@jamiejackson
Last active May 22, 2023 08:32
Terraform Masks Changes Even to Resources/Blocks that Don't Have Sensitive Information

I believe this applies to other resource/block types too, but the case here is: once you add a sensitive value to any one of an aws_cloudfront_distribution's origin blocks, changes to every aws_cloudfront_distribution's origin blocks will be masked in terraform plan output.

This hides important diff information from me.

Steps to reproduce:

  1. Spin up a CloudFront distribution using these tf files, in their stock state.
  2. Make a change to the origin_b_nonsensitive origin; e.g., change its origin_read_timeout to 59
  3. terraform plan will show you the diff. Hooray! Happy day!
  4. Use line 3 instead of line 2 to use a sensitive value (which gets used by origin_a_sensitive)
  5. terraform plan again, but this time, the change you made to the non-sensitive block will not show diffs.

Nor is this behavior restricted to this aws_cloudfront_distribution resource: you'll never see another diff for any origin in any CloudFront distribution in the same Terraform project. :-(

```hcl
locals {
  this_secret_is_retrieved_from_parameter_store_irl = "so_secret"
  # this_secret_is_retrieved_from_parameter_store_irl = sensitive("so_secret")
  origin_ssl_protocols = ["TLSv1.2"]
}

resource "aws_cloudfront_distribution" "repro_distro" {
  comment = "temporary repro case to get help with terraform masking of sensitive info"
  enabled = false

  origin {
    domain_name = "example.com"
    origin_id   = "origin_a_sensitive"

    custom_header {
      name  = "x-auth-token"
      value = local.this_secret_is_retrieved_from_parameter_store_irl
    }

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "match-viewer"
      origin_read_timeout    = 60
      origin_ssl_protocols   = local.origin_ssl_protocols
    }
  }

  origin {
    domain_name = "example.com"
    origin_id   = "origin_b_nonsensitive"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "match-viewer"
      # you can use an arbitrary value change here as the change to deploy
      origin_read_timeout    = 60
      origin_ssl_protocols   = local.origin_ssl_protocols
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "origin_b_nonsensitive"
    viewer_protocol_policy = "allow-all"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.22.0"
    }
  }
  required_version = "1.2.7"
}
```
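The human-readable plan masks the whole origin block, but the machine-readable plan (`terraform plan -out=plan.tfplan && terraform show -json plan.tfplan`) still carries the full `before`/`after` values together with `before_sensitive`/`after_sensitive` masks, so the harmless change to origin_b can be recovered while the header value stays redacted. The script below is an added example, not part of the gist or of Terraform; it assumes the documented JSON plan format (`resource_changes[].change.{actions,before,after,before_sensitive,after_sensitive}`) and embeds a constructed plan JSON mirroring the repro above, in which origin_b's timeout changes and origin_a's header is rotated.

```python
import copy
import json

def _sub(masks, key):
    """Descend each before_sensitive/after_sensitive mask one level."""
    return [m.get(key, False) if isinstance(m, dict) else m[key] for m in masks
            if isinstance(m, dict) or (isinstance(m, list)
                                       and isinstance(key, int) and key < len(m))]

def _walk(before, after, masks, path, out):
    """Append (path, before, after) for each changed leaf, redacting masked ones."""
    if any(m is True for m in masks):  # whole subtree flagged sensitive
        if before != after:
            out.append((path, "<sensitive>", "<sensitive>"))
    elif isinstance(before, dict) and isinstance(after, dict):
        for k in sorted(set(before) | set(after)):
            _walk(before.get(k), after.get(k), _sub(masks, k), f"{path}.{k}", out)
    elif isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        for i, (b, a) in enumerate(zip(before, after)):
            _walk(b, a, _sub(masks, i), f"{path}[{i}]", out)
    elif before != after:
        out.append((path, before, after))

def changed_attributes(plan_json):
    """Map each updated resource address to its list of changed attribute paths."""
    result = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        ch = rc["change"]
        if "update" not in ch["actions"]:
            continue
        diffs = []
        masks = [ch.get("before_sensitive", {}), ch.get("after_sensitive", {})]
        _walk(ch["before"], ch["after"], masks, rc["address"], diffs)
        result[rc["address"]] = diffs
    return result

# Constructed sample shaped like `terraform show -json`: origin_a's header is sensitive,
# origin_b's read timeout changes 60 -> 59, and the header value itself is rotated.
_BEFORE = {"origin": [
    {"origin_id": "origin_a_sensitive", "custom_origin_config": [{"origin_read_timeout": 60}],
     "custom_header": [{"name": "x-auth-token", "value": "so_secret"}]},
    {"origin_id": "origin_b_nonsensitive", "custom_origin_config": [{"origin_read_timeout": 60}]}]}
_AFTER = copy.deepcopy(_BEFORE)
_AFTER["origin"][1]["custom_origin_config"][0]["origin_read_timeout"] = 59
_AFTER["origin"][0]["custom_header"][0]["value"] = "rotated_secret"  # reported as <sensitive>
_MASK = {"origin": [{"custom_header": [{"value": True}]}, {}]}
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "aws_cloudfront_distribution.repro_distro",
    "change": {"actions": ["update"], "before": _BEFORE, "after": _AFTER,
               "before_sensitive": _MASK, "after_sensitive": _MASK}}]})
```

Because the JSON plan contains the unmasked secret values, treat the plan file and its JSON as secrets themselves: pipe them straight into the script rather than writing them to CI logs or artifacts.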