Add Sensitive flag to private ssh_key properties

[xsalazar]

Description

When generating Terraform plan outputs for OpsWorks resources that use custom_cookbooks, the private ssh_key is output directly to the console. You can see below the password is already obfuscated; however, the ssh_key will be printed and potentially stored in any CI/CD output or other Terraform pipelines. This property is already ignored from drift-detection because the AWS API does not return this value, given its sensitive nature.

This PR affects aws_opsworks_instance and aws_opsworks_application resources.

Terraform will perform the following actions:

  # aws_opsworks_stack.main will be created
  + resource "aws_opsworks_stack" "main" {
      + agent_version                 = (known after apply)
      + arn                           = (known after apply)
      + berkshelf_version             = "3.2.0"
      + configuration_manager_name    = "Chef"
      + configuration_manager_version = "12"
      + default_availability_zone     = "us-west-2b"
      + default_instance_profile_arn  = "arn:aws:iam::368081326042:instance-profile/aws-opsworks-ec2-role"
      + default_os                    = "Ubuntu 12.04 LTS"
      + default_root_device_type      = "instance-store"
      + default_subnet_id             = (known after apply)
      + hostname_theme                = "Layer_Dependent"
      + id                            = (known after apply)
      + manage_berkshelf              = false
      + name                          = "tf-stack"
      + region                        = "us-west-2"
      + service_role_arn              = "arn:aws:iam::368081326042:role/aws-opsworks-service-role"
      + stack_endpoint                = (known after apply)
      + use_custom_cookbooks          = false
      + use_opsworks_security_groups  = true
      + vpc_id                        = (known after apply)

      + custom_cookbooks_source {
          + password = (sensitive value)
          + revision = "master"
          + ssh_key  = "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAv/1hnOZadSDMbJUVJsqweDwc/4TvhTGf0vl9vtNyjzqUUxgURrSvYrgkvWgAFtQ9J5QDNOPSRvS8F1cu7tR036cecdHPmA+Cxto1qENy8UeYrKzVI55i+vJiSn3i22HW+SbW1raBM+PL3sp9i0BQmCr8eh3i/VdUm92OQHtnjhfLB3GXxnrvytBfI8p2bx9j7mAAjS/X+QncMawPqI9WGuizmuC2cTQHZpZY7j/w+bItoYIVg5qJV3908LNlNZGU6etdEUTWM1VSNxG2Yk6eULeStSA4oSkJSHlwP1/fjab0j1b4HeB/TUFpy3ODrRAhuHxlyFFWMSzePkXLx9d0GwIDAQABAoIBAFlwrj/M5Ik6XWGcVj07IdjxkETNZlQzmRRNHHKAyRbGoIDRb+i8lhQ0WxFN2PTJrS+5+YBzPevGabWp7PhgS45BqaI2rzJUz4TZ9TNNMMgMpaiT37t3Nv9XWckAOmYff2mU2XMvlKNa1QgWZ0QvExzAsdwl/jAttgHixjluBAEib+G3p0Xt2CZMQYNzE9H2gH/nqkysiZ5fC+ngRnM843jAHtrfz9Q0ATBADMJZgZepnMZyldaOV+s5L8UB893UGhrfGrBwlHd5U5ugZ/p74IvOgDd3/pp/2yuyqE+RWz9sakss196aJ0jUXVXjH3F+QDdqqPx0YIJ7S0eM13T7hGkCgYEA4TqpoPFYIVEug4gQ6SDttSMwrbA5uBM13s1vjNpDBFuHWFMqgSRexlIAGCGNhoyTr3xr/34filwGMkMdLw8JFISOIbZ18+qgDOsSW0tXwE03vQgKFNB1ClGEfcd/4B/oLwOe/bqnKVBQSnfp05yqHjdc9XNQeFxLL8LfSv7LIIUCgYEA2jgt108LF+RtdkmSoqLnexJ0jmbPlcYTw1wzuIg49gLdlRxoC+UwPFc+uzMGNxEzr6hGEg3dJVr3+TMLIcTD6usPWzzuL4ReV/IAhCjzgS/WopqURg4cQ+R4MjvTMg8GCZfEQvjcbpKh5ndP/QQEOy7cAP8BLVSG3/ichMcttB8CgYAdzmaebvILzrOKIpqiT4JFw3dwtO6ehqRNbQCDMmtGC1rY/ICWgJquQjHS/7W8BaSRx7R/JlDEPbNwOWOGU8YO2g/5NC1d70HpE77lKA5f25gxwvuaj4+9otYW0y0AGxjeB+ulhmsS05cck8v0/jmhMBB0RyNyGjy1AGQOh7OYBQKBgQCwFq1HFM2K1hVOYkglXPcV5OqRDn1sCo5gEsLZoXL1cZKEhIuhLawixPQl8yKMxSDEGjGQ2Acf4axANuRAt5qwskWOBjjdtx66MNohyznTgVrdk4cakMBWOMKVJplhx6XDj+gbct3NjB2A775oGRmg+Esnsp6siYzcpq0GqANFWQKBgQCyv8KoQXsD8f8XMvicRC42uZXfhlDjOUzpo1O7WQKWBYqPBqz4AHzECdy6djI120bqDOifre1qnBjoHezrG+ejaQOTpocOVwT5Zl7BhjoXQZRGiQXj+2aDtmm0+hpmkjX7jiPcljjs8S8gh+uCWieJoO4JNPk2SXRiePpYgKzdlg==-----END RSA PRIVATE KEY-----"
          + type     = "git"
          + url      = "https://github.com/aws/opsworks-example-cookbooks.git"
          + username = "username"
        }
    }

