spacelift-io / terraform-provider-spacelift

Terraform provider to interact with Spacelift
MIT License

Environment variable values should be sensitive only when write_only is enabled #517

Open atorrescogollo opened 7 months ago

atorrescogollo commented 7 months ago

Since the environment variable value is always marked as sensitive, you are not able to see the actual value in the plan. And, especially when you're passing complex data or doing more than just passing a primitive value (e.g. interpolation from other variables), it can be very hard to debug.

I think it should be marked as sensitive only when write_only is enabled. That will be more coherent to the Spacelift UI since there you can see any env var value that is not marked as write_only.

lorengordon commented 6 months ago

I have a similar request for spacelift_mounted_file. It's irritating not to see the diff in the plan.

marcinwyszynski commented 5 months ago

Thanks for raising this @atorrescogollo and @lorengordon!

Sadly, this is a limitation of the Terraform provider SDK - as you can see here, there is no way that the sensitivity of the "value" field can be conditional on some other variable.

Thus, the only way to show plaintext variables in the logs, and not show the secrets, would be to have two separate resources for environment variables (eg. spacelift_plaintext_envvar and spacelift_secret_envvar) and two separate resources for mounted files (eg. spacelift_plaintext_mounted_file and spacelift_secret_mounted_file).

atorrescogollo commented 5 months ago

Thanks @marcinwyszynski . That makes sense. It also might be worth noting that there is a terraform-plugin-sdk issue opened:

I'm personally ok with having the additional plaintext resource since seeing the variables in the plan is quite critical in most of the cases. They are the actual inputs to the stack and most of them won't be secrets.

In the end, that will probably go inside a module anyway so you can create one resource or the other depending on the write_only setting from some variable. And I think recreating them is not that big a task since it would be just like using terraform.
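One way to implement the wrapper-module pattern described above, as an added example that is not part of the issue thread or the provider's own code. It uses the existing `spacelift_environment_variable` resource (attribute names `context_id`, `name`, `value`, `write_only` are taken from the provider documentation as I know it; verify them against your provider version) and works around the always-sensitive `value` field by echoing only the non-`write_only` values through a module output, so their diff is visible in the root plan while secrets never reach plan output. The module path and root resource names are placeholders.

```hcl
# Added example, not code from the issue or the provider. Module: ./modules/spacelift_env
# Requires Terraform >= 1.3 for optional() attributes with defaults.

# ---- variables.tf ----
variable "context_id" {
  type        = string
  description = "Spacelift context that receives the variables"
}

variable "env" {
  description = "Environment variables keyed by name; write_only marks secrets"
  type = map(object({
    value      = string
    write_only = optional(bool, false)
  }))
}

# ---- main.tf ----
resource "spacelift_environment_variable" "this" {
  for_each = var.env

  context_id = var.context_id
  name       = each.key
  value      = each.value.value      # redacted in the plan by the provider schema
  write_only = each.value.write_only # secrets: not readable back from Spacelift
}

# ---- outputs.tf ----
# Non-secret values are echoed here so a root-level output shows their diff in
# the plan. write_only entries are filtered out, so secrets stay out of plan output.
output "plaintext_preview" {
  value = { for k, v in var.env : k => v.value if !v.write_only }
}

# ---- root module usage (placeholder names) ----
# module "ctx_env" {
#   source     = "./modules/spacelift_env"
#   context_id = spacelift_context.app.id
#   env = {
#     LOG_LEVEL   = { value = "debug" }
#     DB_PASSWORD = { value = var.db_password, write_only = true }
#   }
# }
#
# output "ctx_env_preview" {
#   value = module.ctx_env.plaintext_preview
# }
```

Two caveats when using this: any value passed from a root variable declared `sensitive = true` must also be given `write_only = true`, otherwise the filtered output would carry a sensitive value and Terraform refuses to plan unless the output is itself marked sensitive; and the preview output, like the resource values, is written to state, so it only helps with plan readability and does not change what the state file contains.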

marcinwyszynski commented 5 months ago

Fair, I'll mark it as a nice starter task for one of our new devs.