mongodbatlas_encryption_at_rest outputs IAM secrets to stdout #93

Closed
ardiesaeidi opened this issue Dec 16, 2019 · 4 comments

@ardiesaeidi

Hi,

I'm using the module mongodbatlas_encryption_at_rest to set up encryption and I noticed that the module is outputting my IAM secret to console/stdout. It would be great if this information can be redacted in some way since I wouldn't want this leaked through my logs.

"terraform" 0.11.14
"mongodbatlas" 0.3.1
"template" 2.1.2
"aws" 2.42.0

Terraform will perform the following actions:

  + mongodbatlas_encryption_at_rest.encryption
      id:                                                          <computed>
      aws_kms.%:                                                   "5"
      aws_kms.access_key_id:                                       "SOMEKEY"
      aws_kms.customer_master_key_id:                              "SOMEMASTERKEY"
      aws_kms.enabled:                                             "1"
      aws_kms.region:                                              "US_WEST_2"
      aws_kms.secret_access_key:                                   "oopsmysecrets"
      project_id:                                                  "MYPROJECT"



@marinsalinas
Contributor

I totally agree! @ardiesaeidi, these fields should be marked as sensitive in the resource's schema. I'll open a PR with this, as soon as I get any bandwidth to solve more issues.

@themantissa
Collaborator

Hi @ardiesaeidi - Feel free to submit a feature request at https://feedback.mongodb.com/forums/924145-atlas?category_id=370723 for specific values to be redacted in the display to stdout. However, please be aware that this information would still be stored in your Terraform state file. There is more than one way we've seen customers mitigate this risk - one common one is to use both Terraform and Vault (see https://www.terraform.io/docs/providers/vault/index.html).

@ardiesaeidi
Author

Thanks @marinsalinas @themantissa! That makes sense and I'll look into Vault. Solving this particular issue would be helpful for my team since we kick off tf changes through Jenkins and it stores/logs the console output.

@themantissa
Collaborator

@ardiesaeidi fyi the sensitive info here should now be hidden w/ #93
and our Vault work is now in Vault 1.4, supporting both db users and api keys. Blog may be helpful: https://blog.website.prod.corp.mongodb.com/blog/post/manage-atlas-database-secrets-hashicorp-vault
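
For the Jenkins case raised in this thread, a filter placed between Terraform and the build log can mask attribute values that a provider does not mark as sensitive. This is an added example, not part of the original issue or the provider's code; it assumes Terraform 0.11-style plan lines as shown in the report, and the name patterns, `redact_plan`, and the sample resource `example_resource.rotated` are hypothetical.

```python
import re

# Assumption: attribute names containing these words hold secrets.
SENSITIVE_NAME = re.compile(r"(secret|password|token|private_key)", re.IGNORECASE)

# Terraform 0.11 plan attribute line: indent, dotted key, colon, padding, value(s).
ATTR_LINE = re.compile(
    r'^(?P<indent>\s+)(?P<key>[A-Za-z0-9_.#%~-]+):(?P<pad>\s+)(?P<value>.*)$'
)
# Non-empty quoted string; covers both `"new"` and `"old" => "new"` forms.
QUOTED = re.compile(r'"(?:[^"\\]|\\.)+"')

# Constructed sample, modelled on the plan output in the report.
SAMPLE = '''\
  + mongodbatlas_encryption_at_rest.encryption
      id:                         <computed>
      aws_kms.access_key_id:      "SOMEKEY"
      aws_kms.secret_access_key:  "oopsmysecrets"
      project_id:                 "MYPROJECT"
  ~ example_resource.rotated
      api_token:                  "old-value" => "new-value"
      db_password:                <sensitive>
'''


def redact_plan(text):
    """Return (redacted_text, leaked_keys) for Terraform 0.11 plan/apply output."""
    out, leaked = [], []
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m and SENSITIVE_NAME.search(m.group("key")):
            # Values Terraform already masks (<sensitive>) are unquoted and untouched.
            value, n = QUOTED.subn('"<redacted>"', m.group("value"))
            if n:
                leaked.append(m.group("key"))
                line = f'{m.group("indent")}{m.group("key")}:{m.group("pad")}{value}'
        out.append(line)
    return "\n".join(out), leaked


if __name__ == "__main__":
    import sys
    # Usage: terraform plan -no-color | python redact_plan.py
    redacted, leaked = redact_plan(sys.stdin.read())
    print(redacted)
    for key in leaked:
        print(f"plaintext secret in plan output: {key}", file=sys.stderr)
    sys.exit(1 if leaked else 0)
```

This only protects the console log; as noted in the thread, the values are still stored in the Terraform state file.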
