dbt-labs / terraform-provider-dbtcloud

dbt Cloud Terraform Provider
https://registry.terraform.io/providers/dbt-labs/dbtcloud
MIT License

github deploy key is output in the terraform plan #188

Closed ruben-cit closed 6 months ago

ruben-cit commented 10 months ago

Not sure what the best practice is there but feels like this probably should be marked as sensitive:

[Screenshot 2023-09-07 at 3 07 02 PM]

b-per commented 10 months ago

My first stance would be that as it is visible in clear text in dbt Cloud, this actually wouldn't be a sensitive value.

The deploy_key doesn't give you read/write access to the repo by itself. This is the value that needs to be manually added on the GitHub side to then provide read/write access from dbt Cloud to the repo.

Do you see it differently?

will-sargent-dbtlabs commented 9 months ago

I agree @b-per.

In fact, if you didn't get the deploy key in the output, you would not be able to copy it to your git provider without accessing it in dbt Cloud.

That being said, if you were automatically adding that deploy key to a git provider without need of manual copy-paste, then treating it as sensitive is also not unreasonable.

I would propose we make an option in the vars that would toggle the deploy key sensitive bool, defaulting to off, since technically it will eventually have power if installed, and org policy may need to have it redacted.

While there is an essential need to show it in clear text for many users, for others, having it redacted is also desirable.
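
For the org-policy case raised in this thread, one option on the consumer side is a CI check over the plan's JSON form that reports `deploy_key` values not marked sensitive and redacts them before the plan is stored or shared. This is an added example, not code from the issue or from the provider; the resource addresses and key strings are constructed, and the sample is trimmed to the `resource_changes` fields of `terraform show -json` output that the check reads.

```python
import copy

ATTR = "deploy_key"  # attribute name taken from the issue

# Constructed sample in the shape of `terraform show -json <planfile>`.
# Addresses and key strings are made up for this example.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "dbtcloud_repository.analytics",   # key known, not masked
     "change": {"actions": ["update"],
                "after": {"deploy_key": "ssh-rsa CONSTRUCTED-KEY-1"},
                "after_sensitive": {}}},
    {"address": "dbtcloud_repository.finance",     # key known, masked
     "change": {"actions": ["update"],
                "after": {"deploy_key": "ssh-rsa CONSTRUCTED-KEY-2"},
                "after_sensitive": {"deploy_key": True}}},
    {"address": "dbtcloud_repository.new",         # key not known until apply
     "change": {"actions": ["create"],
                "after": {}, "after_unknown": {"deploy_key": True},
                "after_sensitive": {}}},
]}


def _sides(plan):
    """Yield (address, side, values, sensitivity mask) for each change."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        for side in ("before", "after"):
            values = change.get(side)
            if isinstance(values, dict):
                yield rc["address"], side, values, change.get(f"{side}_sensitive")


def unredacted(plan, attr=ATTR):
    """List (address, side) where attr has a known value and is not marked sensitive."""
    hits = []
    for address, side, values, mask in _sides(plan):
        marked = mask is True or (isinstance(mask, dict) and mask.get(attr) is True)
        if isinstance(values.get(attr), str) and not marked:
            hits.append((address, side))
    return hits


def redact(plan, attr=ATTR):
    """Return a copy of the plan with every known attr value replaced."""
    out = copy.deepcopy(plan)
    for _, _, values, _ in _sides(out):
        if isinstance(values.get(attr), str):
            values[attr] = "(redacted)"
    return out


if __name__ == "__main__":
    for address, side in unredacted(SAMPLE_PLAN):
        print(f"{address}: {ATTR} ({side}) is not marked sensitive")
```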

github-actions[bot] commented 6 months ago

This issue has been marked as Stale because it has been open for 90 days with no activity. If you would like the issue to remain open, please comment on the issue or else it will be closed in 7 days.