Sensitive outputs #182

Open
sebastianmacarescu opened this issue Aug 23, 2021 · 4 comments
Labels
bug 🐛 An issue with the system

sebastianmacarescu commented Aug 23, 2021

Describe the Bug

When running terragrunt apply:

```
Error: Output refers to sensitive values
│
│   on outputs.tf line 46:
│   46: output "cf_origin_ids" {
│
│ To reduce the risk of accidentally exporting sensitive data that was
│ intended to be only internal, Terraform requires that any root module
│ output containing sensitive data be explicitly marked as sensitive, to
│ confirm your intent.
│
│ If you do intend to export this data, annotate the output value as
│ sensitive by adding the following argument:
│     sensitive = true
```

Expected Behavior

Terragrunt apply works

Steps to Reproduce

I use the following options:

```hcl
  website_enabled                    = true
  s3_website_password_enabled        = true
  versioning_enabled                 = true
  block_origin_public_access_enabled = true
  allow_ssl_requests_only            = false # https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/issues/175

  cloudfront_access_log_create_bucket = false
  cloudfront_access_log_bucket_name   = dependency.logging_bucket.outputs.s3_bucket_id
```

Environment (please complete the following information):

Module version: 0.74.3
Terraform version:

```
λ terraform -v
Terraform v1.0.0
on windows_amd64
+ provider registry.terraform.io/hashicorp/aws v3.55.0
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
```

sebastianmacarescu added the bug 🐛 An issue with the system label Aug 23, 2021
sebastianmacarescu added a commit to sebastianmacarescu/terraform-aws-cloudfront-s3-cdn that referenced this issue Aug 23, 2021

@nitrocode (Member)

Can you share the full HCL of your cloudformation so we can test this out?

sebastianmacarescu (Author) commented Sep 18, 2021

```hcl
# Deploy dashboard-v2.mydomain.com

locals {
  # Automatically load environment level variables
  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))

  # Extract out common variables for reuse
  environment  = local.environment_vars.locals.environment

  base_domain_name = "${local.environment}.mydomain.com"
}

# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
# working directory, into a temporary folder, and execute your Terraform commands in that folder.
terraform {
  source = "git::https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn//?ref=0.74.3"

}

dependency "acm_mydomain" {
  config_path = "../acm/mydomain.com"
  mock_outputs = {
    acm_certificate_arn = "mock"
  }
  mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
}

dependency "logging_bucket" {
  config_path = "../logs-s3-bucket"
  mock_outputs = {
    s3_bucket_id = "logs"
  }
  mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
}

# Include all settings from the root terragrunt.hcl file
include {
  path = find_in_parent_folders()
}

inputs = {
  name = "dashboard-v2"

  dns_alias_enabled = true
  parent_zone_name  = local.base_domain_name
  aliases           = ["dashboard-v2.${local.base_domain_name}"]

  website_enabled                    = true
  s3_website_password_enabled        = true
  versioning_enabled                 = true

  # must be false if website_enabled is true https://aws.amazon.com/premiumsupport/knowledge-center/s3-website-cloudfront-error-403/
  block_origin_public_access_enabled = false

  # bug in module https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/issues/175
  allow_ssl_requests_only            = false

  cloudfront_access_log_create_bucket = false
  cloudfront_access_log_bucket_name = dependency.logging_bucket.outputs.s3_bucket_id

  minimum_protocol_version = "TLSv1"
  acm_certificate_arn      = dependency.acm_mydomain.outputs.acm_certificate_arn
}
```

@cloudposse cloudposse deleted a comment from sebastianmacarescu Sep 18, 2021
@nitrocode (Member)

Oh interesting it uses terragrunt. Can you show the raw terraform version?

@sebastianmacarescu (Author)

I don't have it in raw terraform but it's pretty easy to do. Just pass those inputs in a tfvars file
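
The rule behind the error reported in this issue, as an added example that is not part of the thread or of the module's code: a root-module output derived from a sensitive value is rejected until it is marked `sensitive = true` or explicitly unmarked with `nonsensitive()`. The variable and output names are hypothetical.

```hcl
# Constructed example: variable and output names are hypothetical,
# not taken from terraform-aws-cloudfront-s3-cdn.
variable "origin_secret" {
  type      = string
  sensitive = true # marks the value and everything derived from it
}

locals {
  # Interpolating a sensitive value yields a sensitive string.
  origin_header = "Bearer ${var.origin_secret}"
}

# In a root module Terraform rejects this output with
# "Error: Output refers to sensitive values":
#
# output "origin_header" {
#   value = local.origin_header
# }

# Option 1: confirm the intent. Terraform then redacts the value in
# plan/apply output; it is still written to the state file in clear text,
# so the state backend needs its own access control and encryption.
output "origin_header" {
  value     = local.origin_header
  sensitive = true
}

# Option 2: if the derived value is not itself secret, remove the mark
# explicitly with nonsensitive() (Terraform v0.15 and later). This assumes
# the secret is high-entropy, so its hash does not reveal it.
output "origin_secret_fingerprint" {
  value = nonsensitive(sha256(var.origin_secret))
}
```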
