Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Diagnostics.AddAttributeWarning does not redact value for attribute marked as sensitive #1006

Open
alexhung opened this issue May 29, 2024 · 2 comments
Open

Diagnostics.AddAttributeWarning does not redact value for attribute marked as sensitive #1006

alexhung opened this issue May 29, 2024 · 2 comments
Assignees
@bflad
Labels
bug Something isn't working upstream-terraform Issues that relate to Terraform CLI changes

Comments

@alexhung
Copy link

The warning message for an attribute that has been marked as "Sensitive" shows the value in the console.

I suspect similar misbehavior for error message?

Module version

github.com/hashicorp/terraform-plugin-framework v1.8.0

Relevant provider source code

resp.Diagnostics.AddAttributeWarning(
	req.Path,
	"Usage of GPG can't be validated.",
	"Due to limitations of go libraries, your GPG key can't be validated client side.",
)

Terraform Configuration Files

N/A

Debug Output

│ Warning: Usage of GPG can't be validated.

│   with artifactory_keypair.some-keypair-6543461672124900137,
│   on cdk.tf.json line 2802, in resource.artifactory_keypair.some-keypair-6543461672124900137:
│ 2802:         "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK-----  <redacted> -----END PGP PRIVATE KEY BLOCK-----",

│ Due to limitations of go libraries, your GPG key can't be validated client
│ side.

Expected Behavior

The value of the sensitive attribute should either be redacted or hidden completely.

Actual Behavior

The value is output verbatim to the console.

Steps to Reproduce

N/A

References

Issue from practitioner: jfrog/terraform-provider-artifactory#977

Source code: https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/resource/security/resource_artifactory_keypair.go#L114 and https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/resource/security/resource_artifactory_keypair.go#L284
@alexhung alexhung added the bug Something isn't working label May 29, 2024
@bflad
Copy link
Contributor

bflad commented May 29, 2024

Hi @alexhung 👋 Thank you for raising this.

Setting an attribute Sensitive flag should signal to Terraform across the plugin protocol that it should treat any values of that attribute as sensitive data and not directly display them in output. The configuration context shown in warning and error diagnostics is handled by Terraform and if Terraform is not honoring the attribute sensitive behavior, this issue should be raised in the Terraform issue tracker instead as there is nothing else that the provider side of the protocol can do to change or further influence this display of the value in that context.

As a temporary workaround, you should be able to remove the attribute path information from the diagnostic (e.g. use (diag.Diagnostics).AddWarning() instead) to prevent the direct display of the value. The configuration context shown by Terraform should then only show the configuration line of the resource block instead.

@bflad bflad self-assigned this May 29, 2024
@bflad bflad added the upstream-terraform Issues that relate to Terraform CLI changes label May 29, 2024
@alexhung
Copy link
Author

@bflad Thanks for the comment! I'll switch to using AddWarning() for now.

Should I open the issue in https://github.com/hashicorp/terraform or would you do that internally?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bflad bflad

Labels
bug Something isn't working upstream-terraform Issues that relate to Terraform CLI changes
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexhung @bflad