Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: aws_cloudformation_stack outputs disappear when using sensitive parameters #33327

Closed
medains opened this issue Sep 6, 2023 · 3 comments · Fixed by #33969
Closed

[Bug]: aws_cloudformation_stack outputs disappear when using sensitive parameters #33327

medains opened this issue Sep 6, 2023 · 3 comments · Fixed by #33969
Assignees
@johnsonaj
Labels
bug Addresses a defect in current functionality. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/cloudformation Issues and PRs that pertain to the cloudformation service.
Milestone
v5.22.0

Comments

@medains
Copy link

medains commented Sep 6, 2023
edited
Loading

Terraform Core Version

1.5.6

AWS Provider Version

5.13.0,5.14.0,5.15.0

Affected Resource(s)

  • aws_cloudformation_stack

Expected Behavior

Apply with no error.

Actual Behavior

Error during apply.

Relevant Error/Panic Output Snippet

Error: Missing map element

   on main.tf line 64, in output "test":
   64:   value = aws_cloudformation_stack.test_stack.outputs.arn
     ├────────────────
     │ aws_cloudformation_stack.test_stack.outputs is empty map of string

 This map does not have an element with the key "arn".

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      version = "=5.13.0"
    }
  }
}
provider "aws" {
  region = "eu-west-2"
}

locals {
  minimal_stack = {
      Parameters = {
        PolicySid = {
          Type = "String"
          Default = "testSid"
          Description = "Sid for IAM policy statement"
        }
      }
      Resources = {
        myGroup = {
          Type = "AWS::IAM::Group"
        }
        myPolicy = {
          Type = "AWS::IAM::Policy"
          Properties = {
            PolicyName = "TestPolicy"
            PolicyDocument = {
              Statement = [{
                Sid = { Ref = "PolicySid" }
                Effect = "Allow",
                Action = "cloudformation:Get*",
                Resource = "*"
              }]
            }
            Groups = [{ Ref = "myGroup" }]
          }
        }
      }
      Outputs = {
        arn = {
          Value = { Ref = "myPolicy" }
          Description = "Policy"
        }
      }
  }
}

data "local_sensitive_file" "test" {
  filename = "${path.module}/sensitive_content.txt"
}

resource "aws_cloudformation_stack" "test_stack" {
    name = "TestStack"
    template_body =  jsonencode(local.minimal_stack)
    parameters = {
      PolicySid = data.local_sensitive_file.test.content
    }
    capabilities  = ["CAPABILITY_NAMED_IAM"]
}

output "test" {
  value = aws_cloudformation_stack.test_stack.outputs.arn
}

Steps to Reproduce

  • echo "somevalue" > sensitive_content.txt
  • terraform apply
    Should apply cleanly
  • terraform apply
    There will show an "update in place" to the cloudformation stack due to the sensitive parameter. But the cloudformation stack doesn't actually change, and has an empty output map.

Debug Output

No response

Panic Output

No response

Important Factoids

I've cut this down to use a sensitive file as the source of sensitive data, but it would equally apply to secrets read from SSM or some other sensitive source (random_secret or anything like that)

References

This is possibly a side-effect from the change in #33059
Pinning to 5.12.0 is a workaround for the moment.

Would you like to implement a fix?

No
@medains medains added the bug Addresses a defect in current functionality. label Sep 6, 2023
@github-actions github-actions bot added the service/cloudformation Issues and PRs that pertain to the cloudformation service. label Sep 6, 2023
@github-actions
Copy link

github-actions bot commented Sep 6, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 6, 2023
@justinretzolk justinretzolk added prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 6, 2023
@johnsonaj johnsonaj self-assigned this Oct 16, 2023
@johnsonaj johnsonaj mentioned this issue Oct 17, 2023
Merged
@github-actions github-actions bot added this to the v5.22.0 milestone Oct 17, 2023
@github-actions github-actions bot removed the bug Addresses a defect in current functionality. label Oct 20, 2023
@github-actions
Copy link

This functionality has been released in v5.22.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions GitHub Actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2023
@justinretzolk justinretzolk added the bug Addresses a defect in current functionality. label Feb 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@johnsonaj johnsonaj

Labels
bug Addresses a defect in current functionality. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/cloudformation Issues and PRs that pertain to the cloudformation service.
Projects
None yet
Milestone
v5.22.0
Development

Successfully merging a pull request may close this issue.

r/aws_cloudformation_stack: Set computed fields correctly hashicorp/terraform-provider-aws
3 participants
@medains @johnsonaj @justinretzolk