[WIP] Support "hiding" ignored parameters from state. #7237

Closed
wants to merge 1 commit into from

@modax modax commented Jun 20, 2016

Add a lifecycle flag "hide_ignored" to remove "ignored" resource
parameters from the final state. While definitely not perfect, this
kind of simple solution should make it possible to prevent sensitive
data from being written to tfstate.

"hide_ignored" uses "ignore_changes" list since it does not make sense
to omit non-ignored parameters from state file as it would break terraform
flow.

Fixes #516

The work is not complete yet as it has no tests and documentation. What is more, the parameter name could probably be better as well; I'm open to suggestions.

I would just like to hear from the development team whether you would accept this kind of solution and whether I should continue improving it (won't take long) or just drop the idea. While definitely not perfect, this patch is kind of simple, the flag is opt-in and I think it would be useful for many users out there (me included) as passwords in the state file pose a huge security problem. For example, I can encrypt terraform.tfvars myself to store it securely but I basically have no control of how terraform.tfstate gets stored remotely.


stack72 commented Jul 25, 2016

Hi @modax

What is the current status of this PR? Is this something you want to proceed with?

Paul

@stack72 stack72 added the waiting-response An issue/pull request is waiting for a response from the community label Jul 25, 2016

modax commented Jul 25, 2016

Hi @stack72,

I still think this approach is not a bad idea (because currently there are no other options) and I'm willing to work on finishing it (if you approve it makes sense). However, there is one limitation I noticed: when the "hide_ignored" flag gets removed, the parameter is treated as new and hence might trigger recreation of some resources.
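
Added example, not part of this pull request or of Terraform's code: a simplified Go model of the proposed "hide_ignored" behaviour and of the limitation described in the comment above. The flat attribute map, the sample values, and the names `Persisted` and `MissingFromState` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample attributes; a flat map is a simplification, not Terraform's state schema.
var config = map[string]string{"engine": "postgres", "username": "admin", "password": "constructed-secret"}

// Persisted returns a copy of the attributes that would be written to state.
// With hide set, keys listed in ignoreChanges are dropped (models hide_ignored).
func Persisted(attrs map[string]string, ignoreChanges []string, hide bool) map[string]string {
	out := map[string]string{}
	for k, v := range attrs {
		out[k] = v
	}
	for _, k := range ignoreChanges {
		if hide {
			delete(out, k)
		}
	}
	return out
}

// MissingFromState lists config keys with no stored value. Once hide_ignored is
// removed, these are what a comparison against state would see as new.
func MissingFromState(state, cfg map[string]string) []string {
	missing := []string{}
	for k := range cfg {
		if _, ok := state[k]; !ok {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	ignore := []string{"password"}
	state := Persisted(config, ignore, true)
	b, _ := json.Marshal(state) // what the serialized state would contain
	fmt.Println(string(b), MissingFromState(state, config))
}
```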

@stack72 stack72 removed their assignment Aug 8, 2016
@cblecker cblecker mentioned this pull request Oct 24, 2016

stack72 commented Mar 8, 2017

Hi

We see your WIP hasn't had any activity for over 28 days, so we're going to close it. We're still interested in taking a look so if it is ready for review/merge, please reopen it.

Thank you!

Paul

@stack72 stack72 closed this Mar 8, 2017

ghost commented Apr 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 15, 2020
Successfully merging this pull request may close these issues.

Storing sensitive values in state files