-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow defining triggers that are sensitive information #38
Comments
I've been using triggers = {
secret = sha1(var.mysecret)
} |
@jferris That's a usable workaround, thanks for the tip. Still, it would be nice to have a built in way of providing sensitive values, just as we have with https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file |
The need for triggers for destroy also means (for us) that we need to load files into variables. This has the same issue in that we don't want the file content dumping to logs. |
@keiranmraine as exlained earlier by @jferris, for your use-case the hash of the file would be perfectly valid workaround, I'd even argue that in that case it's not even a workaround, hashing files to notice changes is a pretty well established industry practice. |
Hi @reegnz, I should have included more context. Unless I'm misunderstanding the use of We have destroy actions that require variables/files for cleanup actions on services that terraform doesn't interact with natively. Now variables aren't allowed in destroy the use of In these instances we need the actual value, not to know it was different. |
Given that you already start with a file in the first place, couldn't you just set file hash plus file name as a trigger? Then the destroy provisioner can work with the file name directly instead of getting passed the contents. |
I hadn't thought of that for files. Thanks! |
@keiranmraine I modified the ticket description based on your input to include a destroy provisioner, because the destroy provisioning only being able to use 'self' is a really good argument for why hashing is not a complete solution if you need to reference the sensitive value in the destroying of the resource. |
One specific use-case where the hashing solution wouldn't work is in the case where an API key needs to be used to run the create/destroy provisioning, so the API key is sensitive and it needs to be a trigger. On the other hand that use-case has a bunch of other issues with it as well, eg. the key should be an environment variable for the entire process, so destroy isn't tried with an old API key. :) Trying to construct some reasonable use-case that's more life-like. Anyway, will give it a go and prepare a PR for a |
Right now this behavior is blocking our ability to migrate to terraform 0.13 with the error:
Since we use some secrets to fill in the information in our connection{} block, it is by nature sensitive. Putting the values in the triggers allows us to upgrade but then dumps private keys into our diffs :/. What I would like to see happen is something like this:
|
FYI I opened PR #48 to implement this. If anyone is interested, can you please give it a spin and report whether it works for you? Build instructionsYou need Go 1.15 installed to build the provider. It's also possible to use Docker if you don't want to install Go. With Go 1.15 installedgit clone -b sensitive https://github.com/jgiannuzzi/terraform-provider-null
cd terraform-provider-null
make build The provider can then be found in With Docker installedLinuxFirst spin up the Go 1.15 container: docker run --rm -ti -v $PWD:/go/bin -w /root golang:1.15 Then within that container, do the following: git clone -b sensitive https://github.com/jgiannuzzi/terraform-provider-null
cd terraform-provider-null
make build You can then exit the container and the plugin will be in you current working directory. macOSFirst spin up the Go 1.15 container: docker run --rm -ti -v $PWD:/go/bin/darwin_amd64 -w /root golang:1.15 Then within that container, do the following: git clone -b sensitive https://github.com/jgiannuzzi/terraform-provider-null
cd terraform-provider-null
make build GOOS=darwin You can then exit the container and the plugin will be in you current working directory. WindowsFirst spin up the Go 1.15 container from a PowerShell terminal: docker run --rm -ti -v ${pwd}:/go/bin/windows_amd64 -w /root golang:1.15 Then within that container, do the following: git clone -b sensitive https://github.com/jgiannuzzi/terraform-provider-null
cd terraform-provider-null
make build GOOS=windows You can then exit the container and the plugin will be in you current working directory. Install instructionsLinuxmkdir -p ~/.local/share/terraform/plugins/registry.terraform.io/hashicorp/null/3.0.0/darwin_amd64
mv terraform-provider-null ~/.local/share/terraform/plugins/registry.terraform.io/hashicorp/null/3.0.0/darwin_amd64/ macOSmkdir -p "~/Library/Application Support/io.terraform/plugins/registry.terraform.io/hashicorp/null/3.0.0/darwin_amd64"
mv terraform-provider-null "~/Library/Application Support/io.terraform/plugins/registry.terraform.io/hashicorp/null/3.0.0/darwin_amd64/" WindowsNew-Item ${APPDATA}/HashiCorp/Terraform/plugins -ItemType Directory -ea 0
Move-Item terraform-provider-null ${APPDATA}/HashiCorp/Terraform/plugins/ Usage instructionsUpgrade your project to use the custom version of the plugin: terraform init -upgrade |
I'd like to try this, but I wasn't able to get TF to load the provider.
