Terraform module displays sensitive outputs in plain text garden.io #🌱

Terraform module displays sensitive outputs in pla...

mammoth-flag-56137

01/16/2023, 3:38 AM

Copy code

ℹ Remaining tasks 0
ℹ Remaining tasks 0

Done! 
Done flushing all events and log entries.
success: true
result:
*snip*
          dependencyResults:
            get-service-status.infrastructure-aws:
              type: get-service-status
              key: get-service-status.infrastructure-aws
              name: infrastructure-aws
              description: >-
                getting status for service 'infrastructure-aws' (from module
                'infrastructure-aws')
              completedAt: '2023-01-16T03:10:10.798Z'
              batchId: 2b6e44f4-32f1-42a1-b55a-98ffeed8d8b0
              output:
                state: ready
                version: v-2570f839d4
                outputs:
                  access_key: x <<<<<< sensitive
                  connect_client_registry: >-
                    x
                  connect_db_password: x <<<<<< sensitive
                  connect_s3_document: >-
                    x
                  connect_s3_export: >-
                    x
                  connect_server_registry: >-
                    x
                  keycloak_admin_password: x <<<<<< sensitive
                  keycloak_db_password: x <<<<<< sensitive
                  keycloak_registry: >-
                    x
                  kms_key_id: >-
                    x
                  one_client_registry: >-
                    x
                  one_db_password: x <<<<<< sensitive
                  one_pricing_registry: >-
                    x
                  one_s3_document: >-
                    x
                  one_s3_export: >-
                    x
                  one_s3_pricing_backup: >-
                    x
                  one_server_registry: >-
                    x
                  pricing_db_password: x <<<<<< sensitive
                  secret_key: x <<<<<< sensitive
                  user_arn: >-
                    x

mammoth-flag-56137

01/16/2023, 3:40 AM

outputs.tf

Copy code

output "one_db_password" {
  value     = x
  sensitive = true
}

output "connect_db_password" {
  value     = x
  sensitive = true
}

output "pricing_db_password" {
  value     = x
  sensitive = true
}

output "keycloak_db_password" {
  value     = x
  sensitive = true
}

etc garden.yml

Copy code

kind: Module
description: AWS Shared Product Infrastructure
type: terraform
name: infrastructure-aws
variables:
  production: ${var.aws.production}
  backups: ${var.aws.backups}
  cluster_name: ${var.eks.cluster_name}
  namespace: "${replace(kebabCase(environment.fullName), '-', '_')}"
  dashed_lower_namespace: "${lower(replace(kebabCase(environment.fullName), '_', '-'))}"
  use_default_passwords: ${var.use_default_passwords}
  region: ${var.aws.region}
  s3_region: ${var.aws.s3_region}
  access_key: ${var.aws.access_key}
  secret_key: ${var.aws.secret_key}

  connect_rds: ${var.connect.database}
  one_rds: ${var.one.database}
  pricing_rds: ${var.one.pricing.database}
  keycloak_rds: ${var.keycloak.database}
  vanta_resource_owner: ${var.vanta.resource_owner}

mammoth-flag-56137

01/16/2023, 3:40 AM

garden --env=$ENVIRONMENT $IMAGE_VARS --yes -l=silly -o=yaml deploy

is this because of

-l=silly

mammoth-flag-56137

01/16/2023, 3:42 AM

this is garden

0.12.43

btw, though i dont see anything in the changelog for newer versions about this

quaint-dress-831

01/16/2023, 6:31 PM

Hi @mammoth-flag-56137 I'd submit this as a bug 🐛 on GitHub

mammoth-flag-56137

01/19/2023, 1:38 AM

https://github.com/garden-io/garden/issues/3550

quaint-dress-831

01/23/2023, 1:53 PM

As we now have a GitHub issue for this, I'm marking this as resolved just to help our support team with triage.

Previous Next