SchemaConfigModeAttr as ConfigMode makes Sensitive field show as plain text in log #28433

Closed
mybayern1974 opened this issue Apr 19, 2021 · 2 comments

@mybayern1974

Terraform Version

0.13.6; 0.14.10

Description

This issue is reported from the Azure provider, but it seems to be related to TF core. For more details, including TF config files, run output, and related source code, refer to the source issue.
A brief summary of the above issue: when the provider resource source code is written as below:

"a": {
  Type:       schema.TypeList,
  Optional:   true,
  ForceNew:   true,
  ConfigMode: schema.SchemaConfigModeAttr,
  Elem: &schema.Resource{
    Schema: map[string]*schema.Schema{
      "b": {
        Type:         schema.TypeString,
        Required:     true,
        ForceNew:     true,
        Sensitive:    true,
        ValidateFunc: validation.StringIsNotEmpty,
      },
    },
  },
},

b always shows up as plain text rather than (sensitive value) in command output. Removing ConfigMode: schema.SchemaConfigModeAttr could solve this problem.

Expected Behavior

Sensitive fields are marked as (sensitive value) in log / cmd-output, which is not impacted by how ConfigMode is set.
or
Any official document is provided to explain the impact of SchemaConfigModeAttr on sensitive fields.

Actual Behavior

Sensitive fields have plain text value shown in log / cmd-output when ConfigMode is set as SchemaConfigModeAttr

References

Refer to the issue reported in the Azure provider.

@mybayern1974 mybayern1974 added bug new new issue not yet triaged labels Apr 19, 2021
@mildwonkey mildwonkey self-assigned this Apr 19, 2021
@mildwonkey
Contributor

Hi @mybayern1974!

This is, unfortunately, a limitation of ConfigModeAttr. When the SDK sends Terraform the schema for a resource created with that flag set, it's sent as a regular Attribute with (in your example) type list(object), instead of a Block. Attributes inside a block can be sensitive, but nested attributes inside objects cannot be sensitive. There's an issue for this open with the SDK repository: hashicorp/terraform-plugin-sdk#201

You can see this in action yourself by running terraform providers schema -json.

Here's an example of that output, using your "a" schema above:

{
  "version": 0,
  "block": {
    "attributes": {
      "a": {
        "type": [
          "list",
          [
            "object",
            {
              "b": "string"
            }
          ]
        ],
        "description_kind": "plain",
        "optional": true
      },
      "id": {
        "type": "string",
        "description_kind": "plain",
        "optional": true,
        "computed": true
      }
    },
    "description_kind": "plain"
  }
}

And here is the same schema, minus ConfigModeAttr:

{
  "version": 0,
  "block": {
    "attributes": {
      "id": {
        "type": "string",
        "description_kind": "plain",
        "optional": true,
        "computed": true
      }
    },
    "block_types": {
      "a": {
        "nesting_mode": "list",
        "block": {
          "attributes": {
            "b": {
              "type": "string",
              "description_kind": "plain",
              "required": true,
              "sensitive": true
            }
          },
          "description_kind": "plain"
        }
      }
    },
    "description_kind": "plain"
  }
}

Since there's already an issue open with the SDK, I am going to close this. I hope the additional information is helpful (or at least interesting). Thanks!
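Added example, not part of the original thread and not Terraform or SDK code: a small Go check over the per-resource schema JSON shown in the comment above, flagging attributes that hold an object type without being sensitive as a whole, since their nested fields have no `sensitive` flag to carry. The names `Schema`, `walk` and `Check` are hypothetical, and the two inputs are condensed from the schemas quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Schema, Block and Attr mirror the per-resource JSON quoted in the comment above.
type Schema struct{ Block Block `json:"block"` }
type Block struct {
	Attributes map[string]Attr   `json:"attributes"`
	BlockTypes map[string]Schema `json:"block_types"`
}
type Attr struct {
	Type      json.RawMessage `json:"type"`
	Sensitive bool            `json:"sensitive"`
}

// walk returns attributes that hold an object type but are not sensitive as a whole.
func walk(b Block, prefix string) []string {
	out := []string{}
	for name, a := range b.Attributes {
		if !a.Sensitive && strings.Contains(string(a.Type), `"object"`) { // token occurs only in object types
			out = append(out, prefix+name)
		}
	}
	for name, bt := range b.BlockTypes {
		out = append(out, walk(bt.Block, prefix+name+".")...)
	}
	sort.Strings(out)
	return out
}

// Check parses one resource schema and returns the flagged attribute paths.
func Check(schemaJSON string) ([]string, error) {
	var s Schema
	err := json.Unmarshal([]byte(schemaJSON), &s)
	return walk(s.Block, ""), err
}

// Constructed inputs, condensed from the two schemas in the comment above.
const attrSchema = `{"block":{"attributes":{"a":{"type":["list",["object",{"b":"string"}]],"optional":true}}}}`
const blockSchema = `{"block":{"block_types":{"a":{"nesting_mode":"list","block":{"attributes":{"b":{"type":"string","required":true,"sensitive":true}}}}}}}`

func main() {
	fmt.Println(Check(attrSchema))  // [a] <nil>
	fmt.Println(Check(blockSchema)) // [] <nil>
}
```

In the full output of `terraform providers schema -json`, each resource schema of this shape sits under `provider_schemas` and then `resource_schemas`, so a real run would call `Check` once per resource entry.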

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 20, 2021