hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Terraform (0.14) Cloud sensitive variables #27700

Closed mbevc1 closed 3 years ago

mbevc1 commented 3 years ago

Terraform Version

0.14.x

Terraform Configuration Files

variable "key" {
  description = "The KEY passed from TerraformCloud variables"
  type        = string
  sensitive   = false
}

Expected Behavior

When marking a variable in TFC as sensitive and passing the value down in the code, when executing it should obey the sensitive setting in variables.tf.

Actual Behavior

The sensitive attribute is overridden and the variable is marked as sensitive, thus breaking code in for_each loops.

Steps to Reproduce

  1. Create a variable in TFC UI on the workspace and mark it as sensitive (we want encryption and no visibility in UI)
  2. in the code, variables.tf: use sensitive = false
  3. use that variable in for_each loop
  4. Run plan
  5. Using 0.14 fails due to the hard limitation on using sensitive values in for_each loops

Additional Context

Examining this behaviour and more testing showed that even if not using an explicit sensitive value, it's still masked in plan as a sensitive value and it should succeed, which it did in previous versions. Is this intended behaviour?
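The limitation described in this report, shown as an added configuration that is not part of the issue or of the Terraform project: a sensitive map cannot drive `for_each` in 0.14, because the instance keys would carry the secret into resource addresses and plan output. The pattern below keeps the key set in a separate non-sensitive variable and only looks up the sensitive value per instance. The variable names (`api_keys`, `service_names`), the `null_resource` and the default values are assumptions constructed for the example.

```hcl
# Added example (not from the issue). Demonstrates the 0.14 for_each limitation
# on sensitive values and a pattern that keeps plans working while the secret
# values themselves stay sensitive.

terraform {
  required_version = ">= 0.14"
}

# Hypothetical secret map, marked sensitive in configuration. Note that a
# variable marked sensitive in the Terraform Cloud workspace stays sensitive
# even if this block says sensitive = false (the behaviour reported above).
variable "api_keys" {
  description = "Map of service name => API key (secret values)"
  type        = map(string)
  sensitive   = true
  default = {
    # constructed placeholder values, not real credentials
    billing = "constructed-example-key-1"
    search  = "constructed-example-key-2"
  }
}

# Hypothetical key set kept non-sensitive: it drives for_each, so it must
# contain nothing secret, because instance keys appear in addresses and state.
variable "service_names" {
  description = "Service names; must not be sensitive because it drives for_each"
  type        = set(string)
  default     = ["billing", "search"]
}

# This form fails in 0.14 with the "sensitive value in for_each" error,
# because the map keys of a sensitive map are themselves sensitive:
#
# resource "null_resource" "svc" {
#   for_each = var.api_keys
# }

# Working pattern: iterate over the non-sensitive key set and look up the
# sensitive value per instance. The address becomes null_resource.svc["billing"],
# and the secret only appears in an attribute, which plan output redacts.
# The value is still written to state like any attribute, so the state backend
# must be protected accordingly.
resource "null_resource" "svc" {
  for_each = var.service_names

  triggers = {
    api_key = var.api_keys[each.key]
  }
}

# Safe to expose: only the non-sensitive key names, never the values.
output "configured_services" {
  value = sort(tolist(var.service_names))
}
```

Run `terraform init` followed by `terraform plan`; the plan shows `api_key = (sensitive)` for each instance while the instance keys remain readable. Terraform 0.15 and later also provide a `nonsensitive()` function for cases where a derived value has been made safe to expose, but it is not available in 0.14, which is why the key-set split above is needed there.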

chrisarcand commented 3 years ago

This is working as intended. The variable sensitivity declared in the configuration defers to Terraform Cloud when variables are marked as sensitive there, with a bias to retain sensitivity.

The limitations of what you can do with sensitive values, even as they are transformed to something unsensitive, are understandable though - and this may be a use case to note for https://github.com/hashicorp/terraform/pull/27341

mbevc1 commented 3 years ago

Cool, thanks!

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.