. . .
Plan: 2 to add, 0 to change, 0 to destroy.

With this PR, Terraform plans will now look like the following, with the private ssh_key properly hidden:

Terraform will perform the following actions:

  # aws_opsworks_stack.main will be created
  + resource "aws_opsworks_stack" "main" {
      + agent_version                 = (known after apply)
      + arn                           = (known after apply)
      + berkshelf_version             = "3.2.0"
      + configuration_manager_name    = "Chef"
      + configuration_manager_version = "12"
      + default_availability_zone     = "us-west-2b"
      + default_instance_profile_arn  = "arn:aws:iam::368081326042:instance-profile/aws-opsworks-ec2-role"
      + default_os                    = "Ubuntu 12.04 LTS"
      + default_root_device_type      = "instance-store"
      + default_subnet_id             = (known after apply)
      + hostname_theme                = "Layer_Dependent"
      + id                            = (known after apply)
      + manage_berkshelf              = false
      + name                          = "tf-stack"
      + region                        = "us-west-2"
      + service_role_arn              = "arn:aws:iam::368081326042:role/aws-opsworks-service-role"
      + stack_endpoint                = (known after apply)
      + use_custom_cookbooks          = false
      + use_opsworks_security_groups  = true
      + vpc_id                        = (known after apply)

      + custom_cookbooks_source {
          + password = (sensitive value)
          + revision = "master"
          + ssh_key  = (sensitive value)
          + type     = "git"
          + url      = "https://github.com/aws/opsworks-example-cookbooks.git"
          + username = "username"
        }
    }

. . .
Plan: 2 to add, 0 to change, 0 to destroy.

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Release Note

Release note for CHANGELOG:

Add `Sensitive` flag for private `ssh_key` properties, so they are hidden from plan outputs

Acceptance Test

Output from acceptance testing:

make testacc TESTARGS='-run=TestAccAWSOpsworksStack_CustomCookbooks_SetPrivateProperties' TEST=./aws
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSOpsworksStack_CustomCookbooks_SetPrivateProperties -timeout 120m
=== RUN   TestAccAWSOpsworksStack_CustomCookbooks_SetPrivateProperties
=== PAUSE TestAccAWSOpsworksStack_CustomCookbooks_SetPrivateProperties
=== CONT  TestAccAWSOpsworksStack_CustomCookbooks_SetPrivateProperties
--- PASS: TestAccAWSOpsworksStack_CustomCookbooks_SetPrivateProperties (37.11s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	37.176s

[bflad]

LGTM, thanks for this, @xsalazar 🚀

Output from acceptance testing:

--- PASS: TestAccAWSOpsworksStack_CustomCookbooks_SetPrivateProperties (24.65s)
--- PASS: TestAccAWSOpsworksStack_noVpcBasic (30.24s)
--- PASS: TestAccAWSOpsworksStack_noVpcCreateTags (34.00s)
--- PASS: TestAccAWSOpsworksApplication (37.73s)
--- PASS: TestAccAWSOpsworksStack_vpc (39.08s)
--- PASS: TestAccAWSOpsWorksStack_classicEndpoints (42.13s)
--- PASS: TestAccAWSOpsworksStack_noVpcChangeServiceRoleForceNew (53.81s)

[ghost]

This has been released in version 2.54.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!