Failed to eval a variable marked as sensitive #1457

Closed
wata727 opened this issue Jul 29, 2022 · 1 comment · Fixed by #1501

wata727 commented Jul 29, 2022

Introduction

Similar to #1447, an error occurs when a variable marked as sensitive is evaluated.

variable "foo" {
  default = 1
  sensitive = true
}

resource "aws_instance" "foo" {
  instance_type = var.foo
}

Failed to check ruleset; Failed to check `aws_instance_previous_type` rule: value has marks, so it cannot be serialized

Expected Behavior

No error occurs.

However, there is room for consideration as to how to handle the value. This error is about serializing the marked cty.Value, and unmarking it could allow the plugin to disclose sensitive values. It will be necessary to consider whether it is the responsibility of the plugin to handle sensitive values or whether a safety guard should be provided by TFLint.

Actual behavior

Failed to check ruleset; Failed to check `aws_instance_previous_type` rule: value has marks, so it cannot be serialized

Steps to Reproduce

  1. Create main.tf

variable "foo" {
  default = 1
  sensitive = true
}

resource "aws_instance" "foo" {
  instance_type = var.foo
}

  2. Create .tflint.hcl

plugin "aws" {
  source = "github.com/terraform-linters/tflint-ruleset-aws"
  version = "0.15.0"
  enabled = true
}

  3. Run tflint --init
  4. Run tflint

Additional Context

% tflint -v
TFLint version 0.38.1
+ ruleset.aws (0.15.0)
% terraform -v
Terraform v1.2.3
on linux_amd64

bryant-finney commented Sep 3, 2022

👋 Hello!

I am also experiencing this issue. From my CI job logs:

$ tflint --version
TFLint version 0.39.3
$ tflint --init
Installing `aws` plugin...
Installed `aws` (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.16.1)
$ tflint --format=junit . >tflint-junit.xml
Failed to check ruleset; Failed to check `aws_secretsmanager_secret_version_invalid_secret_string` rule: value has marks, so it cannot be serialized

As a workaround, I disabled the aws_secretsmanager_secret_version_invalid_secret_string rule (based on the user guide's Configuring TFLint: rule blocks) by adding the following to my .tflint.hcl configuration file:

rule "aws_secretsmanager_secret_version_invalid_secret_string" {
  enabled = false
}
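
The following is an added example, not part of either comment and not TFLint code: a POSIX shell helper that reads captured TFLint output, finds the rules that failed with the "value has marks" error quoted in this issue, and drafts the disabled `rule` blocks shown above. The function names, the sample log and the rule name `example_rule` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not TFLint code: triage captured TFLint output for the
# "value has marks" failure and draft the rule-disabling workaround.

MARKS_ERR='value has marks, so it cannot be serialized'

# Constructed sample in the error format quoted in this issue; the last line
# is a made-up unrelated failure with a hypothetical rule name.
SAMPLE_LOG='Failed to check ruleset; Failed to check `aws_instance_previous_type` rule: value has marks, so it cannot be serialized
Failed to check ruleset; Failed to check `aws_secretsmanager_secret_version_invalid_secret_string` rule: value has marks, so it cannot be serialized
Failed to check ruleset; Failed to check `aws_instance_previous_type` rule: value has marks, so it cannot be serialized
Failed to check ruleset; Failed to check `example_rule` rule: constructed unrelated error'

# stdin: TFLint output. stdout: unique rules that failed on a marked value.
marked_value_rules() {
  sed -n 's/.*Failed to check `\([A-Za-z0-9_]*\)` rule: '"$MARKS_ERR"'.*/\1/p' |
    sort -u
}

# stdin: TFLint output. stdout: number of rule failures with any other cause.
other_failures() {
  grep 'Failed to check `' | grep -vc "$MARKS_ERR" || true
}

# stdin: TFLint output. stdout: one disabled rule block per affected rule.
disable_blocks() {
  marked_value_rules | while IFS= read -r rule; do
    printf 'rule "%s" {\n  enabled = false\n}\n' "$rule"
  done
}

# Draft the blocks only when the marks error is the sole cause of failure, so
# the workaround never hides a different problem. Returns 1 otherwise.
triage() {
  log=$(cat)
  if [ "$(printf '%s\n' "$log" | other_failures)" -ne 0 ]; then
    echo 'other TFLint failures present; no workaround drafted' >&2
    return 1
  fi
  printf '%s\n' "$log" | disable_blocks
}

# Demo on the constructed sample: list the affected rules.
printf '%s\n' "$SAMPLE_LOG" | marked_value_rules
```

Each drafted block turns a rule off entirely, so review the output before adding it to .tflint.hcl.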
