
kubernetes_manifest object field does not respect sensitive values

Open benjyiw opened this issue 2 years ago • 6 comments

Terraform Version, Provider Version and Kubernetes Version

Terraform version: v1.2.1
Kubernetes provider version: v2.11.0
Kubernetes version: 1.21

Affected Resource(s)

  • kubernetes_manifest

Terraform Configuration Files

main.tf:

variable "some-secret" {
  type      = string
  sensitive = true
}

locals {
  helm_values = templatefile(
    "./helm-values/dev-application-services.yaml",
    {
      test_secret_value = var.some-secret
    }
  )
}

resource "kubernetes_manifest" "application" {
  manifest = {
    "apiVersion" = "argoproj.io/v1alpha1"
    "kind"       = "Application"
    "metadata" = {
      "name"      = "my-app"
      "namespace" = "argo-cd"
    }
    "spec" = {
      "source" = {
        "helm" = {
          # Rendered above via templatefile() from the sensitive var.some-secret
          "values" = local.helm_values
        }
      }
    }
  }
}

helm-values/dev-application-services.yaml:

test: ${test_secret_value}

Debug Output

Here is the output of a TF_LOG=DEBUG terraform plan from my local computer; the important lines are line 141, where sensitive output is respected, and line 270, where it is not. https://gist.github.com/benjyiw/9df38df10f166fc0c7aeb9b465fd574b

Panic Output

N/A

Steps to Reproduce

  1. Create a CustomResource with the kubernetes_manifest resource and add a reference to a secret value
  2. terraform plan or terraform apply

Expected Behavior

I expect the logs of the provider during a terraform plan and terraform apply to not print secret values.

Actual Behavior

The object field of the kubernetes_manifest resource duplicates secret fields which results in them being printed out in logs.

Important Factoids

The Argo CD Application CRD is installed in the Kubernetes cluster that I tested this with. Any other custom resource would work, I believe.

References

N/A, AFAIK

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

benjyiw avatar Jun 01 '22 00:06 benjyiw
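The leak described in the issue is easy to confirm (and, after any fix, to rule out) by scanning the saved TF_LOG=DEBUG output for the secret value itself. The script below is an added example and is not part of this issue, the gist, or the provider's code; it assumes the log was saved to a file and that the secret is known to the person running the check. Because a provider may echo the value in more than one encoding, it searches for the raw string, its JSON-escaped form (structured log fields and the plugin protocol serialise strings as JSON) and its base64 form (how Kubernetes Secret data is stored). The sample log lines are constructed for the example and are not taken from the linked gist.

```python
"""Added example: find a secret value that should not appear in a Terraform debug log."""
import base64
import json
from typing import Dict, Iterable, List, Tuple


def secret_forms(secret: str) -> Dict[str, str]:
    """Encodings of `secret` worth searching for, keyed by a short name."""
    forms = {"raw": secret}
    escaped = json.dumps(secret)[1:-1]  # drop the surrounding quotes
    if escaped != secret:               # only differs when the value needs escaping
        forms["json-escaped"] = escaped
    forms["base64"] = base64.b64encode(secret.encode()).decode()
    return forms


def find_leaks(log_lines: Iterable[str], secret: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, encoding) for each line containing the secret."""
    if len(secret) < 8:
        # A very short needle matches by accident; refuse rather than report noise.
        raise ValueError("secret too short to scan for reliably")
    forms = secret_forms(secret)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for name, needle in forms.items():
            if needle in line:
                hits.append((lineno, name))
    return hits


def redact(line: str, secret: str, marker: str = "[REDACTED]") -> str:
    """Replace every known encoding of the secret so a log line can be shared safely."""
    for needle in secret_forms(secret).values():
        line = line.replace(needle, marker)
    return line


def scan_log_file(path: str, secret: str) -> List[Tuple[int, str]]:
    """Scan a saved log, e.g. the file from `TF_LOG=DEBUG terraform plan 2> plan.log`."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_leaks(fh, secret)


# Constructed sample (not the gist from the issue): a secret containing a quote,
# so its JSON-escaped form differs from the raw one, plus five log lines written
# in the style of a provider debug log. Lines 2, 3 and 5 leak; 1 and 4 do not.
SECRET = 'hunter2"s3cr3t'
SAMPLE_LOG = [
    "[DEBUG] provider: PlanResourceChange kubernetes_manifest.application",
    f"[DEBUG] provider: object.spec.source.helm.values = test: {SECRET}",
    "[DEBUG] provider: proposed state " + json.dumps({"values": "test: " + SECRET}),
    "[DEBUG] provider: manifest.spec.source.helm.values = (sensitive value)",
    "[DEBUG] provider: secret.data.test = " + base64.b64encode(SECRET.encode()).decode(),
]

if __name__ == "__main__":
    for lineno, form in find_leaks(SAMPLE_LOG, SECRET):
        print(f"line {lineno}: secret present ({form}): "
              f"{redact(SAMPLE_LOG[lineno - 1], SECRET)}")
```

Run it against a real log with `scan_log_file("plan.log", secret)`; only redacted lines should ever be pasted into a bug report, which is why `redact` covers the same encodings the scanner searches for.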

I found issue #1528 this morning, which is related. There is a comment there suggesting that the sensitive-output problem be tracked in a separate issue, because the description in #1528 is mostly about the verbosity of the output. So I'll leave this open for now, since the concern here is sensitive output being displayed, and I believe this issue should be considered a bug and not an enhancement.

benjyiw avatar Jun 01 '22 15:06 benjyiw

I also found https://github.com/hashicorp/terraform-provider-kubernetes-alpha/issues/146, from the old alpha repo which describes this exact problem.

benjyiw avatar Jun 01 '22 15:06 benjyiw

Hi,

Unfortunately, there isn't much the provider can do about filtering sensitive values. The propagation of the "sensitive" property of a value is handled by Terraform internally and this bit of information about attributes doesn't cross over to the provider domain. In other words, the provider doesn't get informed by Terraform when an attribute is to be considered sensitive.

A solution to this issue needs to involve changes to Terraform itself as well as the protocol it uses to communicate with the providers. It would be helpful if you could open a corresponding issue in the Terraform repository itself so we can open the conversation with that team and build up the case for implementing this.

alexsomesan avatar Jul 20 '22 11:07 alexsomesan

@alexsomesan in the meantime, would it be possible to add a flag to the kubernetes_manifest resource to tell Terraform that the object should be treated as sensitive? This would allow a way to "manually" tell Terraform not to print that output to the console.

cryptk avatar Oct 31 '22 19:10 cryptk

Has anyone managed to find a workaround for this? I'm finding it when I want to inject some secrets generated in terraform into some argocd application values 😭

benjefferies avatar Oct 09 '23 18:10 benjefferies

We have this issue here and now, using kubernetes_manifest to declare an ApisixPluginConfig that filters ingress using OpenID Connect, with a secret key... The workaround is to not use kubernetes_manifest 🤦‍♂️ kubernetes_manifest is still not really usable, years after its introduction.

Nainterceptor avatar Jan 11 '24 23:01 Nainterceptor