Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduction of password {} block in v2.53.0 for azuread_application forces sensitive = true on output even when not utilized #1421

Closed
philmph opened this issue Jun 28, 2024 · 3 comments · Fixed by #1422

Comments

@philmph
Copy link

philmph commented Jun 28, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Running on Terraform Cloud hosted runner

Terraform v1.8.5
on linux_amd64

Updating via Renovate Bot chore(deps): update terraform azuread to v2.53.0:

Package Type Update Change
azuread (source) required_provider minor 2.52.0 -> 2.53.0

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

I am running a module which deploys apps + spns + secrets. The module is called by different environments with the respective root module. The azuread_application does NOT utilize the new password block.

variables.tf

variable "service_principals" {
  description = "The Service Principals to create."
  type = map(object({
    create_password = optional(bool, false)
    display_name    = string
    description     = string

    required_resource_access = optional(list(object({
      resource_app_id = string
      resource_access = list(object({
        id   = string
        type = string
      }))
    })), [])
  }))
}

main.tf

resource "azuread_application" "this" {
  for_each = var.service_principals

  display_name = each.value.display_name
  description  = each.value.description

  owners = local.owners

  # Required resource access
  dynamic "required_resource_access" {
    # for_each = each.value.required_resource_access
    for_each = { for i, o in each.value.required_resource_access : o.resource_app_id => o }

    content {
      resource_app_id = required_resource_access.value.resource_app_id

      dynamic "resource_access" {
        for_each = { for i, o in required_resource_access.value.resource_access : o.id => o }

        content {
          id   = resource_access.value.id
          type = resource_access.value.type
        }
      }
    }
  }
}

locals {
  azuread_applications_with_password = {
    for k, v in azuread_application.this : k => v if var.service_principals[k].create_password
  }
}

resource "azuread_application_password" "this" {
  for_each = local.azuread_applications_with_password

  application_id = each.value.id
  display_name   = "Managed by Terraform"
}

...

azuread_application_password is NOT a defined output (the module also handles directly adding the secret to f.e. Key Vault and TFE Workspaces without human interaction but i omitted the code as it is not relevant)

outputs.tf

output "applications" {
  description = "Relevant infos of generated Application Registrations."
  value       = azuread_application.this
}

Debug Output

Only relevant part from the root module calling the module using the azuread_application resource without password block:

{"@level":"error","@message":"Error: Output refers to sensitive values","@module":"terraform.ui","@timestamp":"2024-06-28T09:24:18.003275Z","diagnostic":{"severity":"error","summary":"Output refers to sensitive values","detail":"To reduce the risk of accidentally exporting sensitive data that was intended to be only internal, Terraform requires that any root module output containing sensitive data be explicitly marked as sensitive, to confirm your intent.\n\nIf you do intend to export this data, annotate the output value as sensitive by adding the following argument:\n    sensitive = true","range":{"filename":"outputs.tf","start":{"line":1,"column":1,"byte":0},"end":{"line":1,"column":36,"byte":35}},"snippet":{"context":null,"code":"output \"managed_entraid_identities\" {","start_line":1,"highlight_start_offset":0,"highlight_end_offset":35,"values":[]}},"type":"diagnostic"}

Human readable (hopefully)

Error: Output refers to sensitive values
on outputs.tf line 1:
output "managed_entraid_identities" {
To reduce the risk of accidentally exporting sensitive data that was intended to be only internal, Terraform requires that any root module output containing sensitive data be explicitly marked as sensitive, to confirm your intent.

If you do intend to export this data, annotate the output value as sensitive by adding the following argument:
sensitive = true

Panic Output

Expected Behavior

Terraform doesn't force me to chain sensitive = true for existing deployments which don't use the password block in resource azuread_application.

Actual Behavior

Run exists with 1 because output is not marked as sensitive = true while not using the new password block.

Steps to Reproduce

  1. Upgrade from v.2.52.0 to v2.53.0
  2. Run terraform plan

Important Factoids

References

@manicminer
Copy link
Contributor

Thanks for reporting this @philmph, we should have a fix out for this shortly.

@manicminer
Copy link
Contributor

@philmph Appreciate the detailed report. A patch release v2.53.1 is on its way out and should be available shortly.

@philmph
Copy link
Author

philmph commented Jun 28, 2024

Thanks @manicminer for the immediate response and fix - No more issues after Renovate update to v2.53.1 :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants