-
Notifications
You must be signed in to change notification settings - Fork 9.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New for_each validation rejects secrets as values #28426
Comments
I can confirm that this is a problem - and moreover, it's doubly annoying because 0.15 now marks some provider outputs as sensitive, for example aws_iam_access_key.ses_smtp_password_v4 is now considered sensitive automatically. |
@WhyNotHugo Thanks for the report! I'm having trouble trying to reproduce this issue. Can you please give a full example of a variable definition and value, and a resource using this? Ideally please use We have been working on some improvements to sensitivity handling in various functions (see #28460 for more details). The upcoming 0.15.1 release might have already fixed this, but I'd like to verify that. |
It does seem like newer versions improved things somewhat (I could remove workarounds for some simpler examples), but it's still pretty easy to confuse sensitivity propagation. This is a simplified example of a real configuration that's still breaking on 0.15.3:
|
@piotr-jagiello Thanks for that example. In this case the problem is the Can you please open another issue with that reproduction case, so that we can track & fix it separately from this issue? Please @ me in the issue. |
@WhyNotHugo I'm confident that this issue has been resolved in 0.15.3, so I'm going to close this for now. If you still see the same problem, please reopen with a config showing the problem and I'll be happy to look into it. Thanks! |
Honestly, I can't think of how to use Here's an actual read-world example though: resource "aws_ssm_parameter" "Secrets" {
for_each = {
for secret in flatten([values(local.secret_params)]) :
secret.name => secret.value
}
name = each.key
type = "SecureString"
value = each.value
}
(This is a very simplified version of things though). |
Oh, looks like this was closed while I was typing 😅 |
Are you still seeing the issue on 0.15.3? |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
I use this pattern (and other similar) to handle secrets:
Note that secrets are values in that map but not keys, so resource instance keys include no secrets -- only their names.
Terraform Version
Terraform Configuration Files
Debug Output
Expected Behavior
Terraform should let me use non-secrets as instance keys.
This worked fine in 0.14.10.
Since the keys have no secrets (only the values do), there are no secrets in the resource instance names.
Actual Behavior
The
for_each
validation is overzealous, and rejects secrets being present in map values.It should only reject them being in mapping keys.
Steps to Reproduce
See example above.
Additional Context
This validation actually reduces security. The only way to work around this (and several similar issues) seems to be to UNMARK secrets as such so they'll be allowed here -- but this also means they WILL be exposed.
The pre 0.15 behaviour was actually safer, by no trying to be overprotective.
The text was updated successfully, but these errors were encountered: