
Security: Obfuscate secret env vars in tf plan output for apps #554

Closed
pjhampton opened this issue Jan 16, 2021 · 0 comments


@pjhampton pjhampton commented Jan 16, 2021

Terraform Version

Terraform v0.12.21
+ provider.digitalocean v2.3.0

Affected Resource(s)

  • digitalocean_app

Transitive dependencies

  • digitalocean_database_cluster
  • digitalocean_database_user

Terraform Configuration Files

resource "digitalocean_app" "REDACTED" {
  spec {
    name   = "REDACTED"
    region = "nyc"

    service {
      name               = "www-REDACTED"
      dockerfile_path    = "REDACTED"
      http_port          = 80
      instance_count     = 1
      instance_size_slug = "professional-xs"

      github {
        repo           = "REDACTED"
        branch         = "master"
        deploy_on_push = false
      }

      env {
        key   = "DB_USER"
        value = digitalocean_database_user.REDACTED.password
        type  = "SECRET"
      }

      env {
        key   = "random"
        value = "pete"
        type  = "SECRET"
      }
    }
  }

  depends_on = []
}

Expected Behavior

Secret values should be redacted, replaced or obfuscated.

Actual Behavior

The tf plan is showing the value of an env var that is marked secret:

              + env {
                  + key   = "DB_USER"
                  + scope = "RUN_AND_BUILD_TIME"
                  + type  = "SECRET"
                  + value = "o1xzzxkczq709hp3"
                }
              + env {
                  + key   = "random"
                  + scope = "RUN_AND_BUILD_TIME"
                  + type  = "SECRET"
                  + value = "pete"
                }

I've killed this user and regenerated the password for bug reporting purposes.

Steps to Reproduce

  1. Create a digitalocean_database_cluster and digitalocean_database_user resource
  2. Create a digitalocean_app resource and reference the db user in a secret env var
  3. terraform plan

Important Factoids

Because I use an e2e gitops flow for everything in my project, leaking secret env vars into Github or the CI would be too much of a security risk for me. By not being able to do this, I wouldn't be able to stand an e2e test environment up automatically, as the app couldn't reference the database user / pass.

References

hashicorp/terraform#20051 (comment)
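An added example, not part of this issue or of the provider's code: a small CI gate that scans `terraform plan -no-color` output for `env` blocks whose `type` is `SECRET` but whose `value` is printed in clear instead of the `(sensitive value)` placeholder Terraform prints for schema fields flagged sensitive, so a leak like the one reported above fails the pipeline before the plan reaches build logs. The sample plan text and its values are constructed for this example.

```python
import re
import sys

# Constructed sample in the shape of the plan output quoted in the issue: the
# first SECRET env is printed in clear (the bug), the second is redacted the way
# Terraform prints provider fields marked Sensitive, the third is not a secret.
SAMPLE_PLAN = """\
      + service {
          + name = "www-example"
          + env {
              + key   = "DB_USER"
              + scope = "RUN_AND_BUILD_TIME"
              + type  = "SECRET"
              + value = "example-leaked-value"
            }
          + env {
              + key   = "API_TOKEN"
              + scope = "RUN_AND_BUILD_TIME"
              + type  = "SECRET"
              + value = (sensitive value)
            }
          + env {
              + key   = "LOG_LEVEL"
              + type  = "GENERAL"
              + value = "debug"
            }
        }
"""

# One `env { ... }` block (no nested braces, so non-greedy to the first line
# holding only a closing brace is enough).
ENV_BLOCK = re.compile(r"env\s*\{(.*?)\n\s*\}", re.S)
# One `<diff marker> name = value` attribute line inside a block.
ATTR = re.compile(r"^\s*[+~-]?\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def find_leaked_secrets(plan_text):
    """Return env keys whose type is SECRET but whose value is printed in clear."""
    leaked = []
    for block in ENV_BLOCK.finditer(plan_text):
        attrs = dict(ATTR.findall(block.group(1)))
        value = attrs.get("value", "")
        if attrs.get("type") == '"SECRET"' and not value.startswith("(sensitive"):
            leaked.append(attrs.get("key", "").strip('"'))
    return leaked

if __name__ == "__main__":
    # CI gate: terraform plan -no-color | python check_plan.py
    leaked = find_leaked_secrets(sys.stdin.read())
    if leaked:
        print("SECRET env values printed in clear:", ", ".join(leaked), file=sys.stderr)
    sys.exit(1 if leaked else 0)
```

The check only covers the env-block shape shown in this issue; the durable fix is for the provider to mark the `value` attribute sensitive in its schema so Terraform itself redacts it.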
