cloudposse / terraform-aws-ecs-container-definition

Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource
https://cloudposse.com/accelerate
Apache License 2.0

Output refers to sensitive values #133

Closed arnoschutijzer closed 3 years ago

arnoschutijzer commented 3 years ago

Describe the Bug

Running terraform plan and terraform apply using terraform 0.15.0 results in this error message:

│ Error: Output refers to sensitive values
│
│   on .terraform/modules/application.app_container_definition/outputs.tf line 6:
│    6: output "json_map_encoded" {
│
│ Expressions used in outputs can only refer to sensitive values if the sensitive attribute is true.

Expected Behavior

No error when planning / applying.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Create a terraform script with a module with github.com/cloudposse/terraform-aws-ecs-container-definition?ref=0.56.0 as the source
  2. Run 'terraform plan'
  3. See error

Additional Context

I think this issue is already fixed on master but there was no release. Can we get this released? We'd like to keep the version locked. EDIT: it's not actually fixed yet. I can give it a go but just marking the outputs as sensitive will be a bit too naive probably. 😄

nitrocode commented 3 years ago

Can you expand on your reproducible steps? What sensitive information are you putting in the module? Can you remove that information from the module?

arnoschutijzer commented 3 years ago

Ah, this seems related to using SSM parameters as input in env variables. We do this because we need to trimprefix from the value of that SSM parameter but I guess we can trimprefix when outputting to SSM and use the secrets map.

I can reproduce the issue by planning the following:

provider "aws" {}

data "aws_ssm_parameter" "some_parameter" {
  name = "/some/path"
}

module "container_definition" {
  source = "github.com/cloudposse/terraform-aws-ecs-container-definition?ref=0.56.0"

  container_image = "nginx"
  container_name = "nginx"

  environment = [{
    name = "some_name",
    value = data.aws_ssm_parameter.some_parameter.value
  }]
}

nitrocode commented 3 years ago

I'd remove the ssm parameter from the module input, add it to the module's output (the output is simply json) before passing it to the task definition.

arnoschutijzer commented 3 years ago

That also works. I'll close this out since it's not an issue with the module.

nitrocode commented 3 years ago

You could also try one of the sensitive outputs

https://github.com/cloudposse/terraform-aws-ecs-container-definition#outputs

arnoschutijzer commented 3 years ago

That doesn't work sadly. In the script above I'm not using any outputs of the module so terraform is throwing an error just because the outputs that are not sensitive exist.

nitrocode commented 3 years ago

@arnoschutijzer the best way to do this is to use the map_secrets or secrets input which will make the ecs task retrieve the value from ssm without terraform having to do it.

provider "aws" {}

data "aws_ssm_parameter" "some_parameter" {
  name = "/some/path"
}

module "container_definition" {
  source = "cloudposse/ecs-container-definition/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  container_image = "nginx"
  container_name = "nginx"

  map_secrets = {
    some_name = data.aws_ssm_parameter.some_parameter.arn
  }
}
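To make the difference between the two snippets in this thread concrete, here is an added example (not part of the module or of anyone's comment above): it renders the shape of container definition the module produces for the `environment` pattern and for the `map_secrets` pattern, shows which one embeds the resolved parameter value in the task definition JSON, and flags an ARN mistakenly placed in `environment`. The parameter ARN and value are constructed placeholders.

```python
import json
import re

# Constructed sample values (not from the issue): a SecureString parameter and its ARN.
PARAM_ARN = "arn:aws:ssm:eu-west-1:123456789012:parameter/some/path"
PARAM_VALUE = "constructed-secret-value"  # what data.aws_ssm_parameter.*.value resolves to

# ARN shapes ECS accepts in `secrets[].valueFrom` (Parameter Store and Secrets Manager).
SECRET_REF = re.compile(
    r"^arn:aws[\w-]*:(ssm:[\w-]+:\d{12}:parameter/|secretsmanager:[\w-]+:\d{12}:secret:)\S+$"
)

def container_definition(name, image, environment=None, secrets=None):
    """Stand-in for the module's rendered object: `environment` becomes a list of
    {name, value}; `secrets` (the map_secrets input) a list of {name, valueFrom}."""
    return {
        "name": name,
        "image": image,
        "environment": [{"name": k, "value": v} for k, v in (environment or {}).items()],
        "secrets": [{"name": k, "valueFrom": v} for k, v in (secrets or {}).items()],
    }

def audit(container):
    """Return findings about secret handling in one rendered container definition."""
    findings = []
    for env in container["environment"]:
        # An ARN in `environment` is a mistake: ECS hands it to the process as a literal string.
        if SECRET_REF.match(env["value"]):
            findings.append(f"environment/{env['name']}: ARN given as a plain value; move it to secrets")
    for sec in container["secrets"]:
        # valueFrom may be an ARN or a bare parameter name; anything else is not a reference.
        if not (SECRET_REF.match(sec["valueFrom"]) or re.fullmatch(r"/?[\w./-]+", sec["valueFrom"])):
            findings.append(f"secrets/{sec['name']}: valueFrom is not an SSM/Secrets Manager reference")
    return findings

def exposes_value(container, secret_value):
    """True if the plaintext secret is embedded in the task definition JSON, i.e.
    readable by anyone allowed to call ecs:DescribeTaskDefinition."""
    return secret_value in json.dumps(container)

# First snippet in the issue: Terraform resolves the parameter and the value lands in the JSON.
INLINE = container_definition("nginx", "nginx", environment={"some_name": PARAM_VALUE})
# Last snippet in the issue: only the ARN is embedded; the ECS agent fetches the value at start.
REFERENCED = container_definition("nginx", "nginx", secrets={"some_name": PARAM_ARN})

if __name__ == "__main__":
    print("inline exposes value:", exposes_value(INLINE, PARAM_VALUE))          # True
    print("referenced exposes value:", exposes_value(REFERENCED, PARAM_VALUE))  # False
    print("audit(referenced):", audit(REFERENCED))                              # []
```

The task execution role still needs permission to read the referenced parameter (and to decrypt it with the KMS key for a SecureString) for the `map_secrets` pattern to start the task.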