Suddenly sensitive resource attributes are exposed by "terraform show" in latest Terraform version 1.4.x #33055

Closed
Nantero1 opened this issue Apr 20, 2023 · 5 comments · Fixed by #33059
Labels
bug confirmed a Terraform Core team member has reproduced this issue explained a Terraform Core team member has described the root cause of this issue in code

Comments

@Nantero1

Nantero1 commented Apr 20, 2023

Terraform Version

Terraform v1.4.5
on windows_amd64
+ provider registry.terraform.io/confluentinc/confluent v1.36.0
+ provider registry.terraform.io/hashicorp/azuread v2.37.1
+ provider registry.terraform.io/hashicorp/azurerm v3.51.0
+ provider registry.terraform.io/hashicorp/external v2.3.1
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/time v0.9.1

Terraform Configuration Files

terraform {
  required_version = ">= 1.3.2"

  backend "azurerm" {}

  required_providers {
    confluent = {
      source  = "confluentinc/confluent"
      version = "~> 1.36.0"
    }
  }
}

Please note the required_providers, I experience the issue with THIS provider, but it could be a more general issue and other providers might also be affected.

Debug Output

I am sorry, I think it is not needed at the moment. Please let me know if you think debug output is important.

Expected Behavior

Like in previous terraform versions (tested with 1.3.9), resource attributes marked as sensitive by a provider shall not be exposed in the terraform show statement, but masked behind a (sensitive value) placeholder.

Actual Behavior

There was a change in behaviour: in Terraform 1.3.9, resource attributes marked as "sensitive" by a provider were masked by the text (sensitive value). Now, in Terraform 1.4.5, these values are exposed and can be seen in clear text. No change of provider version happened; the only thing changed was the Terraform version used.

Please see the attached screenshot. On the left hand side the output of Terraform 1.4.5 (values exposed), on the right hand side the output of Terraform 1.3.9 (sensitive values masked). Same code, same provider versions, only the Terraform version changed.

[Image: screenshot]

Steps to Reproduce

  1. Use a terraform module which utilizes attributes marked as sensitive
  2. Use this terraform module to create an example resource
  3. Run "terraform init" and "terraform apply"
  4. Observe the output of terraform show, sensitive values are exposed in latest terraform version.

Additional Context

No response

References

Reported this issue also to the affected provider, in case it is not terraform specific.

@Nantero1 Nantero1 added bug new new issue not yet triaged labels Apr 20, 2023
@Nantero1 Nantero1 changed the title Suddently sensitive values are exposed by "terraform show" in latest Terraform version 1.4.5 Suddently sensitive resource attributes are exposed by "terraform show" in latest Terraform version 1.4.5 Apr 20, 2023
@Nantero1 Nantero1 changed the title Suddently sensitive resource attributes are exposed by "terraform show" in latest Terraform version 1.4.5 Suddenly sensitive resource attributes are exposed by "terraform show" in latest Terraform version 1.4.5 Apr 20, 2023
@Nantero1
Author

Nantero1 commented Apr 20, 2023

Tested all versions starting from 1.4.0. All versions starting with 1.4.0 show this behaviour. The breaking change happened between version 1.3.9 and 1.4.0. Will check if I can find other providers besides confluent suffering from this sensitive resource attribute exposure.

The documentation reads:

Note: When using the -json command-line flag, any sensitive values in Terraform state will be displayed in plain text. For more information, see Sensitive Data in State.

But this contradicts the behaviour described above... I see sensitive values even in non-json terraform show output.

It could be that this is not "a bug", but some serious breaking change which I am not aware of. Sorry for opening this, if this is the case.

@Nantero1 Nantero1 changed the title Suddenly sensitive resource attributes are exposed by "terraform show" in latest Terraform version 1.4.5 Suddenly sensitive resource attributes are exposed by "terraform show" in latest Terraform version 1.4.x Apr 20, 2023
@felixboehm

yes, attributes flagged as sensitive are shown in clear text - this is very dangerous.

@liamcervante liamcervante self-assigned this Apr 20, 2023
@liamcervante liamcervante added confirmed a Terraform Core team member has reproduced this issue and removed new new issue not yet triaged labels Apr 20, 2023
@liamcervante
Member

Hi @Nantero1, thanks for filing this.

This is indeed a bug, and we'll have a fix in place for v1.4.6 which should be released next week.

@liamcervante
Member

liamcervante commented Apr 20, 2023

I'll just add a little explainer here for why this happened.

The terraform show -json command is failing to include the sensitive information from the schema in the produced JSON output. This is the case for v1.3 and v1.4, so in v1.3.9 if you run terraform show -json with the reproduction case here you will see that the sensitive fields are missing from the sensitive_values field in the output. As noted by Nantero1 the JSON output doesn't elide sensitive values anyway, so this missing metadata wasn't picked up before now.

The new renderer we launched in 1.4 processes the structured JSON data produced by the terraform show -json command for both the state and the plan while previously the renderer used an internal representation of the state and plan as the starting point. This is why we only started seeing the issue now, as the new renderer required that missing metadata in order to know that a field should be elided.

A workaround for this issue until we release 1.4.6 would be to mark a value as sensitive in the config, either by using the sensitive function or by wrapping the value in a variable marked as sensitive. The state JSON output is correctly including sensitive metadata provided by the configuration, and correctly eliding the required attributes this way.
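
The gap described in the explainer above (provider-schema sensitivity not reaching sensitive_values in the state JSON) can be checked for by comparing the two JSON documents. This is an added example, not Terraform's own code and not part of the original comment; the provider, the resource type example_api_key and both sample documents are constructed, and the script assumes the documented layouts of terraform providers schema -json and terraform show -json and checks top-level attributes only.

```python
# Constructed stand-in for `terraform providers schema -json` (hypothetical provider/resource).
SCHEMA = {"provider_schemas": {"registry.example/acme/example": {"resource_schemas": {
    "example_api_key": {"block": {"attributes": {
        "id": {"type": "string", "computed": True},
        "secret": {"type": "string", "computed": True, "sensitive": True}}}}}}}}

# Constructed stand-in for `terraform show -json`: one resource lacks the marker, one has it.
STATE = {"format_version": "1.0", "values": {"root_module": {
    "resources": [{"address": "example_api_key.buggy", "mode": "managed",
                   "type": "example_api_key",
                   "values": {"id": "k-1", "secret": "CONSTRUCTED-VALUE"},
                   "sensitive_values": {}}],
    "child_modules": [{"address": "module.m", "resources": [{
        "address": "module.m.example_api_key.ok", "mode": "managed",
        "type": "example_api_key",
        "values": {"id": "k-2", "secret": "CONSTRUCTED-VALUE"},
        "sensitive_values": {"secret": True}}]}]}}}

def schema_sensitive_attrs(schema_doc):
    """Map resource type -> top-level attribute names the provider schema marks sensitive."""
    out = {}
    for provider in schema_doc.get("provider_schemas", {}).values():
        for rtype, rschema in provider.get("resource_schemas", {}).items():
            attrs = rschema.get("block", {}).get("attributes", {})
            names = {n for n, a in attrs.items() if a.get("sensitive")}
            if names:
                out.setdefault(rtype, set()).update(names)
    return out

def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unmasked_sensitive(state_doc, schema_doc):
    """Return (address, attribute) pairs that are set in state but not flagged sensitive."""
    wanted = schema_sensitive_attrs(schema_doc)
    root = state_doc.get("values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("mode") != "managed":  # data sources use a separate schema table
            continue
        for name in sorted(wanted.get(res.get("type"), ())):
            present = res.get("values", {}).get(name) is not None
            if present and res.get("sensitive_values", {}).get(name) is not True:
                findings.append((res["address"], name))
    return findings

if __name__ == "__main__":
    print(unmasked_sensitive(STATE, SCHEMA))
```

Any pair it reports is an attribute the human-readable renderer would have no metadata to elide; with real data, load the two command outputs with json.load and pass them in place of the constructed samples.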

@github-actions
Contributor

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 25, 2023