terraform-k8s icon indicating copy to clipboard operation
terraform-k8s copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

Support sensitive output (fixes #107)

Open jtyr opened this issue 3 years ago • 1 comments

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

This PR is adding support for sensitive outputs. This closes the issue #107. The bellow Workspace resource been tested with this Terraform module. This PR needs to be rebased once the PR #129 is merged to remove most of the changes in the CRD.

apiVersion: app.terraform.io/v1alpha1
kind: Workspace
metadata:
  name: test
spec:
  module:
    source: app.terraform.io/jtyr/test/tfco
    version: 0.0.4
  organization: jtyr
  outputs:
    - key: string
      moduleOutputName: string
    - key: int
      moduleOutputName: int
    - key: float
      moduleOutputName: float
    - key: bool
      moduleOutputName: bool
    - key: "null"
      moduleOutputName: "null"
    - key: list
      moduleOutputName: list
    - key: map
      moduleOutputName: map
    - key: password
      moduleOutputName: password
      sensitive: true
    - key: sensitive
      moduleOutputName: sensitive
      sensitive: true
  omitNamespacePrefix: true
  secretsMountPath: /tmp/secrets
  variables:
    - key: "null"
      value: null value 1

The resulting test-outputs secret then contains those outputs:

$ kubectl get secret -o yaml test-outputs | yq e '.data' -
bool: dHJ1ZQ==
float: MS4yMw==
int: MTIz
list: WyJmb28iLCJiYXIiXQ==
map: eyJiYXIiOiJ4eXoiLCJmb28iOiJhYmMifQ==
"null": Im51bGwgdmFsdWUgMSI=
password: eyJpZCI6Im5vbmUiLCJrZWVwZXJzIjpudWxsLCJsZW5ndGgiOjE2LCJsb3dlciI6dHJ1ZSwibWluX2xvd2VyIjowLCJtaW5fbnVtZXJpYyI6MCwibWluX3NwZWNpYWwiOjAsIm1pbl91cHBlciI6MCwibnVtYmVyIjp0cnVlLCJvdmVycmlkZV9zcGVjaWFsIjoiISMkJSYqKCktXz0rW117fTw+Oj8iLCJyZXN1bHQiOiJaM2k/OlpiUSNSem1Qd2s8Iiwic3BlY2lhbCI6dHJ1ZSwidXBwZXIiOnRydWV9
sensitive: IlNFTlNJVElWRSBURVNUIg==
string: IkhlbGxvIHdvcmxkIg==

As you can see, the password and sensitive outputs are visible in the resulting secret thanks to the sensitive: true set in the Workspace resource.

Release note for CHANGELOG:

Added support for sensitive outputs

jtyr avatar Apr 11 '22 10:04 jtyr

This PR is rebased now.

jtyr avatar Jul 05 '22 09:07 jtyr