
Unwanted changes in sensitive value when running terraform plan

Open PatriQ1414 opened this issue 1 year ago • 1 comments

Terraform Version

Terraform v1.2.7

Terraform Configuration Files

...terraform config...

Debug Output

NA

Expected Behavior

No changes

Actual Behavior

local_file.ssh_key will be updated in-place

~ resource "local_file" "ssh_key" {
    id = "e18093413cXXXXXXXXXXXXXXXXXXXXXX"
    # (10 unchanged attributes hidden)
}

tls_private_key.pk will be updated in-place

~ resource "tls_private_key" "pk" {
    id = "97f281183dce4cf6d9425bXXXXXXXXXXXXXXX"
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ private_key_openssh = (sensitive value)
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ private_key_pem = (sensitive value)
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ private_key_pem_pkcs8 = (sensitive value)
    # (7 unchanged attributes hidden)
}

module.compute.aws_iam_access_key.data_mig will be updated in-place

~ resource "aws_iam_access_key" "data_mig" {
    id = "AKXXXXXXXXXXXXXXXXXXX"
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ secret = (sensitive value)
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ ses_smtp_password_v4 = (sensitive value)
    # (3 unchanged attributes hidden)
}

module.compute.aws_secretsmanager_secret_version.data_mig_pass will be updated in-place

~ resource "aws_secretsmanager_secret_version" "data_mig_pass" {
    id = "arn:aws:secretsmanager:eu-west-1:1112223334444secret:User-XXXXXXX-XXXXXX-XXXXX1"
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ secret_binary = (sensitive value)
    # (5 unchanged attributes hidden)
}

module.compute.aws_secretsmanager_secret_version.db_main_password["0"] will be updated in-place

~ resource "aws_secretsmanager_secret_version" "db_main_password" {
    id = "arn:aws:secretsmanager:eu-west-1:1112223334444:secret:Password-XXXX-XXXXX-XXXXXX"
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ secret_binary = (sensitive value)
    # (5 unchanged attributes hidden)
}

module.compute.aws_sns_topic_subscription.user will be created

+ resource "aws_sns_topic_subscription" "user" {
  + arn = (known after apply)
  + confirmation_timeout_in_minutes = 1
  + confirmation_was_authenticated = (known after apply)
  + endpoint = "[email protected]"
  + endpoint_auto_confirms = false
  + filter_policy_scope = (known after apply)
  + id = (known after apply)
  + owner_id = (known after apply)
  + pending_confirmation = (known after apply)
  + protocol = "email"
  + raw_message_delivery = false
  + topic_arn = "arn:aws:sns:eu-west-1:11112222233334444:XXXXXXXXXXXXXX
}

module.compute.random_password.db_main_password["0"] will be updated in-place

~ resource "random_password" "db_main_password" {
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ bcrypt_hash = (sensitive value)
    id = "none"
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ result = (sensitive value)
    # (10 unchanged attributes hidden)
}

module.loadbalancer.aws_acm_certificate.public["0"] will be updated in-place

~ resource "aws_acm_certificate" "public" {
  - certificate_authority_arn = "" -> null
  - early_renewal_duration = "" -> null
    id = "arn:aws:acm:eu-west-1:111222333344444:certificate/XXXXXXXXX-XXXXXXXXX"
    # (15 unchanged attributes hidden)

    # (1 unchanged block hidden)
}

module.network.aws_iam_access_key.users will be updated in-place

~ resource "aws_iam_access_key" "users" {
    id = "AKXXXXXXXXXXXXXXXXXXXXX"
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ secret = (sensitive value)
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ ses_smtp_password_v4 = (sensitive value)
    # (3 unchanged attributes hidden)
}

module.network.aws_secretsmanager_secret_version.user will be updated in-place

~ resource "aws_secretsmanager_secret_version" "user" {
    id = "arn:aws:secretsmanager:eu-west-1:1112223333444444:secret:user-XXXXXXXXXXXXXXXXXXXXXX"
    # Warning: this attribute value will no longer be marked as sensitive
    # after applying this change. The value is unchanged.
  ~ secret_binary = (sensitive value)
    # (5 unchanged attributes hidden)
}

module.network.dome9_cloudaccount_aws.main[0] will be updated in-place

~ resource "dome9_cloudaccount_aws" "main" {
    id = "6cb67097-af94-4642-ac25-b5bb40442e7a"
    name = "UK-SITS-UAL-Prod"
    # (8 unchanged attributes hidden)

  ~ credentials {
      - api_key      = "" -> null
      - iam_user     = "" -> null
      # Warning: this attribute value will no longer be marked as sensitive
      # after applying this change. The value is unchanged.
      ~ secret       = (sensitive value)
        # (3 unchanged attributes hidden)
    }

    # (1 unchanged block hidden)
}

Steps to Reproduce

terraform init
terraform plan
terraform apply

Additional Context

This only comes up as a warning and doesn't actually change anything

References

No

PatriQ1414, Sep 05 '24 11:09
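
One way to separate updates that only drop sensitive marks, like most of those in the plan above, from updates that change values. This is an added example, not part of the original issue and not Terraform's own code. It reads the plan's JSON representation (the `resource_changes` list printed by `terraform show -json`) and compares `before_sensitive` with `after_sensitive`; the sample plan is constructed and holds placeholder values only.

```python
def has_true(v):
    """True if any leaf of a nested marker structure is True."""
    if isinstance(v, (dict, list)):
        items = v.values() if isinstance(v, dict) else v
        return any(has_true(x) for x in items)
    return v is True

def lost_marks(before_s, after_s, path=""):
    """Paths marked sensitive in before_sensitive but not in after_sensitive."""
    if after_s is True:            # still sensitive as a whole: nothing lost
        return []
    if before_s is True:
        return [path or "<whole value>"]
    if isinstance(before_s, dict):
        after_s = after_s if isinstance(after_s, dict) else {}
        return [p for k, v in before_s.items()
                for p in lost_marks(v, after_s.get(k), f"{path}.{k}" if path else k)]
    if isinstance(before_s, list):
        after_s = after_s if isinstance(after_s, list) else []
        return [p for i, v in enumerate(before_s)
                for p in lost_marks(v, after_s[i] if i < len(after_s) else None, f"{path}[{i}]")]
    return []

def triage(plan):
    """'sensitivity-only' when dropped marks are the only difference, else 'value-change'."""
    report = {}
    for rc in plan.get("resource_changes", []):
        ch = rc["change"]
        if ch["actions"] == ["no-op"]:
            continue
        lost = lost_marks(ch.get("before_sensitive"), ch.get("after_sensitive"))
        same = ch["actions"] == ["update"] and ch.get("before") == ch.get("after")
        only_marks = same and lost and not has_true(ch.get("after_unknown"))
        kind = "sensitivity-only" if only_marks else "value-change"
        report[rc["address"]] = {"kind": kind, "lost_sensitive": sorted(lost)}
    return report

# Constructed sample shaped like `terraform show -json` output; placeholder values only.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "tls_private_key.pk", "change": {
        "actions": ["update"], "after_unknown": {},
        "before": {"id": "ID", "private_key_pem": "PLACEHOLDER"},
        "after": {"id": "ID", "private_key_pem": "PLACEHOLDER"},
        "before_sensitive": {"private_key_pem": True}, "after_sensitive": {}}},
    {"address": "module.network.dome9_cloudaccount_aws.main[0]", "change": {
        "actions": ["update"], "after_unknown": {},
        "before": {"credentials": [{"api_key": "", "secret": "PLACEHOLDER"}]},
        "after": {"credentials": [{"api_key": None, "secret": "PLACEHOLDER"}]},
        "before_sensitive": {"credentials": [{"secret": True}]},
        "after_sensitive": {"credentials": [{}]}}},
]}
```

For a real plan, pass `triage` the result of `json.load` on the output of `terraform show -json <planfile>`; any address with a non-empty `lost_sensitive` list is one whose values would stop being redacted in later plan output.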

Hi @PatriQ1414,

The version of Terraform you are using is quite old, and there have been many bugs fixed and improvements made since then.

If you can replicate the issue with a current Terraform release, please create a minimal example demonstrating the issue, including the configuration and steps to reproduce.

jbardin, Sep 05 '24 18:09

Since we have not heard back in a while I'm going to close the issue. If you have any updates regarding the issue, feel free to open a new issue with the requested information. If you have more questions, you can also use the community forum where there are more people ready to help.

Thanks!

jbardin, Sep 17 '24 01:09

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot], Oct 17 '24 02:10