
Sensitive variables containing multiline values are not hidden in the build output #11465

Open
aram535 opened this issue Dec 21, 2021 · 5 comments

Comments

@aram535

aram535 commented Dec 21, 2021

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

Any variables that use the vault() lookup function should be tagged as sensitive automatically.

Use Case(s)

locals {
  mypassword = vault("kv/data/password/mypassword")
}

@nywilken
Contributor

Hi there @aram535, thanks for reaching out. This is not something that is currently possible given the implementation of sensitive variables and the Vault function. There might be something that we can do here, but it does seem like a bit of a special case for the Vault function that requires a little thinking. That said, I don't think that this is a feature we will be able to dive further into any time soon.

Instead I recommend using a local block, different from a locals block, which was constructed specifically for this use case.

local "mypassword" {
  expression = vault("kv/data/password/mypassword")
  sensitive  = true
}

One takeaway for this issue is to add an example or two in the Vault function documentation illustrating how to mark a variable sensitive.

Please let me know if the local block works for your use case.

@aram535
Author

aram535 commented Jan 12, 2022

Thanks for that. I just looked at our code repository history and I believe the mistake was that we tried using sensitive inside of a locals block, which didn't work obviously. I'll try switching our variables to individual local blocks and inspect.

@aram535
Author

aram535 commented Jan 12, 2022

Just tried it on my local machine and doing an inspect ... for some reason some of the variables are not being hidden.

I have 4 variables in a locals block, an additional 6 local blocks each with one variable and all marked as sensitive. 5 out of 6 variables are now showing sensitive.

local "access_token" {
  expression = vault("kv/data/packer/${var.environment_name}/foo", "access-token")
  sensitive  = true
}

local "cert_crt" {
  expression = vault("kv/data/packer/${var.environment_name}/cert", "crt")
  sensitive  = true
}

inspect output:

local.access_token: "<sensitive>"
local.cert_crt: "-----BEGIN CERTIFICATE-----\nMIIIczCCBlug....

@nywilken nywilken self-assigned this Jan 14, 2022
@nywilken
Contributor

nywilken commented Jan 19, 2022

Hi @aram535 apologies for the delayed response. Thank you for updating the issue with your latest test results. It looks like we have a bug. I tested locally with a simple heredoc example and validated that local variables containing multiline values do not get hidden when marked as sensitive.

I'm going to apply the bug label to this issue and retitle it to reflect the found issue. In the meantime, the use of a local block is the preferred way for marking values from the vault function as sensitive. I will add an example to the Vault function documentation to illustrate this use case.

If you disagree with the retitling of this issue, please feel free to drop a comment and we can discuss it further. Thanks again!

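The failure mode described in the comment above (a value marked sensitive, but not hidden once it spans several lines) is easy to reproduce with a redaction filter that works one output line at a time. The following Go program is an added illustration written for this thread; it is not Packer's code and makes no claim about how Packer's filter is implemented. The secrets, the certificate placeholder and the `packer inspect`-style output lines are all constructed sample data. It contrasts a line-oriented filter, which misses both the raw multiline certificate and its escaped (`\n`) rendering, with a filter that redacts every textual form of the value, and provides a `leaks` check that a test can assert on.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const redacted = "<sensitive>"

// sampleSecrets are constructed values a user has marked sensitive.
// The certificate body is a placeholder, not real key material.
var sampleSecrets = []string{
	"s3cr3t-access-token",
	"-----BEGIN CERTIFICATE-----\nMIIIczCCBlugPLACEHOLDER\n-----END CERTIFICATE-----",
}

// sampleOutput is constructed build output in the style of `packer inspect`:
// the token and certificate rendered as Go-quoted strings (so the newline
// appears as a literal \n), followed by the certificate echoed as raw lines,
// as a provisioner log might do.
var sampleOutput = "local.access_token: " + strconv.Quote(sampleSecrets[0]) + "\n" +
	"local.cert_crt: " + strconv.Quote(sampleSecrets[1]) + "\n" +
	"==> file: writing cert\n" + sampleSecrets[1] + "\n"

// redactLineByLine models the failing behaviour: it inspects one line of
// output at a time and replaces a secret only when the whole value fits on
// that line. A multiline secret is never seen as a unit, so it passes through.
func redactLineByLine(output string, secrets []string) string {
	lines := strings.Split(output, "\n")
	for i := range lines {
		for _, s := range secrets {
			lines[i] = strings.ReplaceAll(lines[i], s, redacted)
		}
	}
	return strings.Join(lines, "\n")
}

// secretForms lists every textual shape a secret can take in output: the raw
// value, its escaped (Go-quoted) form when that differs, and each non-blank
// line of a multiline value. The raw form comes first so a whole block is
// replaced before its individual lines are considered.
func secretForms(s string) []string {
	forms := []string{s}
	if q := strconv.Quote(s); q != `"`+s+`"` {
		forms = append(forms, q[1:len(q)-1])
	}
	if strings.Contains(s, "\n") {
		for _, part := range strings.Split(s, "\n") {
			if strings.TrimSpace(part) != "" {
				forms = append(forms, part)
			}
		}
	}
	return forms
}

// redactAllForms hides every form of every secret, regardless of how the
// output renders newlines or whether the value is split across lines.
func redactAllForms(output string, secrets []string) string {
	for _, s := range secrets {
		for _, f := range secretForms(s) {
			output = strings.ReplaceAll(output, f, redacted)
		}
	}
	return output
}

// leaks reports whether any form of any secret is still present in output.
func leaks(output string, secrets []string) bool {
	for _, s := range secrets {
		for _, f := range secretForms(s) {
			if strings.Contains(output, f) {
				return true
			}
		}
	}
	return false
}

func main() {
	naive := redactLineByLine(sampleOutput, sampleSecrets)
	fixed := redactAllForms(sampleOutput, sampleSecrets)
	fmt.Printf("line-by-line filter leaks: %v\n%s\n", leaks(naive, sampleSecrets), naive)
	fmt.Printf("all-forms filter leaks: %v\n%s\n", leaks(fixed, sampleSecrets), fixed)
}
```

Redacting each line of a multiline secret individually will also blank out generic markers such as `-----BEGIN CERTIFICATE-----` wherever they appear, which over-redacts unrelated output; for a sensitive-value filter that is the safer side to err on. The `leaks` helper is the kind of check worth running over captured build logs before they are stored or shared.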
@nywilken nywilken added the bug label Jan 19, 2022
@nywilken nywilken changed the title from "local variables that use the vault() function should be sensitive, to hide the content of the secret during the run" to "Sensitive variables containing multiline values are not hidden in the build output" Jan 19, 2022
@nywilken nywilken removed their assignment Jan 25, 2022
@c33s

c33s commented Oct 19, 2023

@nywilken any news on this? Shouldn't a security related bug get more attention? Soon 2 whole years will have passed since the initial report of the bug :(

No branches or pull requests

3 participants