The given instructions seem to assume terraform is installed in $GOPATH (based on the plugins docs), but my terraform binary is installed by brew elsewhere. So I moved the plugin into
Then I tried running a
I'm sure this is a PEBKAC issue, but I'm just not seeing it. My only dev terraform work was in my own provider, and I don't recall if I ever tested it outside of my local dev testing. So I don't have much experience with side-loading a provider. |
Sorry @dekimsey, I should have also explained how to install the plugin 😅 You seem to be using macOS, so you should copy/move it to I'll update my post above with installation instructions for the other operating systems. |
Okay, I just re-read your instructions now that it's been a few hours. I installed it incorrectly, I'll try again on Monday now that I read them correctly :) Thank you @jgiannuzzi! |
Okay, well I was unable to get my live state to try these changes. I gave up. I ended up creating a simple single-resource test from scratch and that did work. shrug And the change is pretty trivial so, I'm sure it'll Just Work ;). Thank you for doing this @jgiannuzzi. I think this was our only blocker for our 0.13 upgrade. |
I'm really happy to see @jgiannuzzi's PR. When you have different people working on different platforms, it's helpful to avoid pathnames in state since they can change between users and platforms. Normally, this is no big deal, but when Let's Encrypt gives you 5 updates per month, you really can't afford to burn renewals because a file path changed. We have destroy actions for kubernetes CRD's that use process substitution instead of files to get around files changing but the destroy actions were putting our kubeconfig files in plaintext. Here's an example destroy whose triggers will benefit:
|
These are functionally identical, but masks the inputs/outputs. Closes hashicorp#38
These are functionally identical, but masks the inputs/outputs. Closes hashicorp#38
Just checking in, did this go anywhere? Seems to have died :/ |
Maybe I'm missing something, but isn't is sufficient to mark the |
@tmatilai Marking variables as sensitive was not a terraform feature when the ticket was opened. It got introduced with 0.14. But yes, it seems to solve the issue. Checking with the following code: variable "mysecret" {
type = string
sensitive = true
}
resource null_resource example {
triggers = {
secret = var.mysecret
}
provisioner "local-exec" {
command = "echo Create"
environment = {
SECRET = self.triggers.secret
}
}
provisioner "local-exec" {
command = "echo Destroy"
environment = {
SECRET = self.triggers.secret
}
}
} The cli output of a plan looks like this: ❯ terraform plan
var.mysecret
Enter a value: supersecret
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# null_resource.example will be created
+ resource "null_resource" "example" {
+ id = (known after apply)
+ triggers = {
+ "secret" = (sensitive)
}
}
Plan: 1 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now. Given that both of the above solve the issue in a straightforward way, I'm gonna close the ticket as it can be solved with a terraform-native feature without any modification necessary to the provider anymore. |
no more sensitive_triggers again? |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Terraform Version
Terraform v0.12.20
Affected Resource(s)
Terraform Configuration Files
Debug Output
Expected Behavior
A way to provide sensitive values as triggers, so that the plan does only print
(sensitive)
and not the actual value of a sensitive trigger.Actual Behavior
No way to define sensitive triggers.
Steps to Reproduce
terraform apply
Important Factoids
The null_resource should also take a
sensitive_triggers
map that is obfuscated in the plan output.Other providers, like the local provider use a similar approach:
https://www.terraform.io/docs/providers/local/r/file.html
The text was updated successfully, but these errors were encountered: