terraform-aws-vpn-gateway icon indicating copy to clipboard operation
terraform-aws-vpn-gateway copied to clipboard

Published 20 hours ago β€’ verified publisher icon terraform-aws-modules

fix: Set `vpn_connection_customer_gateway_configuration` output to sensitive

Open lmpardey opened this issue 3 years ago β€’ 4 comments

Description

The module output vpn_connection_customer_gateway_configuration is set as sensitive.

Motivation and Context

Referencing the output vpn_connection_customer_gateway_configuration in another output results in an error message that this referenced value contains sensitive information and should be marked as sensitive.

Using the updated example minimal-vpn-gateway to reference the output results in the following error (before the PR):

$ terraform apply
β•·
β”‚ Error: Output refers to sensitive values
β”‚
β”‚   on outputs.tf line 36:
β”‚   36: output "vpn_connection_customer_gateway_configuration" {
β”‚
β”‚ To reduce the risk of accidentally exporting sensitive data that was intended to be only
β”‚ internal, Terraform requires that any root module output containing sensitive data be
β”‚ explicitly marked as sensitive, to confirm your intent.
β”‚
β”‚ If you do intend to export this data, annotate the output value as sensitive by adding
β”‚ the following argument:
β”‚     sensitive = true

Following the advice shown by Terraform, this PR sets the output in the root module to sensitive.

Breaking Changes

None known.

How Has This Been Tested?

  • [x] I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • [x] I have tested and validated these changes using one or more of the provided examples/* projects
  • [x] I have executed pre-commit run -a on my pull request

lmpardey avatar Jun 24 '22 11:06 lmpardey

Maybe instead of setting this output to sensitive you could use the nonsensitive() to mimic the default behavior without hiding the output as sensitive. https://www.terraform.io/language/functions/nonsensitive

iamnicolasvdb avatar Jul 01 '22 09:07 iamnicolasvdb

@iamnicolasvdb it should be the choice of the implementer whether the sensitive value is displayed in the command-line output. I would not make it a default. Forcing the output as nonsensitive forces this choice on the implementer of the module.

The AWS provider may expose all the attributes of a resource as nonsensitive by default, but this does not mean it is a good idea. Terraform shows the warning for this attribute for a reason. The Terraform documentation recommends to mark any outputs which contain sensitive information as sensitive.

This PR makes the module comply with the requirements by Terraform that outputs containing sensitive data should use the sensitive function. This will let the root module be referenced in other modules or used in other tools that integrate Terraform without breaking, since it is not following the requirements of marking the output as sensitive.

lmpardey avatar Jul 04 '22 08:07 lmpardey

This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days

github-actions[bot] avatar Aug 04 '22 00:08 github-actions[bot]

Still awaiting for review. Comment to keep the PR open.

lmpardey avatar Aug 04 '22 10:08 lmpardey

This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days

github-actions[bot] avatar Sep 05 '22 00:09 github-actions[bot]

This PR was automatically closed because of stale in 10 days

github-actions[bot] avatar Sep 16 '22 00:09 github-actions[bot]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Nov 13 '22 02:11 github-actions[bot]