Environment variable values should be sensitive only when write_only is enabled #517
Comments
|
I have a similar request for |
|
Thanks for raising this @atorrescogollo and @lorengordon ! Sadly, this is a limitation of the Terraform provider SDK - as you can see here, there is no way that the sensitivity of the "value" field can be conditional on some other variable. Thus, the only way to show plaintext variables in the logs, and not show the secrets, would be to have two separate resources for environment variables (eg. |
|
Thanks @marcinwyszynski . That makes sense. It also might be worth noting that there is a terraform-plugin-sdk issue opened: I'm personally ok with having the additional plaintext resource since seeing the variables in the plan is quite critical in most of the cases. They are the actual inputs to the stack and most of them won't be secrets. In the end, that will probably go inside a module anyway so you can create one resource or the other depending on the |
|
Fair, I'll mark it as a nice starter task for one of our new devs. |
Since the environment variable value is marked always as sensitive, you are not able to see the actual value in the plan. And, especially when you're passing complex data or doing more than just passing a primitive value (e.g.: interpolation from other variables), it can be very hard to debug.
I think it should be marked as sensitive only when write_only is enabled. That will be more coherent to the Spacelift UI since there you can see any env var value that is not marked as write_only.
The text was updated successfully, but these errors were encountered: