Terraform Version
Terraform v1.6.4-dev
on darwin_arm64
Your version of Terraform is out of date! The latest version
is 1.6.5. You can update by downloading from https://www.terraform.io/downloads.html
Terraform Configuration Files
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

resource vault_generic_secret "test" {
  path = "foo/bar/baz"
  data_json = jsonencode({
    foo      = "bar"
    null_key = null
  })
}
Debug Output
https://gist.github.com/sysedwinistrator/6c146fc3904a266d691330929aafa673
Expected Behavior
sensitive_values should look like this:
"sensitive_values": {
  "data": true,
  "data_json": true
}
According to @alisdair (link to comment), {} does NOT mean the value is sensitive for an object, and only true means that the value is sensitive:
For a value to be considered sensitive, there must be a corresponding true value at the appropriate location
Actual Behavior
sensitive_values is incorrect:
- data (computed value, apparently only available after apply) should be listed under sensitive_values with value true (instead of {})
- data_json should also be listed under sensitive_values, with the value being true
JSON Plan:
{
  "configuration": {
    "provider_config": {
      "vault": {
        "full_name": "registry.terraform.io/hashicorp/vault",
        "name": "vault"
      }
    },
    "root_module": {
      "resources": [
        {
          "address": "vault_generic_secret.test",
          "expressions": {
            "data_json": {},
            "path": {
              "constant_value": "foo/bar/baz"
            }
          },
          "mode": "managed",
          "name": "test",
          "provider_config_key": "vault",
          "schema_version": 1,
          "type": "vault_generic_secret"
        }
      ]
    }
  },
  "errored": false,
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "vault_generic_secret.test",
          "mode": "managed",
          "name": "test",
          "provider_name": "registry.terraform.io/hashicorp/vault",
          "schema_version": 1,
          "sensitive_values": {
            "data": {}
          },
          "type": "vault_generic_secret",
          "values": {
            "data_json": "{\"foo\":\"bar\",\"null_key\":null}",
            "delete_all_versions": false,
            "disable_read": false,
            "namespace": null,
            "path": "foo/bar/baz"
          }
        }
      ]
    }
  },
  "resource_changes": [
    {
      "address": "vault_generic_secret.test",
      "change": {
        "actions": [
          "create"
        ],
        "after": {
          "data_json": "{\"foo\":\"bar\",\"null_key\":null}",
          "delete_all_versions": false,
          "disable_read": false,
          "namespace": null,
          "path": "foo/bar/baz"
        },
        "after_sensitive": {
          "data": true,
          "data_json": true
        },
        "after_unknown": {
          "data": true,
          "id": true
        },
        "before": null,
        "before_sensitive": false
      },
      "mode": "managed",
      "name": "test",
      "provider_name": "registry.terraform.io/hashicorp/vault",
      "type": "vault_generic_secret"
    }
  ],
  "terraform_version": "1.6.4-dev",
  "timestamp": "2023-11-29T14:48:16Z"
}
Steps to Reproduce
- terraform init
- terraform plan -out plan.out
- terraform show -json plan.out
Additional Context
I originally encountered this bug inside a larger Terraform codebase that is using Terraform version 1.3.5 and Vault provider version 3.11. There the issue is present for all vault_generic_secret resources; however, since the resources have already been applied, the data value is already known and sensitive_values look different in that case:
"sensitive_values": {
  "data": {},
  "data_json": true
}
References
No response
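A tool that redacts plan output based only on planned_values sensitive_values would print data_json in clear text for the plan above. The following check is an added example, not part of the original report or of Terraform itself: it treats only a literal true as sensitive (per the quoted rule) and lists attributes that after_sensitive marks but sensitive_values does not. The function names and the trimmed sample plan are constructed for illustration.

```python
import json

def sensitive_paths(mask, prefix=()):
    """Return the set of attribute paths whose mask value is literally true."""
    if mask is True:
        return {prefix}
    paths = set()
    if isinstance(mask, dict):
        for key, sub in mask.items():
            paths |= sensitive_paths(sub, prefix + (key,))
    elif isinstance(mask, list):
        for i, sub in enumerate(mask):
            paths |= sensitive_paths(sub, prefix + (i,))
    return paths  # {} / false / null contribute nothing

def planned_resources(module):
    """Yield resources of a planned_values module, including child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from planned_resources(child)

def missing_sensitive_marks(plan):
    """Map address -> paths sensitive in after_sensitive but not in sensitive_values."""
    after = {rc["address"]: sensitive_paths(rc["change"].get("after_sensitive", False))
             for rc in plan.get("resource_changes", [])}
    root = plan.get("planned_values", {}).get("root_module", {})
    report = {}
    for res in planned_resources(root):
        marked = sensitive_paths(res.get("sensitive_values", {}))
        gap = after.get(res["address"], set()) - marked
        if gap:
            report[res["address"]] = sorted(".".join(map(str, p)) for p in gap)
    return report

# Constructed sample: only the relevant fields, trimmed from the JSON plan in this report.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {"resources": [
    {"address": "vault_generic_secret.test",
     "sensitive_values": {"data": {}}}
  ]}},
  "resource_changes": [
    {"address": "vault_generic_secret.test",
     "change": {"after_sensitive": {"data": true, "data_json": true}}}
  ]
}
""")

if __name__ == "__main__":
    print(missing_sensitive_marks(SAMPLE_PLAN))
```

Against a full plan, pass the parsed output of terraform show -json plan.out to missing_sensitive_marks instead of SAMPLE_PLAN.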