local_file should not print sensitive information in the output if sensitive = true #17
Comments
The code at master implements a solution: However it seems it's not yet available in Terraform v0.11.10 and provider.local v1.1.0.
This was implemented in #9 back in March 2018, but has not yet been released.
@alewando sorry for the slow response here! The core team has been working heads-down on the terraform 0.12 release and unfortunately some things (like this provider!) have been neglected as a result. I will bookmark this to remind myself to go through the pending PRs and publish a release. Thanks for working on this particular issue, and thanks for your patience!
@mildwonkey Is there any chance of getting a release cut? We can fork and do a new release but it requires a load of boilerplate in Terraform orchestration to pull in a custom plugin.
@mildwonkey Again, I call for a release. It's an easy win and could help us a lot.
@mildwonkey I also think that this would be a fantastic feature, and look forward to its release. 🙂
For those looking for a temporary alternative, that's what I did to export credentials for multiple RDS databases (I have a map of database/password and a master password):

```hcl
locals {
  databases = "${keys(var.shared_db_databases_passwords)}"

  # Everything that ends up in manual_output.json
  manual_output = {
    endpoint  = "${module.shared_database.database_endpoint}"
    username  = "myusername"
    password  = "${var.shared_db_master_password}"
    port      = 5432
    databases = "${local.databases}"
    passwords = "${values(var.shared_db_databases_passwords)}"
  }
}

resource "null_resource" "manual_output" {
  # Re-run the provisioner when the set of databases changes
  triggers {
    databases = "${join(",", local.databases)}"
  }

  provisioner "local-exec" {
    # $DATA is quoted so the shell does not word-split or glob-expand the JSON
    command = "echo \"$DATA\" > manual_output.json"

    environment {
      DATA = "${jsonencode(local.manual_output)}" # Necessary to hide outputs
    }
  }
}
```
https://github.com/terraform-providers/terraform-provider-local/releases/tag/v1.2.0 is now out, which adds support for
thanks @invidian !
The
@ShahNewazKhan Are you saying that there should be an attribute
@unacceptable Imagine you're setting the content of the local_file resource via a different way than actually creating a local_file resource (or you just want to read an existing file). If that content is sensitive in the first place, you would need to access it without showing it directly in the output or in the tfstate. |
I think having this functionality makes sense.
I just created it here: I believe the option should be present in the data structure, so it would be possible not only to get sensitive_content from files defined through local_file resources but also to get it from existing files. |
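For reference, the null_resource workaround above rewritten with the `sensitive_content` argument of `local_file`, as an added example that is not code from this thread or from the provider repository. It uses the Terraform 0.11 syntax seen in the thread; the variable `shared_db_endpoint` is a hypothetical stand-in for the module output, and the file names are placeholders.

```hcl
# Added example. Variable names mirror the workaround posted in the thread;
# shared_db_endpoint is a hypothetical stand-in for module.shared_database.
variable "shared_db_endpoint" {}
variable "shared_db_master_password" {}

variable "shared_db_databases_passwords" {
  type = "map"
}

locals {
  manual_output = {
    endpoint  = "${var.shared_db_endpoint}"
    username  = "myusername"
    password  = "${var.shared_db_master_password}"
    port      = 5432
    databases = "${keys(var.shared_db_databases_passwords)}"
    passwords = "${values(var.shared_db_databases_passwords)}"
  }
}

# Before (left commented out so applying this file does not print secrets):
# with `content`, the rendered JSON, passwords included, is shown in the
# plan/apply output.
#
# resource "local_file" "manual_output_plain" {
#   filename = "${path.module}/manual_output_plain.json"
#   content  = "${jsonencode(local.manual_output)}"
# }

# After (provider.local >= 1.2.0): same file on disk, but the value is not
# displayed in the plan/apply output. `sensitive_content` conflicts with
# `content`, so set only one of them.
resource "local_file" "manual_output" {
  filename          = "${path.module}/manual_output.json"
  sensitive_content = "${jsonencode(local.manual_output)}"
}
```

`sensitive_content` only masks what Terraform prints; the value is still stored in plain text in the state file and in the written file, so both need access controls of their own.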
This issue was originally opened by @mtheus as hashicorp/terraform#18718. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform Configuration Files
Debug Output
Expected Behavior
Sensitive information does not seem to be in the output
Actual Behavior
Steps to Reproduce
terraform init
terraform apply
Complementary
Should apply in all components that print outputs