Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Terragrunt is missing sensitive argument for some outputs #1

Open
kayahk opened this issue Dec 11, 2023 · 2 comments
Open

[BUG] Terragrunt is missing sensitive argument for some outputs #1

kayahk opened this issue Dec 11, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@kayahk
Copy link

kayahk commented Dec 11, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.5.7

AzureRM Provider Version

3.61.0

Affected Resource(s)/Data Source(s)

outputs.tf

Terraform Configuration Files

default example
- works with Terraform as expected
- does not work with Terragrunt (error see below)

Debug Output/Panic Output

Error: Output refers to sensitive values
│ 
│   on outputs.tf line 60:
│   60: output "namespace_listen_authorization_rule" {
│ 
│ To reduce the risk of accidentally exporting sensitive data that was
│ intended to be only internal, Terraform requires that any root module
│ output containing sensitive data be explicitly marked as sensitive, to
│ confirm your intent.
│ 
│ If you do intend to export this data, annotate the output value as
│ sensitive by adding the following argument:
│     sensitive = true
╵
╷
│ Error: Output refers to sensitive values
│ 
│   on outputs.tf line 65:
│   65: output "namespace_send_authorization_rule" {
│ 
│ To reduce the risk of accidentally exporting sensitive data that was
│ intended to be only internal, Terraform requires that any root module
│ output containing sensitive data be explicitly marked as sensitive, to
│ confirm your intent.
│ 
│ If you do intend to export this data, annotate the output value as
│ sensitive by adding the following argument:
│     sensitive = true
╵
╷
│ Error: Output refers to sensitive values
│ 
│   on outputs.tf line 70:
│   70: output "namespace_manage_authorization_rule" {
│ 
│ To reduce the risk of accidentally exporting sensitive data that was
│ intended to be only internal, Terraform requires that any root module
│ output containing sensitive data be explicitly marked as sensitive, to
│ confirm your intent.
│ 
│ If you do intend to export this data, annotate the output value as
│ sensitive by adding the following argument:
│     sensitive = true


### Expected Behaviour

the resources including outputs should get created without issues.

### Actual Behaviour

The apply is failing due to the above shown outputs not having the argument `sensitive = true` if the module is called with Terragrunt (version 0.53.7). Pure Terraform apply is working as expected. 

### Steps to Reproduce

- create terragrunt.hcl with default inputs
- `terragrunt apply`

### Important Factoids

_No response_

### References

_No response_
@kayahk kayahk added the bug Something isn't working label Dec 11, 2023
@kayahk kayahk changed the title [BUG] missing sensitive argument for some outputs [BUG] Terragrunt is missing sensitive argument for some outputs Dec 11, 2023
@Shr3ps
Copy link
Member

Shr3ps commented Dec 12, 2023

Hello,

Can you provide the terragrunt.hcl file you created?

@kayahk
Copy link
Author

kayahk commented Dec 12, 2023
edited
Loading

this is the _envcommon/eventhub.hcl file for shared parameters:

# ---------------------------------------------------------------------------------------------------------------------
# COMMON TERRAGRUNT CONFIGURATION
# This is the common component configuration for event hub. The common variables for each environment to
# deploy event hub are defined here. This configuration will be merged into the environment configuration
# via an include block.
# ---------------------------------------------------------------------------------------------------------------------

# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
# working directory, into a temporary folder, and execute your Terraform commands in that folder. If any environment
# needs to deploy a different module version, it should redefine this block with a different ref to override the
# deployed version.

terraform {
  source = "${local.base_source_url}?version=7.3.0"
}

dependency "github" {
  config_path  = "${get_repo_root()}/stacks/shared/github"
  skip_outputs = true
}

dependency "vnet" {
  config_path = "${get_repo_root()}/stacks/${local.environment}/vnet"
  mock_outputs = {
    vnet_subnets_name_id = {
      subnet3-sus-devops-dev-germanywestcentral = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.Network/virtualNetworks/virtualNetworksValue/subnets/subnetValue"
    }
  }
}

dependency "logs" {
  config_path = "${get_repo_root()}/stacks/shared/logs-workspace"
  mock_outputs = {
    logs_storage_account_id    = "someid",
    log_analytics_workspace_id = "someid"
  }
}

# ---------------------------------------------------------------------------------------------------------------------
# Locals are named constants that are reusable within the configuration.
# ---------------------------------------------------------------------------------------------------------------------
locals {
  base_source_url = "tfr:///claranet/eventhub/azurerm"
  # Automatically load environment-level variables
  project_vars      = read_terragrunt_config(find_in_parent_folders("project.hcl"))
  environment_vars  = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
  subscription_vars = read_terragrunt_config(find_in_parent_folders("subscription.hcl"))

  # Extract out common variables for reuse
  environment = local.environment_vars.locals.environment
  vnet_cidr   = local.environment_vars.locals.vnet_cidr
  location    = local.project_vars.locals.location
  project     = local.project_vars.locals.project
  postfix     = "${local.project}-${local.environment}-${local.location}"
}

# ---------------------------------------------------------------------------------------------------------------------
# MODULE PARAMETERS
# These are the variables we have to pass in to use the module. This defines the parameters that are common across all
# environments.
# ---------------------------------------------------------------------------------------------------------------------
inputs = {
  client_name           = "sus"
  environment           = local.environment
  location              = local.location
  location_short        = local.location
  resource_group_name   = "rg-${local.postfix}"
  stack                 = ""
  allowed_cidrs         = [local.vnet_cidr]
  allowed_subnet_ids    = formatlist("%s", values(dependency.vnet.outputs.vnet_subnets_name_id))
  hubs_parameters       = {}
  custom_namespace_name = "ehn-${local.postfix}"
  namespace_parameters  = {}
  logs_destinations_ids = [
    dependency.logs.outputs.logs_storage_account_name,
    dependency.logs.outputs.log_analytics_workspace_id
  ]
}

generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
provider "azurerm" {
  use_oidc = true
  features {}
}
EOF
}

generate "versions" {
  path      = "versions.tf"
  if_exists = "overwrite"
  contents  = <<EOF
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.84.0"
    }
    azurecaf = {
      source  = "aztfmod/azurecaf"
      version = "~> 1.2.26"
    }
  }
}
EOF
}

and this is the environment specific stack file to orchestrate resources terragrunt.hcl:

# ---------------------------------------------------------------------------------------------------------------------
# TERRAGRUNT CONFIGURATION
# This is the configuration for Terragrunt, a thin wrapper for Terraform that helps keep your code DRY and
# maintainable: https://github.com/gruntwork-io/terragrunt
# ---------------------------------------------------------------------------------------------------------------------

# We override the terraform block source attribute here just for the shared environment to show how you would deploy a
# different version of the module in a specific environment.
terraform {
  source = "${include.envcommon.locals.base_source_url}?version=7.3.0"
}

# ---------------------------------------------------------------------------------------------------------------------
# Include configurations that are common used across multiple environments.
# ---------------------------------------------------------------------------------------------------------------------

# Include the envcommon configuration for the component. The envcommon configuration contains settings that are common
# for the component across all environments.
include "envcommon" {
  path   = "${get_repo_root()}/stacks/_envcommon/eventhub.hcl"
  expose = true
}

# ---------------------------------------------------------------------------------------------------------------------
# Override parameters for this environment
# see https://registry.terraform.io/modules/claranet/eventhub/azurerm/latest?tab=inputs for detailed input description
inputs {}

thanks @Shr3ps, I appreciate your efforts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Shr3ps @kayahk