@unitmatrix

This pull request introduces a new feature that filters sensitive manifests based on their group_kind. The changes include:

  • Creating a local map sensitive_manifests by iterating over the data source manifests and including only those whose group_kind is in the sensitive_group_kinds list.
  • Updating the kustomization_resource resources to use the sensitive_manifests map, falling back to the original manifests if not found in the sensitive map.

Additionally, this change ensures compatibility with Terraform version 1.10.0 and above, where all marks are passed through conditional expressions as per the HCL commit.

This enhancement improves the security and management of manifests by appropriately marking and handling sensitive manifests.

@unitmatrix unitmatrix force-pushed the feature/refactor-sensitive-manifests branch from 5bc949c to aaf54bc on December 9, 2024 08:08
fix manifest reference in the loop

fix typo
@unitmatrix unitmatrix force-pushed the feature/refactor-sensitive-manifests branch from aaf54bc to 199da7d on December 9, 2024 08:09
Member

@pst pst left a comment

Thanks for the contribution. I am not quite sure though what the benefit is. You "fix" having the conditional 3 times, but as a result loop over all manifests one more time. What am I missing?

@unitmatrix
Author

Thank you for your feedback. The main reason behind this pull request is to address a compatibility issue introduced in Terraform version 1.10.0 and above concerning how marks are handled in conditional expressions. Specifically, in the current implementation, an expression like false ? sensitive(var.example) : var.example ends up marking var.example as sensitive regardless of the condition's outcome. This is because Terraform evaluates both the true and false branches under the hood, causing unintended sensitive marking.

The proposed change mitigates this by preemptively filtering and appropriately marking the sensitive manifests. This ensures that only the relevant manifests are marked as sensitive, avoiding the overhead of Terraform's conditional handling of marks in later versions. Although this approach introduces an additional iteration over all manifests, it is necessary to ensure correct behavior with newer versions of Terraform and maintain the security posture by handling sensitive data appropriately.
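The pattern described in the PR description and in the reply above, written out as an added HCL example (not the PR's own diff): the conditional form that over-marks on Terraform 1.10.0+ beside the pre-filtered map with a lookup fallback. It assumes the kustomization provider's documented `data.kustomization_build` shape (`ids` set and `manifests` map), that each id starts with `<group>/<kind>/`, and a `sensitive_group_kinds` variable; the regex and the sample values are constructed.

```hcl
# Added example, not code from the PR. Assumes the provider's documented
# data.kustomization_build.example.ids / .manifests attributes and that
# every id begins with "<group>/<kind>/". Sample values are constructed.
variable "sensitive_group_kinds" {
  type    = list(string)
  default = ["_/Secret"] # constructed sample: core-group Secrets
}

data "kustomization_build" "example" {
  path = "./manifests" # constructed path
}

locals {
  manifests = data.kustomization_build.example.manifests

  # Pre-filter once: only manifests whose group_kind is in the list are
  # wrapped in sensitive(). No other manifest ever passes through a
  # conditional that contains a mark.
  sensitive_manifests = {
    for id, m in local.manifests :
    id => sensitive(m)
    if contains(var.sensitive_group_kinds, regex("^([^/]+/[^/]+)/", id)[0])
  }
}

# BEFORE (the shape the PR replaces): on Terraform >= 1.10.0 the mark from
# the true branch survives the conditional even when the condition is false,
# so every manifest ends up sensitive and every plan diff is redacted.
# resource "kustomization_resource" "before" {
#   for_each = data.kustomization_build.example.ids
#   manifest = (
#     contains(var.sensitive_group_kinds, regex("^([^/]+/[^/]+)/", each.value)[0])
#     ? sensitive(local.manifests[each.value])
#     : local.manifests[each.value]
#   )
# }

# AFTER: lookup() returns the already-marked value when the id is in the
# filtered map and the plain manifest otherwise. Marks on individual map
# elements are preserved, and nothing is marked for non-sensitive kinds.
resource "kustomization_resource" "example" {
  for_each = data.kustomization_build.example.ids
  manifest = lookup(local.sensitive_manifests, each.value, local.manifests[each.value])
}
```

A quick check is `terraform plan`: with the BEFORE form on 1.10.0+ every `manifest` shows as `(sensitive value)`; with the AFTER form only the listed group_kinds are redacted.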
