jason-johnson / azure-pipelines-tasks-terraform

Azure Pipelines extension for Terraform
MIT License

Terraform show doesn't show #59

Open GeorgePalacios opened 3 years ago

GeorgePalacios commented 3 years ago

Describe the bug

When running Terraform show via a DevOps release pipeline, no output is produced, past generic warnings.

As an example, the below output is received - I can see a destroy will occur, but where is the actual output from terraform show?

To Reproduce

Steps to reproduce the behavior:

  1. Set up pipeline as image
  2. Execute pipeline
  3. See logs below

Expected behavior

A human-readable output in the logs for the terraform show step

Pipeline Logs

2021-06-23T10:17:49.8546136Z ##[debug]Evaluating condition for step: 'terraform show'
2021-06-23T10:17:49.8548074Z ##[debug]Evaluating: succeeded()
2021-06-23T10:17:49.8548578Z ##[debug]Evaluating succeeded:
2021-06-23T10:17:49.8549696Z ##[debug]=> True
2021-06-23T10:17:49.8550348Z ##[debug]Result: True
2021-06-23T10:17:49.8551093Z ##[section]Starting: terraform show
2021-06-23T10:17:49.8664654Z ==============================================================================
2021-06-23T10:17:49.8664964Z Task         : Terraform CLI
2021-06-23T10:17:49.8665228Z Description  : Execute terraform cli commands
2021-06-23T10:17:49.8665454Z Version      : 0.6.25
2021-06-23T10:17:49.8665662Z Author       : Charles Zipp
2021-06-23T10:17:49.8665862Z Help         : 
2021-06-23T10:17:49.8666138Z ==============================================================================
2021-06-23T10:17:49.8720848Z ##[debug]Using node path: C:\agents\2.187.2\externals\node\bin\node.exe
2021-06-23T10:17:50.0733662Z ##[debug]agent.TempDirectory=D:\a\_temp
2021-06-23T10:17:50.1088397Z ##[debug]loading inputs and endpoints
2021-06-23T10:17:50.1095139Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2021-06-23T10:17:50.1095814Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2021-06-23T10:17:50.1128665Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2021-06-23T10:17:50.1129331Z ##[debug]loading INPUT_AIINSTRUMENTATIONKEY
2021-06-23T10:17:50.1137317Z ##[debug]loading INPUT_ALLOWTELEMETRYCOLLECTION
2021-06-23T10:17:50.1138430Z ##[debug]loading INPUT_BACKENDAZURERMSTORAGEACCOUNTSKU
2021-06-23T10:17:50.1139449Z ##[debug]loading INPUT_BACKENDTYPE
2021-06-23T10:17:50.1139956Z ##[debug]loading INPUT_COMMAND
2021-06-23T10:17:50.1150959Z ##[debug]loading INPUT_COMMANDOPTIONS
2021-06-23T10:17:50.1151534Z ##[debug]loading INPUT_ENSUREBACKEND
2021-06-23T10:17:50.1152546Z ##[debug]loading INPUT_INPUTTARGETPLANORSTATEFILEPATH
2021-06-23T10:17:50.1153188Z ##[debug]loading INPUT_RUNAZLOGIN
2021-06-23T10:17:50.1154988Z ##[debug]loading INPUT_WORKINGDIRECTORY
2021-06-23T10:17:50.1155680Z ##[debug]loading INPUT_WORKSPACESUBCOMMAND
2021-06-23T10:17:50.1156561Z ##[debug]loaded 14
2021-06-23T10:17:50.1157033Z ##[debug]Agent.ProxyUrl=undefined
2021-06-23T10:17:50.1157927Z ##[debug]Agent.CAInfo=undefined
2021-06-23T10:17:50.1158550Z ##[debug]Agent.ClientCert=undefined
2021-06-23T10:17:50.1168185Z ##[debug]Agent.SkipCertValidation=undefined
2021-06-23T10:17:50.3865447Z ##[debug]allowTelemetryCollection=false
2021-06-23T10:17:50.3866945Z ##[debug]System.TeamFoundationCollectionUri=https://dev.azure.com/medicalprotection/
2021-06-23T10:17:50.3872770Z ##[debug]SYSTEMVSSCONNECTION auth param ACCESSTOKEN = ***
2021-06-23T10:17:50.3873511Z ##[debug]Agent.ProxyUrl=undefined
2021-06-23T10:17:50.3909472Z ##[debug]command=show
2021-06-23T10:17:50.3911466Z ##[debug]command=show
2021-06-23T10:17:50.3917463Z ##[debug]workingDirectory=D:\a\r1\a\Terraform-Recovery-Services-Composition\drop
2021-06-23T10:17:50.3924036Z ##[debug]which 'terraform'
2021-06-23T10:17:50.3932065Z ##[debug]found: 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:50.3933757Z ##[debug]which 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:50.3936420Z ##[debug]found: 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:50.3938875Z ##[debug]C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe arg: version
2021-06-23T10:17:50.3943689Z ##[debug]exec tool: C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe
2021-06-23T10:17:50.3944373Z ##[debug]arguments:
2021-06-23T10:17:50.3944921Z ##[debug]   version
2021-06-23T10:17:50.3951189Z [command]C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe version
2021-06-23T10:17:50.5199712Z Terraform v1.0.0
2021-06-23T10:17:50.5208403Z on windows_amd64
2021-06-23T10:17:50.5250496Z + provider registry.terraform.io/hashicorp/azurerm v2.64.0
2021-06-23T10:17:50.5251977Z + provider registry.terraform.io/hashicorp/random v3.1.0
2021-06-23T10:17:50.5253397Z 
2021-06-23T10:17:50.5254132Z ##[debug]Exit code 0 received from tool 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:50.5407482Z ##[debug]STDIO streams have closed for tool 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:50.5408999Z ##[debug]command=show
2021-06-23T10:17:50.5540842Z ##[debug]secureVarsFile=undefined
2021-06-23T10:17:50.5543211Z ##[debug]secureVarsFile=undefined
2021-06-23T10:17:50.5544161Z ##[debug]secure file name for id undefined = undefined
2021-06-23T10:17:50.5573128Z ##[debug]commandOptions=-no-color
2021-06-23T10:17:50.5574198Z ##[debug]commandOptions=-no-color
2021-06-23T10:17:50.5576157Z ##[debug]inputTargetPlanOrStateFilePath=D:\a\r1\a/Terraform-Recovery-Services-Composition/drop/plan.tfplan
2021-06-23T10:17:50.5577157Z ##[debug]command=show
2021-06-23T10:17:50.5577921Z ##[debug]workingDirectory=D:\a\r1\a\Terraform-Recovery-Services-Composition\drop
2021-06-23T10:17:50.5578751Z ##[debug]which 'terraform'
2021-06-23T10:17:50.5579545Z ##[debug]found: 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:50.5580365Z ##[debug]which 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:50.5581140Z ##[debug]found: 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:50.5582031Z ##[debug]C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe arg: show
2021-06-23T10:17:50.5584633Z ##[debug]C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe arg: -json
2021-06-23T10:17:50.5587280Z ##[debug]C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe arg: -no-color
2021-06-23T10:17:50.5588284Z ##[debug]C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe arg: D:\a\r1\a/Terraform-Recovery-Services-Composition/drop/plan.tfplan
2021-06-23T10:17:50.5589216Z ##[debug]exec tool: C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe
2021-06-23T10:17:50.5589949Z ##[debug]arguments:
2021-06-23T10:17:50.5590613Z ##[debug]   show
2021-06-23T10:17:50.5591249Z ##[debug]   -json
2021-06-23T10:17:50.5592202Z ##[debug]   -no-color
2021-06-23T10:17:50.5593007Z ##[debug]   D:\a\r1\a/Terraform-Recovery-Services-Composition/drop/plan.tfplan
2021-06-23T10:17:52.4319311Z ##[debug]Exit code 0 received from tool 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:52.4324808Z ##[debug]STDIO streams have closed for tool 'C:\hostedtoolcache\windows\terraform\1.0.0\x64\terraform.exe'
2021-06-23T10:17:52.4332854Z ##[debug]inputTargetPlanOrStateFilePath=D:\a\r1\a/Terraform-Recovery-Services-Composition/drop/plan.tfplan
2021-06-23T10:17:52.4334402Z ##[debug]inputTargetPlanOrStateFilePath=D:\a\r1\a/Terraform-Recovery-Services-Composition/drop/plan.tfplan
2021-06-23T10:17:52.4370694Z ##[debug]set TERRAFORM_PLAN_HAS_DESTROY_CHANGES=true
2021-06-23T10:17:52.4373275Z ##[debug]Processed: ##vso[task.setvariable variable=TERRAFORM_PLAN_HAS_DESTROY_CHANGES;isOutput=false;issecret=false;]true
2021-06-23T10:17:52.4374224Z ##[debug]set vso[task.setvariable variable=TERRAFORM_PLAN_HAS_DESTROY_CHANGES] to true
2021-06-23T10:17:52.4402396Z ##[warning]Destroy detected!
2021-06-23T10:17:52.4411444Z ##[debug]Processed: ##vso[task.issue type=warning;]Destroy detected!
2021-06-23T10:17:52.4413970Z ##[debug]allowTelemetryCollection=false
2021-06-23T10:17:52.4415111Z ##[debug]command=show
2021-06-23T10:17:52.4415680Z ##[debug]command=show
2021-06-23T10:17:52.4416238Z ##[debug]executed command 'show'
2021-06-23T10:17:52.4417018Z ##[debug]set TERRAFORM_LAST_EXITCODE=0
2021-06-23T10:17:52.4420641Z ##[debug]Processed: ##vso[task.setvariable variable=TERRAFORM_LAST_EXITCODE;isOutput=false;issecret=false;]0
2021-06-23T10:17:52.4453426Z ##[section]Finishing: terraform show

Agent Configuration

Additional context

Our plan files are being produced at build phase - the file is then contained in an artifact and released via a release pipeline - I want a manual intervention in the release pipeline to check the output of terraform show.

charleszipp commented 3 years ago

@GeorgePalacios, show was never intended to display the plan file in a human readable format. It was only implemented to detect destroy operations. Therefore, all that it currently does is run silently (nothing written to stdout) and set a pipeline variable. At the time this was implemented, it was decided to run show silently due to the risk of exposing secrets/sensitive values in the build logs. This behavior is by design.

I would be willing to reconsider this if the human readable output can be access controlled and deleted. See also #60. The build logs will likely not redact secrets or sensitive values given the fact it's coming from a third party binary. Would you be ok with show revealing secrets or are there some conditions where you would believe this to be ok?
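The check described in the comment above (read `terraform show -json` output, flag destroys), extended into a log-safe summary that masks values Terraform 0.14+ marks sensitive in plan JSON. This is an added example, not part of the thread and not the extension's code; `redact`, `summarisePlan` and the sample plan are hypothetical names and constructed data.

```javascript
// Added example: summarise `terraform show -json <planfile>` output for a build log.
// Reads resource_changes[].change.{actions,before,after,before_sensitive,after_sensitive};
// the *_sensitive maps are present in plan JSON from Terraform 0.14 onward.

// Mask every value flagged in the parallel "sensitive" structure.
function redact(value, sensitive) {
  if (sensitive === true) return "(sensitive)";
  if (Array.isArray(value)) {
    return value.map((v, i) => redact(v, Array.isArray(sensitive) ? sensitive[i] : false));
  }
  if (value !== null && typeof value === "object") {
    const marks = sensitive && typeof sensitive === "object" ? sensitive : {};
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, redact(v, marks[k])])
    );
  }
  return value;
}

function summarisePlan(plan) {
  const lines = [];
  let hasDestroy = false;
  for (const rc of plan.resource_changes || []) {
    const { actions, before, after, before_sensitive, after_sensitive } = rc.change;
    if (actions.length === 1 && actions[0] === "no-op") continue;
    if (actions.includes("delete")) hasDestroy = true; // plain delete or replace
    const oldV = JSON.stringify(redact(before, before_sensitive));
    const newV = JSON.stringify(redact(after, after_sensitive));
    lines.push(`${rc.address}: ${actions.join("+")} ${oldV} -> ${newV}`);
  }
  return { hasDestroy, lines };
}

// Constructed sample shaped like plan JSON; not output from the issue's pipeline.
const samplePlan = {
  resource_changes: [
    { address: "azurerm_resource_group.rg",
      change: { actions: ["delete"], before: { name: "rg-old" }, after: null,
                before_sensitive: {}, after_sensitive: false } },
    { address: "azurerm_key_vault_secret.db",
      change: { actions: ["create"], before: null,
                after: { name: "db-password", value: "s3cr3t-value" },
                before_sensitive: false, after_sensitive: { value: true } } },
  ],
};

const summary = summarisePlan(samplePlan);
console.log(summary.hasDestroy ? "Destroy detected!" : "No destroy", summary.lines);
```

Only values that the provider schema or a `sensitive = true` declaration marks are masked; the plan file and its raw JSON still hold them in cleartext, so those artifacts need their own access control.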

GeorgePalacios commented 3 years ago

https://www.hashicorp.com/blog/terraform-0-14-adds-the-ability-to-redact-sensitive-values-in-console-output

I assumed this could be used.
