[WIP] Support "hiding" ignored parameters from state. #7237
Add a lifecycle flag "hide_ignored" to remove "ignored" resource
parameters from the final state. While definitely not perfect, this
kind of simple solution should make it possible to prevent sensitive
data from being written to tfstate.
"hide_ignored" uses "ignore_changes" list since it does not make sense
to omit non-ignored parameters from the state file as it would break the Terraform
flow.
Fixes #516
The work is not complete yet as it has no tests or documentation. What is more, the parameter name could probably be better as well; I'm open to suggestions.
I would just like to hear from the development team whether you would accept this kind of solution and I should continue to improve it (won't take long) or just drop the idea. While definitely not perfect, this patch is kind of simple, the flag is opt-in, and I think it would be useful for many users out there (me included), as passwords in the state file pose a huge security problem. For example, I can encrypt terraform.tfvars myself to store it securely, but I basically have no control over how terraform.tfstate gets stored remotely.
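The filtering the description outlines, as an added sketch that is not the pull request's code: attributes covered by a resource's "ignore_changes" list are dropped from the flat attribute map before it is written to state. The names `hideIgnored` and `isIgnored`, the matching rule, and the sample attributes are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// hideIgnored (hypothetical name) returns a copy of a resource's flat
// attribute map without the attributes covered by ignoreChanges, plus the
// sorted list of keys that were left out of the state.
func hideIgnored(attrs map[string]string, ignoreChanges []string) (map[string]string, []string) {
	kept := make(map[string]string, len(attrs))
	var hidden []string
	for k, v := range attrs {
		if isIgnored(k, ignoreChanges) {
			hidden = append(hidden, k)
			continue
		}
		kept[k] = v
	}
	sort.Strings(hidden)
	return kept, hidden
}

// isIgnored applies the matching rule assumed in this sketch: an entry covers
// the attribute itself and its flattened children ("tags" covers "tags.env"),
// and "*" covers every attribute. A bare prefix is not enough, so "password"
// does not hide "password_hint".
func isIgnored(key string, ignoreChanges []string) bool {
	for _, ic := range ignoreChanges {
		if ic == "*" || key == ic || strings.HasPrefix(key, ic+".") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample attributes, not taken from a real state file.
	attrs := map[string]string{
		"id":       "db-1",
		"username": "admin",
		"password": "constructed-secret",
		"tags.env": "prod",
	}
	kept, hidden := hideIgnored(attrs, []string{"password", "tags"})
	fmt.Println("attributes written to state:", len(kept))
	fmt.Println("attributes hidden from state:", hidden)
}
```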