Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resource "azurerm_kubernetes_cluster" is leaking sensitive data #5730

Closed
subesokun opened this issue Feb 13, 2020 · 2 comments
Closed

Resource "azurerm_kubernetes_cluster" is leaking sensitive data #5730

subesokun opened this issue Feb 13, 2020 · 2 comments
Labels
bug upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc)

Comments

@subesokun
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform: 0.12.20
AzureRM: 1.41.0

Affected Resource(s)

  • azurerm_kubernetes_cluster

Debug Output

~ resource "azurerm_kubernetes_cluster" "cluster" {
        ...redacted...
        kube_admin_config               = []
        kube_config                     = [
            {
                client_certificate     = "redacted"
                client_key             = "redacted"
                cluster_ca_certificate = "redacted"
                host                   = "redacted"
                password               = "redacted"
                username               = "redacted"
            },
        ]
        kube_config_raw                 = (sensitive value)
        kubernetes_version              = "1.15.7"
        ...redacted...
        service_principal {
            client_id     = "redacted"
            client_secret = (sensitive value)
        }
    }

Expected Behavior

In case of in-place updates, sensitive data like the kubecfg.client_key gets redacted and is not visible in the logs.

Actual Behavior

In case of in-place updates, sensitive data like the kubecfg.client_key gets printed in clear text into the logs.

Steps to Reproduce

Change a property that causes an in-place update of the AKS cluster and run a terraform plan
@tombuildsstuff tombuildsstuff added bug upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc) labels Feb 13, 2020
@tombuildsstuff
Copy link
Contributor

👋

Thanks for opening this issue.

This issue needs to be fixed in the Terraform Plugin SDK, as such rather than tracking this issue in multiple places I'm going to close this issue in favour of the upstream issue. Once that's been fixed we'll update the version of the Plugin SDK being used and this should get resolved - as such please subscribe to the upstream issue for updates.

Thanks!

@ghost
Copy link

ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tombuildsstuff @subesokun