terraform-provider-azapi

hide sensitive values from response_export_values of azapi_resource_action

Open oocx opened this issue 1 year ago • 1 comments

I'm using azapi_resource_action to generate a key pair:

resource "azapi_resource_action" "admin_user_ssh_public_key_generate" {
  type        = "Microsoft.Compute/sshPublicKeys@2022-11-01"
  resource_id = azapi_resource.admin_user_ssh_public_key.id
  action      = "generateKeyPair"
  method      = "POST"

  response_export_values = ["publicKey", "privateKey"]
}

The generated private key is shown in my terraform plan:

-/+ resource "azapi_resource_action" "admin_user_ssh_public_key_generate" {
      ~ id                     = "/subscriptions/.../providers/Microsoft.Compute/sshPublicKeys/mykey/generateKeyPair" -> (known after apply)
      ~ output                 = {
          - privateKey = <<-EOT
                -----BEGIN RSA PRIVATE KEY-----
                ...

How can I mark the privateKey attribute as sensitive, so that it is not shown in the terraform plan?

oocx, Aug 09 '24 12:08

Hi @oocx ,

Thank you for taking time to report this issue.

Unfortunately, users can't mark a resource's field as sensitive. And from the provider's perspective, the Terraform protocol doesn't support conditionally marking a field as sensitive either.

Related issue: https://github.com/hashicorp/terraform-plugin-sdk/issues/736

ms-henglu, Aug 16 '24 02:08

This feature is now supported: https://registry.terraform.io/providers/azure/azapi/latest/docs/resources/resource_action#sensitive_output-2. I'll close this issue; feel free to reopen it if you have any questions.

ms-henglu, Jul 23 '25 02:07
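
The configuration from the question, reworked to use the `sensitive_output` attribute linked in the last comment. This is an added example, not code from the thread or from the provider project. The `sensitive_response_export_values` argument name is an assumption based on the provider documentation and should be confirmed against the linked page for the provider version in use; the two `output` blocks and their names are hypothetical.

```hcl
# Added example. Assumes an azapi provider version that exposes the
# sensitive_output attribute referenced in the closing comment.
resource "azapi_resource_action" "admin_user_ssh_public_key_generate" {
  type        = "Microsoft.Compute/sshPublicKeys@2022-11-01"
  resource_id = azapi_resource.admin_user_ssh_public_key.id
  action      = "generateKeyPair"
  method      = "POST"

  # Before (from the question): both fields were exported through `output`,
  # so the private key was printed in the plan diff.
  #   response_export_values = ["publicKey", "privateKey"]

  # After: only the non-secret field goes through the plain `output` attribute.
  response_export_values = ["publicKey"]

  # Assumed argument name: fields listed here are returned in `sensitive_output`,
  # which Terraform renders as "(sensitive value)" in plan and apply output.
  sensitive_response_export_values = ["privateKey"]
}

# Hypothetical output names, for illustration only.
output "admin_ssh_public_key" {
  value = azapi_resource_action.admin_user_ssh_public_key_generate.output.publicKey
}

output "admin_ssh_private_key" {
  value = azapi_resource_action.admin_user_ssh_public_key_generate.sensitive_output.privateKey

  # Terraform rejects an output derived from a sensitive value unless the
  # output itself is marked sensitive.
  sensitive = true
}
```

Marking a value sensitive only redacts it in CLI output; the private key is still written to the Terraform state, so the state backend needs encryption and restricted access.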