Manual sensitivity override for resource attributes #29331

Open
FWest98 opened this issue Aug 9, 2021 · 4 comments
FWest98 commented Aug 9, 2021

Current Terraform Version

Terraform v1.0.4
on linux_amd64

Use-cases

A provider output could sometimes be sensitive, but sometimes not. For example: configuration transpilers that convert human-readable formats to machine-readable formats such as the Container Linux transpiler (https://github.com/poseidon/terraform-provider-ct). Usually, the configuration is not sensitive, but sometimes, the configuration is sensitive.

Currently, I am able to mark the input as sensitive, to prevent the data from showing in the console output. However, the output is not marked sensitive by the provider developer (since usually this is non-sensitive indeed), and thus the output does show in my console.

I would like to be able to mark the output as sensitive as well, some kind of manual override of some sort.

Attempted Solutions

I don't know of a way to mark the provider output as sensitive without changing the provider code.

Proposal

I don't know the best way to achieve this. Some first thoughts:

  • Maybe enable a provider to dynamically mark outputs sensitive or not. This would make the specification non-constant, which is not great, but that would allow a flag within the resource like isOutputSensitive to manually change the sensitivity of the respective output.
  • Maybe let the user specify the sensitivity of output variables by hand, by adding a configuration section to the resource itself such as output { some_field { sensitive = true } }, but that might be too complicated.

References

Not that I know of

FWest98 added the enhancement and new labels Aug 9, 2021

jbardin (Member) commented Aug 9, 2021

Hi @FWest98,

An output value can be marked as sensitive in the configuration, and there is also the sensitive function, which can be used to mark a value as sensitive in any context.

Do either of these existing methods work for your use case?

jbardin added the waiting-response label Aug 9, 2021

FWest98 (Author) commented Aug 9, 2021

I know about these, but in my case a provider resource provides an output that is not marked sensitive, that I want to mark sensitive by hand. At the moment, when this provider output changes, it will show the result in my console while I would want it to show (sensitive). I don't believe that is possible, right? The output from this provider resource is not used in other places in my configuration.

jbardin (Member) commented Aug 9, 2021

Thanks @FWest98, I see what you mean now. No, you cannot change the sensitivity of a resource attribute, as that is part of its schema, which is outside the control of Terraform. This means that changes to the attribute's value will be displayed in the UI, even though those attributes are fed into other values marked as sensitive.

jbardin added the config label and removed the waiting-response and new labels Aug 9, 2021
jbardin changed the title from "Manual sensitivity override for provider output" to "Manual sensitivity override for resource attributes" Aug 9, 2021

FWest98 (Author) commented Aug 9, 2021

Exactly, I missed the "resource attribute" terminology, but that is exactly my feature request. I think there are more use cases for this, such as the local_file data source, which currently also is not marked sensitive (of course, in this case, file() is an alternative).
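
The two existing mechanisms mentioned in the thread, and the gap it identifies, shown as an added example that is not part of the original discussion or of the Terraform project. The ct_config data source and its content and rendered attributes come from the linked provider; the variable, output, local and file names are hypothetical.

```hcl
# Added example. Variable, output, local and file names are hypothetical.
terraform {
  required_providers {
    ct = { source = "poseidon/ct" }
  }
}

variable "node_config" {
  type      = string
  sensitive = true # the input value is redacted in console output
}

data "ct_config" "node" {
  content = var.node_config
  # "rendered" is not marked sensitive in the provider schema, so, as the
  # thread states, changes to it are still displayed in the UI.
}

# Existing mechanism 1: an output value marked as sensitive.
output "ignition" {
  value     = data.ct_config.node.rendered
  sensitive = true
}

# Existing mechanism 2: the sensitive() function, usable in any expression.
locals {
  ignition = sensitive(data.ct_config.node.rendered)
}

# The local_file case from the last comment: reading the file with file()
# and wrapping it in sensitive() avoids the unmarked data source attribute.
locals {
  secret_text = sensitive(file("${path.module}/secret.txt"))
}
```

Both mechanisms mark the value only where it is referenced downstream; neither changes how the data source's own rendered attribute is displayed, which is the override this issue requests.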
