terraform-linters / tflint

A Pluggable Terraform Linter
Mozilla Public License 2.0

Failed to eval a variable marked as sensitive #1457

Closed wata727 closed 2 years ago

wata727 commented 2 years ago

Introduction

Similar to https://github.com/terraform-linters/tflint/issues/1447, an error occurs when a variable marked as sensitive is evaluated.

```hcl
variable "foo" {
  default = 1
  sensitive = true
}

resource "aws_instance" "foo" {
  instance_type = var.foo
}
```

```
Failed to check ruleset; Failed to check `aws_instance_previous_type` rule: value has marks, so it cannot be serialized
```

Expected Behavior

No error occurs.

However, there is room for consideration as to how to handle the value. This error is about serializing the marked cty.Value, and unmarking it could allow the plugin to disclose sensitive values. It will be necessary to consider whether it is the responsibility of the plugin to handle sensitive values or whether a safety guard should be provided by TFLint.

Actual behavior

```
Failed to check ruleset; Failed to check `aws_instance_previous_type` rule: value has marks, so it cannot be serialized
```

Steps to Reproduce

1. Create main.tf

```hcl
variable "foo" {
  default = 1
  sensitive = true
}

resource "aws_instance" "foo" {
  instance_type = var.foo
}
```

2. Create .tflint.hcl

```hcl
plugin "aws" {
  source = "github.com/terraform-linters/tflint-ruleset-aws"
  version = "0.15.0"
  enabled = true
}
```

3. Run `tflint --init`
4. Run `tflint`

Additional Context

```
% tflint -v
TFLint version 0.38.1
+ ruleset.aws (0.15.0)
% terraform -v
Terraform v1.2.3
on linux_amd64
```

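To make the design question in the report concrete, here is an added, self-contained Go sketch of the two options it raises: (A) the host unmarks the value and hands the plugin an explicit sensitivity flag, leaving the plugin responsible for honouring it, versus (B) the host refuses to ship a sensitive payload at all and reports a distinguishable "skipped" condition to the rule runner. This is illustrative code written for this page, not tflint's or go-cty's; the `Value`/`Mark` types are a deliberately simplified stand-in for cty marks (standard library only, so it runs offline), the `PluginValue` wire shape is an assumption, and `t1.micro` is used as a constructed example of a previous-generation instance type for a toy rule in the spirit of `aws_instance_previous_type`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Mark is a label attached to a value. Terraform uses the "sensitive" mark
// for variables declared with sensitive = true.
type Mark string

const Sensitive Mark = "sensitive"

// Value is a simplified stand-in for cty.Value (not the go-cty API): a raw
// Go value plus the set of marks carried with it.
type Value struct {
	Raw   any
	Marks map[Mark]struct{}
}

// Val wraps a raw value with no marks.
func Val(raw any) Value { return Value{Raw: raw, Marks: map[Mark]struct{}{}} }

// WithMark returns a copy of v that additionally carries mark m.
func (v Value) WithMark(m Mark) Value {
	marks := make(map[Mark]struct{}, len(v.Marks)+1)
	for k := range v.Marks {
		marks[k] = struct{}{}
	}
	marks[m] = struct{}{}
	return Value{Raw: v.Raw, Marks: marks}
}

// HasMark reports whether v carries mark m.
func (v Value) HasMark(m Mark) bool {
	_, ok := v.Marks[m]
	return ok
}

// ErrMarked reproduces the failure in the report: a marked value reaches the
// serializer that ships values to the plugin, and the serializer refuses it.
var ErrMarked = errors.New("value has marks, so it cannot be serialized")

// Serialize encodes v for the plugin wire format; marked values are rejected.
func Serialize(v Value) ([]byte, error) {
	if len(v.Marks) > 0 {
		return nil, ErrMarked
	}
	return json.Marshal(v.Raw)
}

// PluginValue is the assumed shape that crosses the host/plugin boundary:
// the payload plus an explicit flag, so the mark's information is not lost.
type PluginValue struct {
	Payload   json.RawMessage `json:"payload"`
	Sensitive bool            `json:"sensitive"`
}

// EncodeForPlugin is option A: the host strips the mark, sends the real
// value, and relies on the plugin to honour the Sensitive flag.
func EncodeForPlugin(v Value) (PluginValue, error) {
	payload, err := Serialize(Val(v.Raw)) // marks dropped; flag carries them
	if err != nil {
		return PluginValue{}, err
	}
	return PluginValue{Payload: payload, Sensitive: v.HasMark(Sensitive)}, nil
}

// ErrSensitiveSkipped tells the rule runner a rule was not evaluated because
// the host declined to disclose a sensitive value (a skip, not a failure).
var ErrSensitiveSkipped = errors.New("sensitive value: rule evaluation skipped by host guard")

// GuardedEncode is option B: a sensitive value never leaves the host. The
// plugin receives a null payload plus the flag, and the runner gets a
// distinguishable error instead of a generic serialization failure.
func GuardedEncode(v Value) (PluginValue, error) {
	if v.HasMark(Sensitive) {
		return PluginValue{Payload: json.RawMessage("null"), Sensitive: true}, ErrSensitiveSkipped
	}
	return EncodeForPlugin(v)
}

// CheckInstanceType models a plugin-side rule: it reports a finding for the
// constructed previous-generation type "t1.micro" and refuses to inspect or
// echo a value flagged sensitive. It returns "" when there is nothing to report.
func CheckInstanceType(pv PluginValue) (string, error) {
	if pv.Sensitive {
		return "", nil // never compare or print a sensitive value
	}
	var instanceType string
	if err := json.Unmarshal(pv.Payload, &instanceType); err != nil {
		return "", err
	}
	if instanceType == "t1.micro" {
		return fmt.Sprintf("%q is a previous generation instance type", instanceType), nil
	}
	return "", nil
}

func main() {
	v := Val("t1.micro").WithMark(Sensitive)
	_, err := Serialize(v)
	fmt.Println("plain serialize:", err)
	pv, _ := EncodeForPlugin(v)
	finding, _ := CheckInstanceType(pv)
	fmt.Printf("option A: sensitive=%v finding=%q\n", pv.Sensitive, finding)
	gv, err := GuardedEncode(v)
	fmt.Printf("option B: payload=%s err=%v\n", gv.Payload, err)
}
```

The difference between the two options is where trust sits: under A every plugin rule must remember to check the flag before it compares or echoes a value, so one forgetful rule can leak a secret into a finding or log; under B the host enforces the guard once, at the cost of silently skipping rules that could have evaluated a sensitive value safely.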
bryant-finney commented 2 years ago

👋 Hello!

I am also experiencing this issue. From my CI job logs:

```
$ tflint --version
TFLint version 0.39.3
$ tflint --init
Installing `aws` plugin...
Installed `aws` (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.16.1)
$ tflint --format=junit . >tflint-junit.xml
Failed to check ruleset; Failed to check `aws_secretsmanager_secret_version_invalid_secret_string` rule: value has marks, so it cannot be serialized
```

As a workaround, I disabled the `aws_secretsmanager_secret_version_invalid_secret_string` rule (based on the user guide's "Configuring TFLint: rule blocks") by adding the following to my .tflint.hcl configuration file:

```hcl
rule "aws_secretsmanager_secret_version_invalid_secret_string" {
  enabled = false
}
```