terraform-provider-kubernetes-alpha

Sensitive data does show up

Open evilezh opened this issue 3 years ago • 3 comments

I do use terraform 0.14.x

So the problem seems to be the following: when I do plan ... there are two things showing up: manifest {}, object {}

manifest contains properly redacted values while object {} shows all sensitive data in plain text.

evilezh Feb 19 '21 13:02

Hi and thanks for raising this.

This is unfortunately a side effect of the way this provider works around the confines of Terraform Schema in order to provide the dynamic resource behavior.

I took note of it and will think of possible solutions. Unfortunately there is no immediate workaround at hand.


alexsomesan Feb 19 '21 14:02

Could you please share the exact configuration and provider output that leads to this? I'd like to experiment with this and see if we can come up with a better explanation / solution.

alexsomesan Feb 24 '21 17:02

Same issue here.

I have a template file letsencrypt-issuer.tpl.yaml:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ${name}
spec:
  acme:
    email: ${email}
    server: ${server}
    privateKeySecretRef:
      name: issuer-account-key-${name}
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: ${api_token_secret_name}
              key: ${api_token_secret_data_key}
```

I use the yamldecode() and templatefile() functions inside the kubernetes_manifest resource:

```hcl
resource "kubernetes_manifest" "letsencrypt_issuer_staging" {
  provider = kubernetes-alpha

  manifest = yamldecode(templatefile(
    "${path.module}/letsencrypt-issuer.tpl.yaml",
    {
      "name"                      = "letsencrypt-staging"
      "email"                     = var.letsencrypt_email
      "server"                    = "https://acme-staging-v02.api.letsencrypt.org/directory"
      "api_token_secret_name"     = kubernetes_secret.letsencrypt_cloudflare_api_token_secret.metadata[0].name
      "api_token_secret_data_key" = keys(kubernetes_secret.letsencrypt_cloudflare_api_token_secret.data)[0]
    }
  ))

  depends_on = [helm_release.cert_manager]
}
```

The var.letsencrypt_email is sensitive but its value is displayed plainly when running terraform plan. I'm pretty sure yamldecode() and templatefile() are not the issue, but I'd have to debug more to be sure.

schnerring Apr 27 '21 02:04
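
Added example (not part of the thread and not the provider's code): a check that could run in CI over `terraform show -json <planfile>` output and flags strings marked sensitive under `manifest` that reappear without a mark under `object`. The sample plan, its e-mail and server values, and the function names are constructed for illustration; it assumes the plan JSON carries `after_sensitive` marks as in Terraform's JSON plan format.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output for the
# resource in this thread; the e-mail and server values are made-up placeholders.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "kubernetes_manifest.letsencrypt_issuer_staging",
  "type": "kubernetes_manifest",
  "change": {
    "after": {
      "manifest": {"spec": {"acme": {"email": "ops@example.invalid", "server": "https://acme.example.invalid/directory"}}},
      "object":   {"spec": {"acme": {"email": "ops@example.invalid", "server": "https://acme.example.invalid/directory"}}}
    },
    "after_sensitive": {"manifest": {"spec": {"acme": {"email": true}}}, "object": {}}
  }
}]}
""")


def leaves(value, marks, path=()):
    """Walk a planned value beside its sensitivity marks; yield (path, leaf, is_sensitive)."""
    if isinstance(value, dict):
        for key, child in value.items():
            sub = True if marks is True else (marks.get(key) if isinstance(marks, dict) else None)
            yield from leaves(child, sub, path + (key,))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            in_range = isinstance(marks, list) and i < len(marks)
            sub = True if marks is True else (marks[i] if in_range else None)
            yield from leaves(child, sub, path + (i,))
    else:
        yield path, value, marks is True  # a mark on a container covers all leaves below


def unredacted_copies(plan):
    """Return (address, path) for object leaves repeating a sensitive manifest string unmarked."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "kubernetes_manifest":
            continue
        change = rc.get("change", {})
        found = list(leaves(change.get("after") or {}, change.get("after_sensitive") or {}))
        secrets = {v for p, v, s in found if p[:1] == ("manifest",) and s and isinstance(v, str) and v}
        findings += [(rc["address"], ".".join(map(str, p)))
                     for p, v, s in found if p[:1] == ("object",) and not s and v in secrets]
    return findings
```

The JSON plan holds every value in plain text regardless of marks, so the plan file itself needs the same handling as the secrets it contains.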