orange-cloudfoundry / terraform-provider-credhub

This terraform provider lets you create and retrieve credentials from credhub
Apache License 2.0

Mark datasource attributes as sensitive #5

Open gberche-orange opened 6 years ago

gberche-orange commented 6 years ago

Sensitive fields might benefit from being marked as sensitive, which would redact them in logs/outputs.

ArthurHlt commented 6 years ago

Which fields should be marked as sensitive?

Data sources are here to be used by other providers, and computed fields are not shown (and anyway they would potentially leak into other providers if not marked as sensitive).

Using the generic resource is already a failure because credentials are written directly in the tf file, and I chose to follow vault on this one: https://github.com/terraform-providers/terraform-provider-vault/blob/master/vault/resource_generic_secret.go#L35-L44

Other resources don't store any secret in their fields.

gberche-orange commented 6 years ago

> Which fields should be marked as sensitive?

The datasource fields such as credhub_value.value, credhub_json.json, credhub_password.password ...

This mimics the behavior opted for by the AWS Secrets Manager datasource: https://github.com/terraform-providers/terraform-provider-aws/blob/b1a915bcbeb2566a8f81b37bc6c62e890c36bb5f/aws/data_source_aws_secretsmanager_secret_version.go#L22-L25

True that the vault provider does not yet seem to mark data source fields as sensitive.

I understand that marking sensitive datasource fields as sensitive might help future versions of vault be smarter in handling these values, such as encrypting these fields in the backend.

I agree this might not be a priority.