vcd_cse_kubernetes_cluster: kubeconfig not sensitive variable

[langenoja]

Hello,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved
for bug reports and feature requests. For general usage questions, please see:
https://www.terraform.io/community.html.

Terraform Version

v1.5.7

vcd v3.12.1

Affected Resource(s)

• vcd_cse_kubernetes_cluster

Terraform Configuration Files

N/A

Debug Output

N/A

Panic Output

N/A

Expected Behavior

1. Variable kubeconfig is flagged as a sensitive variable and is masked by terraform

Actual Behavior

1. terraform plan on a cluster to be destroyed output the admin kubeconfig variable

Steps to Reproduce

1. Rename cluster
2. Run terraform plan

User Access rights

N/A

Important Factoids

We are running terraform in pipelines in Gitlab so that we don't have to expose our API keys to users (gitops). However, due to this issue, anyone with access to the repository could just make an MR/PR destroying the cluster, run the pipeline which plans the destruction, and obtain the kubeconfig that provides full admin access to it.

References

N/A

[adambarreiro]

Hi @langenoja,

Thanks for reporting, I'll be working on this on #1266

[adambarreiro]

This is now fixed in the main branch, ready to go for the next release.

Would you like to try it out, you can clone the repo and build/install the provider with make install.

Feedback would be great 🙂

[langenoja]

Awesome, I'll have to wait until it is in the next release until testing however!