
Fix leakage of sensitive variables on HCL syntax error in variable declaration

Open duedahl opened this issue 1 year ago • 4 comments

Issue

If a .tfvar file contains a syntax error, the details are printed regardless of any sensitivity label. This occurs when running terraform apply and/or plan.

Solution

Parse the loaded .tf files; for each variable, look up the sensitivity label and create a variable-sensitivity map. The diagnostics for the error caused by erroneous syntax contain a context telling us which part of the .tfvar file the error belongs to; use this context to map the error to the appropriate variable. Use the variable name to check the sensitivity status from the map we built, and add the sensitivity info to the diags' ExtraInfo property.

In the diagnostics section, before printing, check the ExtraInfo section for a sensitivity label; if present, redact the sensitive information.

Before

$ ./terraform plan
╷
│ Error: Missing key/value separator
│
│   on terraform.tfvars line 3:
│    1: secretConfig = { "something" = "extremely confidential",
│    2:                 "key" = "val",
│    3:                 "oops" }
│
│ Expected an equals sign ("=") to mark the beginning of the attribute value.
╵

After

$ ./terraformPatched plan
╷
│ Error: Missing key/value separator
│
│   on terraform.tfvars line 3:
│    1: (SENSITIVE)
│
│ Expected an equals sign ("=") to mark the beginning of the attribute value.
╵

Fixes #31946

BUG FIXES

  • terraform plan: Fixed leakage of sensitive values caused by HCL syntax error in .tfvar file.

duedahl · Mar 17 '24 15:03
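The two steps described above (build a variable-sensitivity map from the `variable` blocks, then attribute the diagnostic's source range to a top-level assignment in the .tfvars file and redact the snippet when that variable is sensitive) can be sketched stand-alone. The following is an added example, not code from this PR or from Terraform: it avoids the hcl library on purpose, so the `variable` blocks and the `.tfvars` assignments are matched with deliberately simplified regexes, the `Diagnostic` struct and its `ExtraInfo` field are hypothetical stand-ins for the HCL diagnostic fields the fix relies on, and the `.tf` / `.tfvars` inputs are constructed to reproduce the "Before" output from the report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed inputs (not from the PR): a root module's variable
// declarations and the broken terraform.tfvars from the report.
const exampleTF = `variable "secretConfig" {
  type      = map(string)
  sensitive = true
}

variable "region" {
  type = string
}
`

const exampleTFVars = `secretConfig = { "something" = "extremely confidential",
                "key" = "val",
                "oops" }

region = "eu-west-1`

// SensitivityMap records, per declared variable, whether it is sensitive.
type SensitivityMap map[string]bool

// Simplified matchers; Terraform parses these with HCL, regexes are used
// here only so the example runs without the hcl library.
var (
	varBlockRe       = regexp.MustCompile(`(?s)variable\s+"([^"]+)"\s*\{(.*?)\n\}`)
	sensitiveAttrRe  = regexp.MustCompile(`(?m)^\s*sensitive\s*=\s*true\s*$`)
	topLevelAssignRe = regexp.MustCompile(`^([A-Za-z_][A-Za-z0-9_-]*)\s*=`)
)

// BuildSensitivityMap collects the sensitivity label of every declared variable.
func BuildSensitivityMap(tfSource string) SensitivityMap {
	m := SensitivityMap{}
	for _, match := range varBlockRe.FindAllStringSubmatch(tfSource, -1) {
		m[match[1]] = sensitiveAttrRe.MatchString(match[2])
	}
	return m
}

// Diagnostic is a hypothetical stand-in carrying only what the fix needs:
// the 1-based line the error points at, the snippet lines the renderer
// would print (starting at SnippetStart), and an ExtraInfo annotation slot.
type Diagnostic struct {
	Summary      string
	Detail       string
	Filename     string
	Line         int
	SnippetStart int
	Snippet      []string
	ExtraInfo    map[string]bool
}

// VariableAt attributes a .tfvars line to the top-level assignment that
// contains it by walking back to the nearest `name =` at column 0.
func VariableAt(tfvars string, line int) (string, bool) {
	lines := strings.Split(tfvars, "\n")
	if line < 1 || line > len(lines) {
		return "", false
	}
	for i := line - 1; i >= 0; i-- {
		if m := topLevelAssignRe.FindStringSubmatch(lines[i]); m != nil {
			return m[1], true
		}
	}
	return "", false
}

// Annotate stores the sensitivity decision in ExtraInfo. A line that cannot
// be attributed to a declared variable is treated as sensitive (fail closed).
func Annotate(d *Diagnostic, tfvars string, sens SensitivityMap) {
	if d.ExtraInfo == nil {
		d.ExtraInfo = map[string]bool{}
	}
	name, ok := VariableAt(tfvars, d.Line)
	isSensitive, declared := sens[name]
	d.ExtraInfo["sensitive"] = !ok || !declared || isSensitive
}

// Render produces the CLI text; an unannotated diagnostic is also redacted.
func Render(d Diagnostic) string {
	var b strings.Builder
	fmt.Fprintf(&b, "Error: %s\n\n  on %s line %d:\n", d.Summary, d.Filename, d.Line)
	if sensitive, known := d.ExtraInfo["sensitive"]; !known || sensitive {
		fmt.Fprintf(&b, "   %d: (SENSITIVE)\n", d.SnippetStart)
	} else {
		for i, s := range d.Snippet {
			fmt.Fprintf(&b, "   %d: %s\n", d.SnippetStart+i, s)
		}
	}
	fmt.Fprintf(&b, "\n%s\n", d.Detail)
	return b.String()
}

// ExampleDiagnostic reconstructs the "Before" diagnostic from the report.
func ExampleDiagnostic() Diagnostic {
	return Diagnostic{
		Summary:      "Missing key/value separator",
		Detail:       `Expected an equals sign ("=") to mark the beginning of the attribute value.`,
		Filename:     "terraform.tfvars",
		Line:         3,
		SnippetStart: 1,
		Snippet:      strings.Split(exampleTFVars, "\n")[:3],
	}
}
```

Two design choices differ from what the PR text literally says and are worth noting as caveats a reviewer would raise: `Annotate` and `Render` both fail closed, so a diagnostic whose line cannot be attributed to a declared variable, or that never passed through the annotation step, is redacted rather than printed, which bounds the blast radius of any code path the mapping misses. The attribution itself is only as good as the "nearest assignment at column 0" heuristic; real HCL diagnostics carry a `Subject` range, and a production fix would use that range against the parsed body rather than rescanning text.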

CLA assistant check
All committers have signed the CLA.

hashicorp-cla · Mar 17 '24 15:03

Thanks for this submission! I will bring it to triage next week.

crw · Mar 18 '24 17:03

Cool, let me know if you need anything from me :)

duedahl · Apr 01 '24 21:04

Sorry for the late reply. There was concern in triage that this did not fully solve the problem, but I do not have more details or feedback than that. Generally, the team is fairly conservative in making these types of changes due to concerns about unintended consequences. Unfortunately that is all the feedback I have right now, and likely will remain so unless the original issue gets prioritized. Thanks for your contribution!

crw · Aug 27 '24 18:08

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] · May 13 '25 02:05