0
votes

When performing terraform plan, if an azurerm_kubernetes_cluster (Azure) resource exists in the state, Terraform will print some information from kube_config which seems sensitive.

Example printout (all the ... values get printed):

kube_config = [
    {
        client_certificate     = (...)
        client_key             = (...)
        cluster_ca_certificate = (...)
        host                   = (...)
        password               = (...)
    }
]

I'm not exactly sure WHICH of those values are sensitive, but password probably is...right?

On the other hand, Terraform does seem to have some knowledge of which values are sensitive, as it does print the client_secret this way:

service_principal {
    client_id     = "(...)"
    client_secret = (sensitive value)
}

So, my questions would be:

  1. Are those values actually sensitive?
  2. If so, is there a way to instruct terraform to mask those values in the plan?

Versions we are using:

provider "azurerm" {
  version = "~>1.37.0"
}

The reason why this is problematic is that we pipe the plan into a GitHub PR comment.

Thanks

2
What version of the Azure provider are you using? This was fixed back in v1.6.0, which was released back in May 2018. Fix was in github.com/terraform-providers/terraform-provider-azurerm/… (ydaetskcoR)
@ydaetskcoR I updated my question with the version. I do see that those were fixed as per your link, which adds to my confusion. (fredericouimet)

2 Answers

0
votes

Are those values actually sensitive?

Yes, they are sensitive data. Actually they are the config that you need to use to control the AKS cluster. It's the AKS credential. I think it's necessary to output these data; just suppose that you only have Terraform and use it to create an AKS cluster: if Terraform does not output the credential, you cannot control your AKS cluster.

If so, is there a way to instruct terraform to mask those values in the plan?

According to the explanation above, you should not worry about the sensitive data in the Terraform state file. What you need to care about is how to protect the state file. I suggest you store the Terraform state file in Azure Storage; then you can encrypt it. Follow the steps in Store Terraform state in Azure Storage.

0
votes

Terraform now offers the ability to set variables as sensitive, and outputs as sensitive.

variable example:

variable "user_information" {
  type = object({
    name = string
    address = string
  })
  sensitive = true
}

output example:

output "db_password" {
  value       = aws_db_instance.db.password
  description = "The password for logging in to the database."
  sensitive   = true
}

However, as of July 1, 2021, there is no option to hide plan output for something that isn't derived from a sensitive input.

References:

https://www.hashicorp.com/blog/terraform-0-14-adds-the-ability-to-redact-sensitive-values-in-console-output

https://www.terraform.io/docs/language/values/outputs.html
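Neither answer gives a way to keep the kube_config values out of a plan that is pasted into a pull request comment, which is the pipeline the question describes. The following added example (not code from the question, the answers, or the azurerm provider) takes the other available defensive step: it filters the plan text itself before it leaves the CI job, replacing the value of every credential attribute named in the question's printout with "(redacted)". The sample plan excerpt, its values and the REDACT_KEYS list are constructed assumptions for this example; the attribute names come from the question.

```shell
#!/bin/sh
# Added example, not from the question or either answer: post-process the text
# of `terraform plan` so the kube_config credential values are replaced with
# "(redacted)" before the plan is pasted into a pull request comment.
# The attribute names come from the question's printout; the sample plan text
# and every value in it are constructed for this example.

# Constructed excerpt of a plan, modelled on the question's printout.
SAMPLE_PLAN='
  # azurerm_kubernetes_cluster.example will be created
  + resource "azurerm_kubernetes_cluster" "example" {
      + kube_config = [
          + {
              + client_certificate     = "LS0tLS1CRUdJTi...constructed..."
              + client_key             = "LS0tLS1CRUdJTi...constructed..."
              + cluster_ca_certificate = "LS0tLS1CRUdJTi...constructed..."
              + host                   = "https://example-aks.example.invalid:443"
              + password               = "constructed-password-value"
              + username               = "clusterUser_example"
            },
        ]
      + service_principal {
          + client_id     = "00000000-0000-0000-0000-000000000000"
          + client_secret = (sensitive value)
        }
    }
'

# Attribute names whose values must never reach the PR comment. The list is an
# assumption for this example; extend it for other attributes or providers.
REDACT_KEYS='client_certificate client_key cluster_ca_certificate password username'

# redact_plan: read plan text on stdin; for every line of the form
# "<indent>[+~-] name = value" whose name is in REDACT_KEYS, keep everything up
# to the "=" and replace the value with "(redacted)". All other lines pass
# through unchanged, so lines Terraform already masks keep "(sensitive value)".
redact_plan() {
  awk -v keys="$REDACT_KEYS" '
    BEGIN { n = split(keys, arr, " "); for (i = 1; i <= n; i++) want[arr[i]] = 1 }
    {
      if (match($0, /^ *[-+~]? *[A-Za-z_][A-Za-z0-9_]* *=/)) {
        prefix = substr($0, 1, RLENGTH)
        name = prefix
        gsub(/[ =+~-]/, "", name)   # strip indent, change marker and "="
        if (name in want) { print prefix " (redacted)"; next }
      }
      print
    }'
}

# redacted_sample: the constructed plan after redaction (what would be posted).
redacted_sample() {
  printf '%s\n' "$SAMPLE_PLAN" | redact_plan
}

# count_leaks: number of redacted lines that still carry one of the constructed
# secret values; 0 means the filter caught every credential line.
count_leaks() {
  redacted_sample | grep -cE 'LS0tLS1CRUdJTi|constructed-password-value|clusterUser_example' || true
}

# Typical use in CI:  terraform plan -no-color | redact_plan > plan_for_comment.txt
redacted_sample
echo "leaked secret values after redaction: $(count_leaks)"
```

The filter is deliberately line-oriented: it keys on the attribute name to the left of the "=", so it does not depend on what the value looks like and works for both the question's "(...)" style and real quoted values. The host attribute is left visible here because it is the API endpoint rather than a credential; add it to REDACT_KEYS if the cluster address should not appear in the PR either. Storing the unredacted plan only as a CI artifact with restricted access, and posting the filtered copy, keeps the full plan available to reviewers who need it.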