Using a sensitive client_secret results in an error when using Terraform 1.10 #628

Open
1 task done
paulblum00 opened this issue Jan 14, 2025 · 0 comments
Labels
bug Something isn't working

Comments


paulblum00 commented Jan 14, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Greenfield/Brownfield provisioning

greenfield

Terraform Version

1.10.4

Module Version

9.3.0

AzureRM Provider Version

3.117

Affected Resource(s)/Data Source(s)

azurerm_role_assignment.network_contributor

Terraform Configuration Files

# Provider and variable declarations added so the reproducer is self-contained;
# pin the provider and module versions listed above when reproducing.
provider "azurerm" {
  features {}
}

variable "cluster_name" {
  type = string
}

variable "prefix" {
  type = string
}

resource "azurerm_resource_group" "this" {
  name     = "test"
  location = "germanywestcentral"
}

resource "azuread_application" "this" {
  display_name = "test-app"
}

# The password's `value` attribute is marked sensitive by the azuread provider;
# that mark propagates into the module's `client_secret` variable and from there
# into the for_each condition shown in the error output below.
resource "azuread_application_password" "this" {
  application_id = azuread_application.this.id
  display_name   = "test-pw"
}

module "aks" {
  source                          = "Azure/aks/azurerm"
  version                         = "9.3.0"
  resource_group_name             = azurerm_resource_group.this.name
  log_analytics_workspace_enabled = false
  cluster_name                    = var.cluster_name
  prefix                          = var.prefix
  client_id                       = azuread_application.this.client_id
  client_secret                   = azuread_application_password.this.value
  rbac_aad                        = false
}

tfvars variables values

cluster_name = "testcluster"
prefix       = "testprefix"

Debug Output/Panic Output

╷
│ Error: Invalid for_each argument
│ 
│   on .terraform/modules/aks/role_assignments.tf line 25, in resource "azurerm_role_assignment" "network_contributor":
│   25:   for_each = var.create_role_assignment_network_contributor && (var.client_id == "" || var.client_secret == "") ? local.subnet_ids : []
│     ├────────────────
│     │ local.subnet_ids is empty set of dynamic
│     │ var.client_id is "cefe3104-8d58-43b9-b08c-1e3bda686b84"
│     │ var.client_secret has a sensitive value
│     │ var.create_role_assignment_network_contributor is false
│ 
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.
╵

Expected Behaviour

The usage of a sensitive value for client_secret should not result in an error.

Actual Behaviour

Terraform returns an error.

Steps to Reproduce

  • terraform plan
  • terraform apply

Important Factoids

No response

References

According to this article, we just have to add the nonsensitive function around the value here:

This shouldn't result in any loss of safety, as the sensitive value is only used as a condition. I've created a PR for this:

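The failing pattern from the error output above, and the `nonsensitive()` fix the reporter proposes, written out as an added example. This is not code from the Azure/aks/azurerm module or from the issue: the variable names mirror the module's, the subnet ID is a constructed placeholder, and the resource body stands in for the module's real role assignment. It assumes a Terraform 1.x release, where `nonsensitive()` is available.

```hcl
# Added example, not the module's own code. Mirrors the module's variables
# (client_id, client_secret, create_role_assignment_network_contributor).

provider "azurerm" {
  features {}
}

variable "client_id" {
  type    = string
  default = ""
}

variable "client_secret" {
  type      = string
  default   = ""
  sensitive = true # same mark the azuread password value carries into the module
}

variable "create_role_assignment_network_contributor" {
  type    = bool
  default = true
}

locals {
  # Constructed placeholder; in the module these come from the cluster's network config.
  subnet_ids = toset([
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/aks",
  ])

  # Before (fails on plan): `var.client_secret == ""` is a sensitive bool because it is
  # derived from a sensitive value, the `||` and `&&` inherit that mark, and so does the
  # whole conditional, even though the actual keys (subnet IDs) are not secret.
  #
  #   for_each = var.create_role_assignment_network_contributor &&
  #              (var.client_id == "" || var.client_secret == "") ? local.subnet_ids : []
  #
  # After: strip the mark from the boolean result of the comparison only. The secret's
  # value never reaches the expression that feeds for_each; the only bit disclosed is
  # whether a client secret was supplied. No service principal means the cluster uses a
  # managed identity, which is when the module creates the role assignment.
  uses_managed_identity = var.client_id == "" || nonsensitive(var.client_secret == "")

  network_contributor_subnet_ids = (
    var.create_role_assignment_network_contributor && local.uses_managed_identity
    ? local.subnet_ids
    : toset([])
  )
}

resource "azurerm_role_assignment" "network_contributor" {
  # Keys are the (non-sensitive) subnet IDs, so this is a valid for_each argument.
  for_each             = local.network_contributor_subnet_ids
  scope                = each.value
  role_definition_name = "Network Contributor"
  # Placeholder principal; the module uses the cluster's identity here.
  principal_id         = "00000000-0000-0000-0000-000000000000"
}
```

`terraform validate` (and `terraform plan` once a subscription is configured) is the check: with the commented-out form the plan stops at "Invalid for_each argument"; with the boolean unmarked it proceeds, and the secret's value still does not appear in the plan output. Wrapping the secret itself, as in `nonsensitive(var.client_secret) == ""`, also removes the error, but it unmarks the secret's value inside that expression; scoping the call to the comparison result limits what is disclosed to the one bit the condition needs.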