terraform-aws-managed-service-grafana

Error: Output refers to sensitive values: workspace_api_keys

Open paulsjohnson91 opened this issue 7 months ago • 1 comments

Description

I'm using OpenTofu, which has stricter requirements on sensitive values. This module has an output:

output "workspace_api_keys" {
  description = "The workspace API keys created including their attributes"
  value       = aws_grafana_workspace_api_key.this
}

This value is sensitive and should be labelled as such.

╷
│ Error: Output refers to sensitive values
│ 
│   on outputs.tf line 29:
│   29: output "workspace_api_keys" {
│ 
│ To reduce the risk of accidentally exporting sensitive data that was
│ intended to be only internal, OpenTofu requires that any root module output
│ containing sensitive data be explicitly marked as sensitive, to confirm
│ your intent.
│ 
│ If you do intend to export this data, annotate the output value as
│ sensitive by adding the following argument:
│     sensitive = true
╵

Fix is to just update the output to be sensitive

output "workspace_api_keys" {
  description = "The workspace API keys created including their attributes"
  value       = aws_grafana_workspace_api_key.this
  sensitive   = true
}

If your request is for a new feature, please use the Feature request template.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]:

  • Terraform version: Open Tofu (1.8.3) terragrunt (v0.67.16)

  • Provider version(s): hashicorp/aws v5.93.0

Reproduction Code [Required]

inputs = {
  name = "AuxGrafana"
  workspace_alias = "AuxGrafana"
  stack_set_name = "AuxGrafana"
  description = "AWS Managed Grafana"
  account_access_type = "CURRENT_ACCOUNT"
  authentication_providers = ["SAML"]
  permission_type = "SERVICE_MANAGED"
  data_sources = ["CLOUDWATCH", "PROMETHEUS", "XRAY"]
  notification_destinations = ["SNS"]
  vpc_configuration = {
    subnet_ids = [for subnet in include.region.locals.private_subnets : subnet.SubnetId]
  }
  create_iam_role = true
  iam_role_name = "aws_managed_grafana"
  use_iam_role_name_prefix = true
  iam_role_description = "aws managed grafana role"
  iam_role_path = "/grafana/"
  iam_role_force_detach_policies = true
  enable_alerts = true
  associate_license = false

  # Workspace API keys
  workspace_api_keys = {
    "viewer" = {
      key_name = "viewer"
      key_role = "VIEWER"
      seconds_to_live = 3600
    }
    "editor" = {
      key_name = "editor"
      key_role = "EDITOR"
      seconds_to_live = 3600
    }
    "admin" = {
      key_name = "admin"
      key_role = "ADMIN"
      seconds_to_live = 3600
    }
  }

  # Workspace service accounts
  workspace_service_accounts = {
    viewer = {
      grafana_role = "VIEWER"
    }
    editor = {
      grafana_role = "EDITOR"
    }
    admin = {
      grafana_role = "ADMIN"
    }
  }

  # Workspace SAML configuration
  saml_admin_role_values = ["gc-sre-sas"]
  saml_editor_role_values = ["editor"]
  saml_email_assertion = "mail"
  saml_groups_assertion = "groups"
  saml_login_assertion = "mail"
  saml_name_assertion = "displayName"
  saml_org_assertion = "org"
  saml_role_assertion = "groups"
  saml_idp_metadata_url = "https://url"
}

Steps to reproduce the behavior:

Running apply on any valid inputs for AWS Managed Grafana will fail on OpenTofu because the field is sensitive. It will not fail on Terraform currently but will in the future when they enforce the same, and it is best practice.

Expected behavior

Can deploy AWS Managed Grafana

Actual behavior

╷
│ Error: Output refers to sensitive values
│ 
│   on outputs.tf line 29:
│   29: output "workspace_api_keys" {
│ 
│ To reduce the risk of accidentally exporting sensitive data that was
│ intended to be only internal, OpenTofu requires that any root module output
│ containing sensitive data be explicitly marked as sensitive, to confirm
│ your intent.
│ 
│ If you do intend to export this data, annotate the output value as
│ sensitive by adding the following argument:
│     sensitive

Additional context

paulsjohnson91 Mar 28 '25 11:03
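The check the error message enforces can also run in CI before plan or apply. The following is an added example, not part of the original issue or the module's code: it scans HCL text for output blocks that reference a secret-bearing resource type without `sensitive = true`. The function names and the `SECRET_RESOURCE_TYPES` set are assumptions, and the regex scanner is not a full HCL parser (heredocs and nested quotes are not handled).

```python
import re

# Assumption: resource types whose attributes hold secrets. The single
# entry comes from the issue; extend the set for your own providers.
SECRET_RESOURCE_TYPES = {"aws_grafana_workspace_api_key"}

# Matches string literals first so "#" or "//" inside a string is not
# mistaken for a comment. Heredocs and nested quotes are not handled.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|#[^\n]*|//[^\n]*|/\*.*?\*/', re.DOTALL)
OUTPUT_HEADER = re.compile(r'^\s*output\s+"([^"]+)"\s*\{', re.MULTILINE)
REFERENCE = re.compile(r'\b([a-z][a-z0-9_]*)\.[A-Za-z_]')
MARKED = re.compile(r'^\s*sensitive\s*=\s*true\b', re.MULTILINE)


def strip_comments(hcl):
    """Drop comments but keep string literals untouched."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", hcl)


def output_blocks(hcl):
    """Yield (name, body) for each output block, found by brace matching."""
    for m in OUTPUT_HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), hcl[m.end():i - 1]


def unmarked_sensitive_outputs(hcl):
    """Return [(output name, [secret resource types])] lacking sensitive = true."""
    findings = []
    for name, body in output_blocks(strip_comments(hcl)):
        refs = set(REFERENCE.findall(body)) & SECRET_RESOURCE_TYPES
        if refs and not MARKED.search(body):
            findings.append((name, sorted(refs)))
    return findings


# The two versions of the output quoted in the issue.
PAGE_BEFORE = '''output "workspace_api_keys" {
  description = "The workspace API keys created including their attributes"
  value       = aws_grafana_workspace_api_key.this
}
'''
PAGE_AFTER = PAGE_BEFORE.replace("}\n", "  sensitive   = true\n}\n")

if __name__ == "__main__":
    for label, src in (("before", PAGE_BEFORE), ("after", PAGE_AFTER)):
        print(label, unmarked_sensitive_outputs(src))
```

A commented-out `sensitive = true` does not satisfy the check, because comments are stripped before the block body is inspected.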