mark secret variables as sensitive #320

Merged
merged 2 commits into from
Oct 23, 2023


LesnyRumcajs
Member

Summary of changes
Changes introduced in this pull request:

  • Applying some sensible practices from the TF book: make secrets in Terraform variables sensitive so they are not logged when running plan or apply. This reduces the chance of an accidental secret leak.

Reference issue to close (if applicable)

Closes

Other information and links

https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables
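
An added example of the pattern the description above refers to, not code from this pull request or from the repository it changes. The variable, resource and output names and the droplet settings are hypothetical sample values.

```hcl
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

# Before (kept as a comment): a plain string variable. Every attribute built
# from it is printed in full by `terraform plan` and `terraform apply`,
# including in CI logs and plan comments posted to pull requests.
#
# variable "api_token" {
#   type = string
# }

# After: Terraform renders the value as "(sensitive value)" in CLI output.
variable "api_token" {
  description = "Hypothetical service token passed to the droplet"
  type        = string
  sensitive   = true
}

resource "digitalocean_droplet" "example" {
  name   = "example"          # sample value
  image  = "ubuntu-22-04-x64" # sample value
  region = "fra1"             # sample value
  size   = "s-1vcpu-1gb"      # sample value

  # Sensitivity propagates: an expression that interpolates a sensitive value
  # is itself sensitive, so the whole user_data attribute is redacted.
  user_data = <<-EOT
    #!/bin/bash
    echo "API_TOKEN=${var.api_token}" >> /etc/environment
  EOT
}

# An output derived from a sensitive value must be marked sensitive as well;
# without it Terraform stops with "Output refers to sensitive values".
output "auth_header" {
  value     = "Authorization: Bearer ${var.api_token}"
  sensitive = true
}
```

`sensitive = true` only redacts CLI and UI output. The value is still written in plain text to the state file and to saved plan files, so the state backend and any stored `tfplan` artifacts need their own access controls.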

@LesnyRumcajs LesnyRumcajs requested a review from a team as a code owner October 20, 2023 08:41
@LesnyRumcajs LesnyRumcajs requested review from ruseinov and hanabi1224 and removed request for a team October 20, 2023 08:41
@github-actions

Forest: New Relic Infrastructure Plan: success

data.newrelic_alert_policy.golden_signals: Reading...
newrelic_one_dashboard_json.forest_dashboard["forest-calibnet"]: Refreshing state... [id=Mzk0MjU3NXxWSVp8REFTSEJPQVJEfGRhOjI3NzgzNw]
newrelic_alert_policy.alert: Refreshing state... [id=1214150]
newrelic_notification_channel.slack-channel: Refreshing state... [id=1ef8ab87-4b3f-42f2-99f4-90e6d1c884fb]
newrelic_one_dashboard_json.forest_dashboard["forest-mainnet"]: Refreshing state... [id=Mzk0MjU3NXxWSVp8REFTSEJPQVJEfGRhOjI3NzgzNg]
data.newrelic_alert_policy.golden_signals: Read complete after 2s [id=1097781]
newrelic_nrql_alert_condition.disk_space: Refreshing state... [id=1214150:4556648]
newrelic_nrql_alert_condition.container_issue: Refreshing state... [id=1214150:4556650]
newrelic_workflow.slack_workflow: Refreshing state... [id=f39e9d25-248e-4e81-a7ce-cbe6f6faa20d]
newrelic_nrql_alert_condition.host_down: Refreshing state... [id=1214150:4556649]
newrelic_nrql_alert_condition.forestmainnet_not_working: Refreshing state... [id=1214150:4556651]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # newrelic_nrql_alert_condition.container_issue will be updated in-place
  ~ resource "newrelic_nrql_alert_condition" "container_issue" {
      ~ enabled                        = false -> true
        id                             = "1214150:4556650"
        name                           = "Container Issue"
        # (15 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # newrelic_nrql_alert_condition.disk_space will be updated in-place
  ~ resource "newrelic_nrql_alert_condition" "disk_space" {
      ~ enabled                        = false -> true
        id                             = "1214150:4556648"
        name                           = "High Disk Utilization"
        # (15 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # newrelic_nrql_alert_condition.forestmainnet_not_working will be updated in-place
  ~ resource "newrelic_nrql_alert_condition" "forestmainnet_not_working" {
      ~ enabled                        = false -> true
        id                             = "1214150:4556651"
        name                           = "Forest not working"
        # (15 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # newrelic_nrql_alert_condition.host_down will be updated in-place
  ~ resource "newrelic_nrql_alert_condition" "host_down" {
      ~ enabled                        = false -> true
        id                             = "1214150:4556649"
        name                           = "Host Down"
        # (15 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # newrelic_one_dashboard_json.forest_dashboard["forest-calibnet"] will be updated in-place
  ~ resource "newrelic_one_dashboard_json" "forest_dashboard" {
        id         = "Mzk0MjU3NXxWSVp8REFTSEJPQVJEfGRhOjI3NzgzNw"
      # Warning: this attribute value will be marked as sensitive and will not
      # display in UI output after applying this change. The value is unchanged.
      ~ json       = (sensitive value)
        # (4 unchanged attributes hidden)
    }

  # newrelic_one_dashboard_json.forest_dashboard["forest-mainnet"] will be updated in-place
  ~ resource "newrelic_one_dashboard_json" "forest_dashboard" {
        id         = "Mzk0MjU3NXxWSVp8REFTSEJPQVJEfGRhOjI3NzgzNg"
      # Warning: this attribute value will be marked as sensitive and will not
      # display in UI output after applying this change. The value is unchanged.
      ~ json       = (sensitive value)
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 6 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

@github-actions

Forest: Mainnet Infrastructure Plan: success

module.mainnet.data.digitalocean_ssh_keys.keys: Reading...
module.mainnet.data.digitalocean_project.forest_project: Reading...
module.mainnet.data.digitalocean_ssh_keys.keys: Read complete after 1s [id=ssh_keys/14512061520513425405]
module.mainnet.digitalocean_droplet.forest: Refreshing state... [id=379938230]
module.mainnet.digitalocean_firewall.forest_firewall: Refreshing state... [id=f061834f-f10c-402c-88d5-b27cb7e491f4]
module.mainnet.data.digitalocean_project.forest_project: Read complete after 2s [id=da5e6601-7fd9-4d02-951e-390f7feb3411]
module.mainnet.digitalocean_project_resources.connect_forest_project: Refreshing state... [id=da5e6601-7fd9-4d02-951e-390f7feb3411]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.mainnet.digitalocean_droplet.forest will be updated in-place
  ~ resource "digitalocean_droplet" "forest" {
        id                   = "379938230"
        name                 = "forest-mainnet"
        tags                 = [
            "mainnet",
        ]
      # Warning: this attribute value will be marked as sensitive and will not
      # display in UI output after applying this change. The value is unchanged.
      ~ user_data            = (sensitive value)
        # (23 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

@ruseinov ruseinov enabled auto-merge (squash) October 23, 2023 09:43
@ruseinov ruseinov merged commit 0702313 into main Oct 23, 2023
8 checks passed
@github-actions

Forest: Sync Check Service Infrastructure Plan: success

module.sync_check.data.local_file.init: Reading...
module.sync_check.data.external.sources_tar: Reading...
module.sync_check.data.local_file.init: Read complete after 0s [id=501f0297b57db69c50eea6520e305a4faf9e058c]
module.sync_check.data.external.sources_tar: Read complete after 0s [id=-]
module.sync_check.data.digitalocean_project.forest_project: Reading...
module.sync_check.data.digitalocean_ssh_keys.keys: Reading...
module.sync_check.data.local_file.sources: Reading...
module.sync_check.data.local_file.sources: Read complete after 0s [id=3f2b9b8740b7e9ebd96b55c1a1cff3048b5e78af]
module.sync_check.data.digitalocean_ssh_keys.keys: Read complete after 0s [id=ssh_keys/14512061520513425405]
module.sync_check.digitalocean_droplet.forest: Refreshing state... [id=378303761]
module.sync_check.data.digitalocean_project.forest_project: Read complete after 1s [id=da5e6601-7fd9-4d02-951e-390f7feb3411]
module.sync_check.digitalocean_project_resources.connect_forest_project: Refreshing state... [id=da5e6601-7fd9-4d02-951e-390f7feb3411]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.sync_check.digitalocean_droplet.forest will be updated in-place
  ~ resource "digitalocean_droplet" "forest" {
        id                   = "378303761"
        name                 = "forest-sync-check"
        tags                 = [
            "iac",
        ]
      # Warning: this attribute value will be marked as sensitive and will not
      # display in UI output after applying this change. The value is unchanged.
      ~ user_data            = (sensitive value)
        # (23 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

@github-actions

Forest: Calibnet Infrastructure Plan: success

module.calibnet.data.digitalocean_ssh_keys.keys: Reading...
module.calibnet.data.digitalocean_project.forest_project: Reading...
module.calibnet.data.digitalocean_ssh_keys.keys: Read complete after 0s [id=ssh_keys/14512061520513425405]
module.calibnet.digitalocean_droplet.forest: Refreshing state... [id=379939055]
module.calibnet.digitalocean_firewall.forest_firewall: Refreshing state... [id=179cfbb1-b532-4d06-bce7-334ec185ea3d]
module.calibnet.data.digitalocean_project.forest_project: Read complete after 1s [id=da5e6601-7fd9-4d02-951e-390f7feb3411]
module.calibnet.digitalocean_project_resources.connect_forest_project: Refreshing state... [id=da5e6601-7fd9-4d02-951e-390f7feb3411]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.calibnet.digitalocean_droplet.forest will be updated in-place
  ~ resource "digitalocean_droplet" "forest" {
        id                   = "379939055"
        name                 = "forest-calibnet"
        tags                 = [
            "calibnet",
        ]
      # Warning: this attribute value will be marked as sensitive and will not
      # display in UI output after applying this change. The value is unchanged.
      ~ user_data            = (sensitive value)
        # (23 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

@LesnyRumcajs LesnyRumcajs deleted the mark-secrets-as-sensitive branch January 22, 2024 16:35