Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set secret and ses_smtp_password to sensitive #10908

Merged
merged 2 commits into from
Nov 27, 2019
Merged

Set secret and ses_smtp_password to sensitive #10908

merged 2 commits into from
Nov 27, 2019

Conversation

joshk0
Copy link
Contributor

@joshk0 joshk0 commented Nov 18, 2019
edited
Loading

According to article, we should stop focusing efforts on encrypting state values with PGP keys and instead mark fields as sensitive. According to the article, the effort should be spent instead on protecting state buckets and our team intends to move in this direction.

Therefore, I've gone and set both attributes to sensitive and removed the deprecation notice recommending using the pgp_key technique.

Since people may disagree, I haven't gone so far as to remove the pgp_key support. I think it should remain for as long as the maintainers want to promote people using this feature and as long as it doesn't seem contrarian compared to official Hashicorp doctrine.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Release note for CHANGELOG:

Un-deprecated the `secret` output attribute of `aws_iam_access_key`, and marked
the `secret` and `ses_smtp_password` attributes as `sensitive` instead, according
to [Terraform best practice](https://www.terraform.io/docs/extend/best-practices/sensitive-state.html).
`pgp_key` attribute remains usable and will continue to have the same behavior.

Output from acceptance testing:

▶ make testacc TESTARGS='-run=TestAccAWSAccess*'                   
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -count 1 -parallel 20 -run=TestAccAWSAccess* -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSAccessKey_basic
=== PAUSE TestAccAWSAccessKey_basic
=== RUN   TestAccAWSAccessKey_encrypted
=== PAUSE TestAccAWSAccessKey_encrypted
=== RUN   TestAccAWSAccessKey_inactive
=== PAUSE TestAccAWSAccessKey_inactive
=== CONT  TestAccAWSAccessKey_basic
=== CONT  TestAccAWSAccessKey_inactive
=== CONT  TestAccAWSAccessKey_encrypted
--- PASS: TestAccAWSAccessKey_basic (15.29s)
--- PASS: TestAccAWSAccessKey_encrypted (15.33s)
--- PASS: TestAccAWSAccessKey_inactive (26.03s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	27.965s
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/flatmap	0.352s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags	0.223s [no tests to run]
...

@joshk0
Set secret and ses_smtp_password to sensitive
14bc571 
According to [article](https://www.terraform.io/docs/extend/best-practices/sensitive-state.html), we should stop focusing efforts on encrypting state values with PGP keys and instead mark fields as sensitive. According to the article, the effort should be spent instead on protecting state buckets and our team intends to move in this direction.

Therefore, I've gone and set both attributes to sensitive and removed the deprecation notice recommending using the `pgp_key` technique.

Since people may disagree, I haven't gone so far as to remove the `pgp_key` support. I think it should remain for as long as the maintainers want to promote people using this feature and as long as it doesn't seem contrarian compared to official Hashicorp doctrine.
@ghost ghost added needs-triage Waiting for first response or review from a maintainer. size/XS Managed by automation to categorize the size of a PR. service/iam Issues and PRs that pertain to the iam service. labels Nov 18, 2019
@joshk0 joshk0 marked this pull request as ready for review November 18, 2019 04:18
@joshk0 joshk0 requested a review from a team November 18, 2019 04:18
@joshk0
Copy link
Contributor Author

joshk0 commented Nov 18, 2019

Additional Testing: After replacing the provider with the modified one I compiled, here is what the plan looks like:

  # aws_iam_access_key.abcdef is tainted, so must be replaced
-/+ resource "aws_iam_access_key" "abcdef" {
      + encrypted_secret  = (known after apply)
      ~ id                = "AKIAY3WDEADBEEFQH2EU" -> (known after apply)
      + key_fingerprint   = (known after apply)
      ~ secret            = (sensitive value)
      ~ ses_smtp_password = (sensitive value)
      ~ status            = "Active" -> (known after apply)
        user              = "abcdef"
    }

Before, secret and ses_smtp_password were visible in the clear.

@ghost ghost added the documentation Introduces or discusses updates to documentation. label Nov 18, 2019
@joshk0
Copy link
Contributor Author

joshk0 commented Nov 26, 2019

@bflad
Could I request triage of this ticket? I'm not sure who else to ask but have observed many other PRs filed and merged after mine was originally filed. I am eager to do any legwork that is required to make the process easy for you. Please let me know and thanks.

@gdavison gdavison self-assigned this Nov 27, 2019
@gdavison gdavison removed the needs-triage Waiting for first response or review from a maintainer. label Nov 27, 2019
gdavison
gdavison approved these changes Nov 27, 2019
View reviewed changes
Copy link
Contributor

@gdavison gdavison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this, @joshk0. We will be merging this for the next release, expected late next week, though the schedule may be affected by AWS re:Invent

@gdavison gdavison added this to the v2.41.0 milestone Nov 27, 2019
@gdavison gdavison merged commit e6bc8e9 into hashicorp:master Nov 27, 2019
gdavison added a commit that referenced this pull request Nov 27, 2019
@gdavison
Update CHANGELOG for #10908
bf79298
@gdavison gdavison removed their assignment Nov 28, 2019
@ghost
Copy link

ghost commented Dec 4, 2019

This has been released in version 2.41.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@gdavison gdavison gdavison approved these changes

Assignees
No one assigned
Labels
documentation Introduces or discusses updates to documentation. service/iam Issues and PRs that pertain to the iam service. size/XS Managed by automation to categorize the size of a PR.
Projects
None yet
Milestone
v2.41.0
Development

Successfully merging this pull request may close these issues.
2 participants
@joshk0 @gdavison