terraform-plugin-framework
Diagnostics.AddAttributeWarning does not redact value for attribute marked as sensitive
The warning message for an attribute that has been marked as "Sensitive" shows the value in the console.
I suspect similar misbehavior for error messages?
Module version
github.com/hashicorp/terraform-plugin-framework v1.8.0
Relevant provider source code
resp.Diagnostics.AddAttributeWarning(
	req.Path,
	"Usage of GPG can't be validated.",
	"Due to limitations of go libraries, your GPG key can't be validated client side.",
)
Terraform Configuration Files
N/A
Debug Output
│ Warning: Usage of GPG can't be validated.
│
│ with artifactory_keypair.some-keypair-6543461672124900137,
│ on cdk.tf.json line 2802, in resource.artifactory_keypair.some-keypair-6543461672124900137:
│ 2802: "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK----- <redacted> -----END PGP PRIVATE KEY BLOCK-----",
│
│ Due to limitations of go libraries, your GPG key can't be validated client
│ side.
Expected Behavior
The value of the sensitive attribute should either be redacted or hidden completely.
Actual Behavior
The value is output verbatim to the console.
Steps to Reproduce
N/A
References
Issue from practitioner: https://github.com/jfrog/terraform-provider-artifactory/issues/977
Source code: https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/resource/security/resource_artifactory_keypair.go#L114 and https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/resource/security/resource_artifactory_keypair.go#L284
Hi @alexhung 👋 Thank you for raising this.
Setting an attribute's Sensitive flag should signal to Terraform across the plugin protocol that it should treat any values of that attribute as sensitive data and not directly display them in output. The configuration context shown in warning and error diagnostics is handled by Terraform, and if Terraform is not honoring the attribute sensitive behavior, this issue should be raised in the Terraform issue tracker instead, as there is nothing else that the provider side of the protocol can do to change or further influence this display of the value in that context.
As a temporary workaround, you should be able to remove the attribute path information from the diagnostic (e.g. use (diag.Diagnostics).AddWarning() instead) to prevent the direct display of the value. The configuration context shown by Terraform should then only show the configuration line of the resource block instead.
@bflad Thanks for the comment! I'll switch to using AddWarning() for now.
Should I open the issue in https://github.com/hashicorp/terraform or would you do that internally?
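To apply the workaround discussed in this thread across a provider, the following added example (not code from the framework or from the Artifactory provider) lists every call that attaches an attribute path to a diagnostic, so each can be reviewed and switched to `AddWarning()`/`AddError()` where the attribute is Sensitive. It goes slightly beyond the reported case by also flagging `AddAttributeError`; the names `FindAttributeDiagnostics`, `Finding` and `sampleSrc` are hypothetical, the sample source is constructed, and the match is by method name only (it does not resolve types or read the schema).

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed sample provider source, used only to exercise the check.
const sampleSrc = `package provider

func validate(req Req, resp *Resp) {
	resp.Diagnostics.AddAttributeWarning(req.Path, "summary", "detail")
	resp.Diagnostics.AddWarning("summary", "detail")
	resp.Diagnostics.AddAttributeError(req.Path, "summary", "detail")
}
`

// Finding is one call that passes an attribute path to a diagnostic.
type Finding struct {
	Line   int
	Method string
}

// Methods whose diagnostics make Terraform print the configuration line
// of the referenced attribute.
var flagged = map[string]bool{"AddAttributeWarning": true, "AddAttributeError": true}

// FindAttributeDiagnostics parses Go source (syntax only, no type checking)
// and returns the flagged method calls in source order.
func FindAttributeDiagnostics(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok && flagged[sel.Sel.Name] {
				out = append(out, Finding{fset.Position(call.Pos()).Line, sel.Sel.Name})
			}
		}
		return true
	})
	return out, nil
}

func main() {
	findings, _ := FindAttributeDiagnostics("sample.go", sampleSrc)
	fmt.Println(findings)
}
```

Each reported line still needs a manual check against the schema to see whether the attribute at that path is marked Sensitive.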