Azure / terraform-provider-azapi

Terraform provider for Azure Resource Manager Rest API
https://registry.terraform.io/providers/Azure/azapi/latest
Mozilla Public License 2.0

hide sensitive values from response_export_values of azapi_resource_action #574

Open oocx opened 3 months ago

oocx commented 3 months ago

I'm using azapi_resource_action to generate a key pair:

resource "azapi_resource_action" "admin_user_ssh_public_key_generate" {
  type        = "Microsoft.Compute/sshPublicKeys@2022-11-01"
  resource_id = azapi_resource.admin_user_ssh_public_key.id
  action      = "generateKeyPair"
  method      = "POST"

  response_export_values  = ["publicKey", "privateKey"]

}

The generated private key is shown in my terraform plan:

-/+ resource "azapi_resource_action" "admin_user_ssh_public_key_generate" {
      ~ id                     = "/subscriptions/.../providers/Microsoft.Compute/sshPublicKeys/mykey/generateKeyPair" -> (known after apply)
      ~ output                 = {
          - privateKey = <<-EOT
                -----BEGIN RSA PRIVATE KEY-----
                ...

How can I mark the privateKey attribute as sensitive, so that it is not shown in the terraform plan?

ms-henglu commented 3 months ago

Hi @oocx,

Thank you for taking the time to report this issue.

Unfortunately, users can't mark a resource's field as sensitive. And from the provider's perspective, the Terraform protocol doesn't support marking a field as sensitive conditionally either.

Related issue: https://github.com/hashicorp/terraform-plugin-sdk/issues/736
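
A check a pipeline can run while this limitation stands, added here as an example and not part of the thread or the provider's code: it scans the JSON form of a plan (`terraform show -json` on a saved plan file) for PEM private keys in attributes that the plan's `before_sensitive` / `after_sensitive` masks do not cover. The sample plan, the `tls_private_key.constructed_example` address and the key bodies are constructed for illustration.

```python
import json
import re
import sys

# Matches PEM private key headers (RSA, EC, OPENSSH, ENCRYPTED, or bare PKCS#8).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")

def _walk(value, mask, path):
    """Yield attribute paths whose string value holds a private key and is not masked."""
    if mask is True:  # this subtree is marked sensitive, so the plan redacts it
        return
    if isinstance(value, dict):
        sub = mask if isinstance(mask, dict) else {}
        for key, child in value.items():
            yield from _walk(child, sub.get(key, False), f"{path}.{key}")
    elif isinstance(value, list):
        sub = mask if isinstance(mask, list) else []
        for i, child in enumerate(value):
            yield from _walk(child, sub[i] if i < len(sub) else False, f"{path}[{i}]")
    elif isinstance(value, str) and PEM_PRIVATE_KEY.search(value):
        yield path

def find_exposed_private_keys(plan):
    """Return sorted (resource address, attribute path) pairs for unmasked private keys."""
    findings = set()
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        for side in ("before", "after"):
            mask = change.get(f"{side}_sensitive", False)
            for path in _walk(change.get(side), mask, side):
                findings.add((rc["address"], path))
    return sorted(findings)

# Constructed sample: the first resource mirrors the issue, the second is properly masked.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "azapi_resource_action.admin_user_ssh_public_key_generate",
     "change": {"before": {"output": {"privateKey": "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n"}},
                "before_sensitive": {"output": {}}, "after": {}, "after_sensitive": {}}},
    {"address": "tls_private_key.constructed_example",
     "change": {"before": None, "before_sensitive": False,
                "after": {"private_key_pem": "-----BEGIN PRIVATE KEY-----\n(constructed)\n"},
                "after_sensitive": {"private_key_pem": True}}},
]}

if __name__ == "__main__":
    plan = SAMPLE_PLAN
    if len(sys.argv) > 1:  # optional: path to the output of `terraform show -json`
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    for address, path in find_exposed_private_keys(plan):
        print(f"{address}: {path} holds an unmasked private key")
```

The JSON plan carries sensitive values in clear text alongside the masks, so the JSON file itself needs the same handling as the state file.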