sensitive_values incorrect in JSON plan output #34323

Closed
sysedwinistrator opened this issue Nov 29, 2023 · 2 comments · Fixed by #34567
Labels
bug; confirmed (a Terraform Core team member has reproduced this issue); explained (a Terraform Core team member has described the root cause of this issue in code); v1.6 (Issues (primarily bugs) reported against v1.6 releases)

Comments

@sysedwinistrator

Terraform Version

Terraform v1.6.4-dev
on darwin_arm64

Your version of Terraform is out of date! The latest version
is 1.6.5. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration Files

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

resource vault_generic_secret "test" {
  path = "foo/bar/baz"
  data_json = jsonencode({
    foo = "bar"
    null_key = null
  })
}

Debug Output

https://gist.github.com/sysedwinistrator/6c146fc3904a266d691330929aafa673

Expected Behavior

sensitive_values should look like this:

  "sensitive_values": {
    "data": true,
    "data_json": true
  }

According to @alisdair (link to comment), {} does NOT mean the value is sensitive for an object, and only true means that the value is sensitive:

For a value to be considered sensitive, there must be a corresponding true value at the appropriate location

Actual Behavior

sensitive_values is incorrect:

  • data (computed value, apparently only available after apply) should be listed under sensitive_values with value true (instead of {})
  • data_json should also be listed under sensitive_values, with the value being true

JSON Plan:

{
  "configuration": {
    "provider_config": {
      "vault": {
        "full_name": "registry.terraform.io/hashicorp/vault",
        "name": "vault"
      }
    },
    "root_module": {
      "resources": [
        {
          "address": "vault_generic_secret.test",
          "expressions": {
            "data_json": {},
            "path": {
              "constant_value": "foo/bar/baz"
            }
          },
          "mode": "managed",
          "name": "test",
          "provider_config_key": "vault",
          "schema_version": 1,
          "type": "vault_generic_secret"
        }
      ]
    }
  },
  "errored": false,
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "vault_generic_secret.test",
          "mode": "managed",
          "name": "test",
          "provider_name": "registry.terraform.io/hashicorp/vault",
          "schema_version": 1,
          "sensitive_values": {
            "data": {}
          },
          "type": "vault_generic_secret",
          "values": {
            "data_json": "{\"foo\":\"bar\",\"null_key\":null}",
            "delete_all_versions": false,
            "disable_read": false,
            "namespace": null,
            "path": "foo/bar/baz"
          }
        }
      ]
    }
  },
  "resource_changes": [
    {
      "address": "vault_generic_secret.test",
      "change": {
        "actions": [
          "create"
        ],
        "after": {
          "data_json": "{\"foo\":\"bar\",\"null_key\":null}",
          "delete_all_versions": false,
          "disable_read": false,
          "namespace": null,
          "path": "foo/bar/baz"
        },
        "after_sensitive": {
          "data": true,
          "data_json": true
        },
        "after_unknown": {
          "data": true,
          "id": true
        },
        "before": null,
        "before_sensitive": false
      },
      "mode": "managed",
      "name": "test",
      "provider_name": "registry.terraform.io/hashicorp/vault",
      "type": "vault_generic_secret"
    }
  ],
  "terraform_version": "1.6.4-dev",
  "timestamp": "2023-11-29T14:48:16Z"
}

Steps to Reproduce

  1. terraform init
  2. terraform plan -out plan.out
  3. terraform show -json plan.out

Additional Context

I originally encountered this bug inside a larger Terraform codebase that is using Terraform version 1.3.5 and Vault provider version 3.11. There the issue is present for all vault_generic_secret resources, however, since the resources have already been applied, the data value is already known and sensitive_values look different in that case:

  "sensitive_values": {
    "data": {},
    "data_json": true
  }

References

No response

@sysedwinistrator sysedwinistrator added bug new new issue not yet triaged labels Nov 29, 2023
@alisdair alisdair added confirmed a Terraform Core team member has reproduced this issue and removed new new issue not yet triaged labels Nov 29, 2023
@alisdair
Contributor

Thanks for the report! I can reproduce this behaviour, which as you point out is incorrect.

I think the root cause is that Terraform is inconsistently marking resource values which the provider schema defines as sensitive (as opposed to those which are sensitive due to either input variable sensitivity, or the sensitive() function). This trickles down to the JSON plan output, which also inconsistently applies these marks—only for resource_changes at present. I believe that we shouldn't need to rely on the provider schema at the JSON plan output level, and instead should expect values in the plan always to have sensitive marks where appropriate.

@alisdair alisdair added the explained a Terraform Core team member has described the root cause of this issue in code label Nov 29, 2023
@apparentlymart apparentlymart added the v1.6 Issues (primarily bugs) reported against v1.6 releases label Nov 30, 2023
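
An added example, not part of the issue thread or of Terraform's code: tooling that redacts or policy-checks `terraform show -json` output can compare the two places the thread says carry sensitivity marks and report attributes that are `true` in `resource_changes[].change.after_sensitive` but unmarked in `planned_values`. The function names are hypothetical, and the sample plan is constructed by trimming the JSON plan posted in the issue.

```python
import json

def sensitive_paths(marks, prefix=()):
    """Yield every path whose mark is exactly true; {} and false mark nothing."""
    if marks is True:
        yield prefix
    elif isinstance(marks, dict):
        for key, sub in marks.items():
            yield from sensitive_paths(sub, prefix + (key,))
    elif isinstance(marks, list):
        for idx, sub in enumerate(marks):
            yield from sensitive_paths(sub, prefix + (idx,))

def planned_marks(module, out):
    """Collect sensitive_values per address from planned_values, incl. child modules."""
    for res in module.get("resources", []):
        out[res["address"]] = set(sensitive_paths(res.get("sensitive_values", {})))
    for child in module.get("child_modules", []):
        planned_marks(child, out)
    return out

def missing_marks(plan):
    """Paths marked in after_sensitive but not marked in planned_values."""
    planned = planned_marks(plan.get("planned_values", {}).get("root_module", {}), {})
    report = {}
    for rc in plan.get("resource_changes", []):
        have = planned.get(rc["address"], set())
        want = sensitive_paths(rc["change"].get("after_sensitive", False))
        # A path is covered when it or any parent of it is marked true.
        gap = [p for p in want
               if not any(p[:n] in have for n in range(len(p) + 1))]
        if gap:
            report[rc["address"]] = sorted(".".join(map(str, p)) for p in gap)
    return report

# Constructed sample: the plan from this issue, trimmed to the relevant fields.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
   {"address": "vault_generic_secret.test",
    "sensitive_values": {"data": {}}}]}},
 "resource_changes": [
   {"address": "vault_generic_secret.test",
    "change": {"after_sensitive": {"data": true, "data_json": true},
               "before_sensitive": false}}]}
""")

if __name__ == "__main__":
    print(missing_marks(SAMPLE_PLAN))
```

A consumer that must not leak secrets can treat the union of both mark sets as sensitive until it runs a Terraform version containing the fix.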

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 24, 2024