terraform-provider-octopusdeploy

Project tenant template variables save secrets as plain text

Open mcasperson opened this issue 1 year ago • 0 comments

Describe the bug

The default_value of Test2 in the tenant project variable template example below is saved as plain text by the Octopus API, whereas it would be saved as a secret when defined via the UI:

```hcl
resource "octopusdeploy_project" "deploy_frontend_project" {
  auto_create_release                  = false
  default_guided_failure_mode          = "EnvironmentDefault"
  default_to_skip_if_already_installed = false
  description                          = "Test project"
  discrete_channel_release             = false
  is_disabled                          = false
  is_discrete_channel_release          = false
  is_version_controlled                = false
  lifecycle_id                         = data.octopusdeploy_lifecycles.lifecycle_default_lifecycle.lifecycles[0].id
  name                                 = "Test"
  project_group_id                     = octopusdeploy_project_group.project_group_test.id
  tenanted_deployment_participation    = "Untenanted"
  space_id                             = var.octopus_space_id
  included_library_variable_sets       = []
  versioning_strategy {
    template = "#{Octopus.Version.LastMajor}.#{Octopus.Version.LastMinor}.#{Octopus.Version.LastPatch}.#{Octopus.Version.NextRevision}"
  }

  connectivity_policy {
    allow_deployments_to_no_targets = false
    exclude_unhealthy_targets       = false
    skip_machine_behavior           = "SkipUnavailableMachines"
  }

  # Template marked as Sensitive; its default_value is the value that ends up stored as plain text
  template {
    name             = "Project Template Variable"
    label            = "Test2"
    default_value    = "Test2"
    display_settings = { "Octopus.ControlType" = "Sensitive" }
  }
}
```

According to the docs, there is no other field for defining the default value of a sensitive tenant variable template:

[Nested Schema for template](https://registry.terraform.io/providers/OctopusDeployLabs/octopusdeploy/latest/docs/resources/project#nested-schema-for-template)

Required:

* name (String) The name of the variable set by the parameter. The name can contain letters, digits, dashes and periods. Example: ServerName.

Optional:

* default_value (String) A default value for the parameter, if applicable. This can be a hard-coded value or a variable reference.
* display_settings (Map of String) The display settings for the parameter.
* help_text (String) The help presented alongside the parameter input.
* id (String) The unique ID for this resource.
* label (String) The label shown beside the parameter when presented in the deployment process. Example: Server name.

Steps to reproduce

  1. Apply the sample Terraform resource above
  2. Open the resulting project
  3. Notice that the default value for the sensitive variable is shown in plain text

Expected behavior

The sensitive value should be stored by the API as a secret, and not returned as plain text.

Screenshots

This is an example of a sensitive tenant variable template with a default value shown in plain text:


Environment and versions:

  • OS: Linux
  • Octopus Server Version: 2024.1
  • Terraform Version: 1.6
  • Octopus Terraform Provider Version: 0.14.3

mcasperson, Dec 22 '23 10:12
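A pre-apply check for the configuration described in this issue, as an added example that is not part of the original report or the provider's code: it scans the JSON form of a Terraform plan (`terraform show -json`) for `octopusdeploy_project` templates that set `Octopus.ControlType` to `Sensitive` and also carry a `default_value`. The sample plan and the function name are constructed for illustration.

```python
import json

# Constructed sample: a trimmed `terraform show -json <planfile>` document.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "octopusdeploy_project.deploy_frontend_project",
   "type": "octopusdeploy_project",
   "change": {"actions": ["create"], "after": {"name": "Test", "template": [
     {"name": "Project Template Variable", "label": "Test2",
      "default_value": "Test2",
      "display_settings": {"Octopus.ControlType": "Sensitive"}},
     {"name": "ServerName", "default_value": "web01",
      "display_settings": {"Octopus.ControlType": "SingleLineText"}},
     {"name": "ApiKey", "default_value": null,
      "display_settings": {"Octopus.ControlType": "Sensitive"}}]}}},
  {"address": "octopusdeploy_project.old", "type": "octopusdeploy_project",
   "change": {"actions": ["delete"], "after": null}}
]}
""")


def find_plaintext_sensitive_defaults(plan):
    """Return (resource address, template name) for each Sensitive template
    in a planned octopusdeploy_project that also sets default_value."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "octopusdeploy_project":
            continue
        # "after" is null when the resource is being destroyed
        after = (rc.get("change") or {}).get("after") or {}
        # Nested blocks appear in plan JSON as a list of objects
        for tpl in after.get("template") or []:
            settings = tpl.get("display_settings") or {}
            if settings.get("Octopus.ControlType") != "Sensitive":
                continue
            if tpl.get("default_value"):
                findings.append((rc["address"], tpl.get("name", "")))
    return findings


if __name__ == "__main__":
    for address, name in find_plaintext_sensitive_defaults(SAMPLE_PLAN):
        print(f"{address}: sensitive template {name!r} sets default_value")
```

Run as a CI gate on the plan JSON, a non-empty result identifies templates whose default would be stored in plain text by the behaviour reported above.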