
App Configuration sensitive access keys are not redacted in terraform plan/apply #9042

Closed
anhlqn opened this issue Oct 27, 2020 · 2 comments
Labels
bug service/app-configuration upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc)

Comments

@anhlqn

anhlqn commented Oct 27, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform 0.13.4
AzureRM 2.30.0

Affected Resource(s)

  • azurerm_app_configuration

Terraform Configuration Files

resource "azurerm_app_configuration" "appc" {
  name                = "test-appc"
  resource_group_name = "test-rg"
  location            = "westus"

  sku = "standard"
}

Debug Output

Panic Output

Expected Behavior

terraform plan should redact sensitive App Configuration attributes with (sensitive value) like it does with other resources like storage accounts

resource "azurerm_app_configuration" "appc" {
    endpoint            = redacted
    id                  = redacted
    location            = "westus"
    name                = redacted
    primary_read_key    = [
        {
            connection_string = redacted
            id                = redacted
            secret            = (sensitive value)
        },
    ]
    primary_write_key   = [
        {
            connection_string = redacted
            id                = redacted
            secret            = (sensitive value)
        },
    ]
    resource_group_name = redacted
    secondary_read_key  = [
        {
            connection_string = redacted
            id                = redacted
            secret            = (sensitive value)
        },
    ]
    secondary_write_key = [
        {
            connection_string = redacted
            id                = redacted
            secret            = (sensitive value)
        },
    ]
    sku                 = "standard"
}

A sample from a storage account terraform plan

primary_access_key             = (sensitive value)
primary_blob_connection_string = (sensitive value)

Actual Behavior

terraform plan outputs all the raw access keys to the shell

resource "azurerm_app_configuration" "appc" {
    endpoint            = redacted
    id                  = redacted
    location            = "westus"
    name                = redacted
    primary_read_key    = [
        {
            connection_string = redacted
            id                = redacted
            secret            = <raw secret value from the resource>
        },
    ]
    primary_write_key   = [
        {
            connection_string = redacted
            id                = redacted
            secret            = <raw secret value from the resource>
        },
    ]
    resource_group_name = redacted
    secondary_read_key  = [
        {
            connection_string = redacted
            id                = redacted
            secret            = <raw secret value from the resource>
        },
    ]
    secondary_write_key = [
        {
            connection_string = redacted
            id                = redacted
            secret            = <raw secret value from the resource>
        },
    ]
    sku                 = "standard"
}

Steps to Reproduce

  1. Create an app configuration with terraform apply
  2. Change an attribute like a tag and run terraform plan or terraform apply
  3. The output will include the access key values

Important Factoids

References
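A defender-side check for the leak described in this issue, as an added example that is not part of the issue or the provider's code: it scans Terraform's text plan output for key-block attributes printed in the clear, so a CI step can fail before the plan reaches build logs. The plan text is a constructed sample with placeholder values; the attribute names are those from the plan output shown above.

```python
import re

# Attributes whose plan values must be shown as "(sensitive value)".
SECRET_ATTRS = {"secret", "connection_string"}
REDACTED = "(sensitive value)"

# Plan lines may carry a +/~/- change marker before the attribute.
_RESOURCE = re.compile(r'^\s*[+~-]?\s*resource\s+"([^"]+)"\s+"([^"]+)"')
_BLOCK = re.compile(r'^\s*[+~-]?\s*(\w+)\s*=\s*\[\s*$')
_BLOCK_END = re.compile(r'^\s*[+~-]?\s*\]\s*$')
_ATTR = re.compile(r'^\s*[+~-]?\s*(\w+)\s*=\s*(.+?)\s*$')

def find_unredacted_secrets(plan_text):
    """Return (resource address, attribute path) for each secret printed in the clear."""
    findings, address, block = [], None, None
    for line in plan_text.splitlines():
        if m := _RESOURCE.match(line):
            address, block = f"{m.group(1)}.{m.group(2)}", None
        elif m := _BLOCK.match(line):
            block = m.group(1)          # entered a list block such as primary_read_key
        elif _BLOCK_END.match(line):
            block = None
        elif (m := _ATTR.match(line)) and m.group(1) in SECRET_ATTRS:
            if m.group(2) != REDACTED:
                path = f"{block}.{m.group(1)}" if block else m.group(1)
                findings.append((address, path))
    return findings

# Constructed sample mirroring this issue's plan output: the read key leaks,
# the write key is redacted as the reporter expected. All values are placeholders.
SAMPLE_PLAN = """\
  ~ resource "azurerm_app_configuration" "appc" {
        location            = "westus"
        primary_read_key    = [
            {
                connection_string = "Endpoint=https://test-appc.azconfig.io;Id=PLACEHOLDER;Secret=PLACEHOLDER"
                id                = "PLACEHOLDER-id"
                secret            = "PLACEHOLDER-secret"
            },
        ]
        primary_write_key   = [
            {
                connection_string = (sensitive value)
                id                = "PLACEHOLDER-id"
                secret            = (sensitive value)
            },
        ]
    }
"""
```

Run `find_unredacted_secrets(SAMPLE_PLAN)` on captured `terraform plan -no-color` output; a non-empty result means secrets would be written to whatever log stores that plan.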

@tombuildsstuff tombuildsstuff added bug service/app-configuration upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc) labels Oct 28, 2020
@tombuildsstuff
Member

hey @anhlqn

Thanks for opening this issue.

Taking a look through here, unfortunately this is a regression in the Terraform Plugin SDK regarding sensitive values in nested blocks: if the entire block is sensitive this works, however if one field (such as the id in this case, which isn't a sensitive value) is not sensitive, then the entire block isn't treated as sensitive.

There's a bug open tracking this on the Terraform Plugin SDK repository. As such, whilst this issue is exposed in the Azure Provider, since this'll ultimately be fixed in the Terraform Plugin SDK I'm going to close this issue for the moment, but once that's fixed in the Plugin SDK we can look to vendor that in, which'll fix this here.

Thanks!

@ghost

ghost commented Nov 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Nov 27, 2020