and development environment configuration respectively. Additionally: in the time since this PR was opened, Terraform Given this, I don't think it makes sense to force all Lambda environmental variables to be sensitive; instead, the user can designate values as sensitive as they wish using either the As such, I'm going to go ahead and close this PR without merging. I hope this helps anyone looking for a solution / workaround!
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
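A concrete version of the approach the maintainer describes, as an added example (not code from this PR or from the provider): sensitivity is declared on the input values in the caller's configuration and Terraform propagates it into the Lambda environment, so the provider does not need to force every value to be sensitive. The variable name, role reference, bucket and remote-state output are assumptions.

```hcl
# Added example, not part of the PR. Sensitivity is declared on the inputs;
# Terraform carries it into the environment map, so `terraform plan` and
# `apply` print "(sensitive value)" instead of the secret.

variable "db_password" {
  type      = string
  sensitive = true # Terraform >= 0.14: redacted in plan/apply output
}

# Assumed: a secret generated in another root module and read via remote state
# (the use case raised in the thread).
data "terraform_remote_state" "secrets" {
  backend = "s3"
  config = {
    bucket = "example-tfstate" # assumed bucket name
    key    = "secrets/terraform.tfstate"
    region = "us-east-1"
  }
}

resource "aws_lambda_function" "app" {
  function_name = "app"                   # assumed
  role          = aws_iam_role.lambda.arn # assumed to be defined elsewhere
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = "app.zip"

  environment {
    variables = {
      # Weak form: a plaintext literal is shown verbatim in every plan.
      # DB_PASSWORD = "hunter2"
      DB_PASSWORD = var.db_password

      # sensitive() (Terraform >= 0.15) marks a dynamically produced value
      # that was not declared sensitive at its source.
      API_KEY = sensitive(data.terraform_remote_state.secrets.outputs.api_key)

      # Non-secret configuration can live in the same map; depending on the
      # Terraform version it may be redacted along with the secret entries.
      LOG_LEVEL = "info"
    }
  }
}
```

As noted in the thread, the sensitive mark only changes what Terraform prints: the values are still stored in plaintext in the state file and in the function's configuration in AWS, so the state backend and read access to the Lambda configuration need their own access controls.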
Relates OR Closes #11595
Release note for CHANGELOG:
Environment variables in AWS Lambda functions are used to provide secrets. Therefore we should mark the value as sensitive so it is not printed to the output of terraform plan and apply.
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html