terraform-provider-kubernetes
kubernetes_manifest: suppress output for object attribute
Description
I would like to use kubernetes_manifest to manage the needed CRDs for a Helm chart and define a dependency for the chart to those CRDs. This works fine and I think it would be a good Terraform-native way, but the console output is VERY verbose on big CRDs. I can hide the output of "manifest" by defining it as sensitive, but there will still be the output of object (you write in your docs "Once applied, the object attribute contains the state of the resource as returned by the Kubernetes API, including all default values"). When using automation tools like we do (Atlantis in combination with GitHub), those huge outputs even broke our PR, as the number of commits exceeds the allowed number of 2500. And imho nobody would want to inspect the differences between old and new CRDs.
So it would be nice to have some way to suppress the output of "object". For example by adding an argument sensitive_object which would make the resulting object sensitive.
Even better would be a solution like here kubectl_manifest
I would also be glad if you have another idea for solving this. So long we are stuck with some kind of local-exec null_resource.
Potential Terraform Configuration
resource "kubernetes_manifest" "crd_alertmanagers" {
  manifest         = sensitive(yamldecode(file("${local.crd_path}/alertmanagers.yaml")))
  sensitive_object = true
}
Or
resource "kubernetes_manifest" "crd_alertmanagers" {
  manifest = sensitive(yamldecode(file("${local.crd_path}/alertmanagers.yaml")))
  sensitive_fields = [
    "metadata.annotations.my-secret-annotation"
  ]
}
References
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
+1, such a verbose output isn't always necessary and needlessly adds time for the state to execute.
The issue description mostly focuses on avoiding verbose output by the use of sensitive.
This could be seen as a misuse of the sensitive semantics, but the current behavior of displaying the whole content of object is that values marked as sensitive under the manifest attribute are displayed in clear text in the object. For security concerns, it would be great to at least keep sensitive values hidden, and there's no issue with the semantics of sensitive about that, quite the opposite.
Maybe the current display of sensitive values should be considered as a bug and be tracked in a separate issue?
This isn't something that can be implemented at the provider level. In fact, the output contents of a plan are ultimately decided by Terraform itself, so this would be a feature request to Terraform.
Going to close this. Please feel free to open a similar issue in the Terraform repository if there is still interest in this.
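As an added example (not code from the provider or from any participant in this issue), a CI check for the concern raised in the comments: it reads plan JSON as produced by `terraform show -json` and lists paths that are marked sensitive under `manifest` but carry no sensitivity mark under `object`. The sample plan, the resource address and all function names are constructed for illustration, and the `before_sensitive`/`after_sensitive` masks are assumed to follow Terraform's JSON plan representation.

```python
# Constructed sample shaped like `terraform show -json <planfile>` output.
ANNOT = {"my-secret-annotation": "constructed-value"}
SAMPLE_PLAN = {"resource_changes": [{
  "address": "kubernetes_manifest.example", "type": "kubernetes_manifest",
  "change": {"after": {
      "manifest": {"metadata": {"name": "demo", "annotations": ANNOT}},
      "object": {"metadata": {"name": "demo", "namespace": "ns", "annotations": ANNOT}}},
    "after_sensitive": {
      "manifest": {"metadata": {"annotations": {"my-secret-annotation": True}}},
      "object": {}}}}]}
MISSING = object()  # marks "no value at this path"

def lookup(node, path):
    """Follow path through nested dicts/lists; MISSING if a step is absent."""
    for key in path:
        ok = (isinstance(node, dict) and key in node) or (
            isinstance(node, list) and isinstance(key, int) and key < len(node))
        if not ok:
            return MISSING
        node = node[key]
    return node

def sensitive_leaves(value, mask, path=()):
    """Yield paths of leaf values that the sensitivity mask marks as true."""
    if isinstance(value, (dict, list)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        for key, child in items:
            sub = True if mask is True else lookup(mask, (key,))
            yield from sensitive_leaves(child, sub, path + (key,))
    elif mask is True:
        yield path

def is_masked(mask, path):
    """True if the mask covers path, directly or through an ancestor."""
    return any(lookup(mask, path[:i]) is True for i in range(len(path) + 1))

def unmasked_object_paths(plan):
    """List (address, path) pairs sensitive under manifest but not under object."""
    found = set()
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "kubernetes_manifest":
            continue
        for side in ("before", "after"):
            val, mask = (rc["change"].get(side + s) or {} for s in ("", "_sensitive"))
            for path in sensitive_leaves(val.get("manifest"), mask.get("manifest")):
                if (lookup(val.get("object"), path) is not MISSING
                        and not is_masked(mask.get("object"), path)):
                    found.add((rc["address"], ".".join(map(str, path))))
    return sorted(found)
```

The plan JSON file itself holds sensitive values unredacted, so it needs the same handling as the state file.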