2 changes: 1 addition & 1 deletion modules/mongo_user/default/0.2/locals.tf
Expand Up @@ -11,5 +11,5 @@ locals {
role = lookup(local.mongo_user, "role", {})

user_name = lookup(local.user, "username", module.unique_name.name)
user_password = lookup(local.user, "password", module.user_password.result)
user_password = sensitive(lookup(local.user, "password", module.user_password.result))
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Security improvement: password is now marked as sensitive.

The sensitive() wrapper correctly prevents the password from appearing in Terraform logs and plan outputs, which is a security best practice.

Verify that downstream code (resources, outputs, or other modules referencing local.user_password) properly handles the sensitive value wrapper. Please confirm:

  • Are there any resources or outputs that use local.user_password that might break with the sensitive annotation?
  • Does the module that provides module.user_password.result also return a sensitive value?

🏁 Script executed:

```shell
#!/bin/bash
# Description: Verify downstream usage of user_password in the mongo_user module

# Search for references to user_password in the module directory
echo "=== Searching for user_password references ==="
rg -n "user_password" modules/mongo_user/default/0.2/ --type tf

echo ""
echo "=== Checking for outputs that might expose the sensitive value ==="
# ripgrep uses Rust regex syntax: alternation is a bare "|"; the escaped form "\|"
# would match a literal pipe character and the second branch would never match
rg -n "output.*user_password|user_password.*output" modules/mongo_user/default/0.2/ --type tf
```

Length of output: 557

---

🏁 Script executed:

```shell
#!/bin/bash
# Display full context of outputs.tf to understand output structure

echo "=== Full outputs.tf file ==="
cat modules/mongo_user/default/0.2/outputs.tf

echo ""
echo "=== Context around line 22 in main.tf ==="
sed -n '15,30p' modules/mongo_user/default/0.2/main.tf
```

Length of output: 699


Critical security issue: output "password" exposes the sensitive value.

The sensitive() wrapper on local.user_password does not propagate to outputs in Terraform. The output block at line 15 of outputs.tf must explicitly mark the password output as sensitive:

```hcl
output "password" {
  value     = local.user_password
  sensitive = true
}
```

Without this, the password will be exposed in terraform output commands and stored unmasked in state. The sensitive() wrapper on the local variable alone is insufficient for protecting output values.

The kubernetes_secret resource usage (main.tf line 22) is safe and properly stores the password as sensitive data.

🤖 Prompt for AI Agents
In modules/mongo_user/default/0.2/locals.tf around line 14 and outputs.tf at
line 15, the local.user_password is wrapped with sensitive() but the outputs.tf
password output is not marked sensitive; update the outputs.tf password output
block to set sensitive = true so Terraform will mask the value in outputs and
state views, i.e., explicitly add the sensitive = true attribute to the password
output and keep the current value reference to local.user_password.

}
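Review bot: wrapping `local.user_password` in `sensitive()` means every `output` in this module that returns it must itself declare `sensitive = true`, otherwise current Terraform versions reject the plan with "Output refers to sensitive values"; the thread above reports that `output "password"` in `outputs.tf` still returns `local.user_password` without that flag, so the output block should be updated in the same commit, e.g. `output "password" { value = local.user_password  sensitive = true }`. Separately, `sensitive` only redacts the value in CLI output and plan diffs; the password is still written in plaintext to the state file, so encryption and access control on the state backend remain the actual protection for this secret.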
2 changes: 1 addition & 1 deletion modules/mongo_user/default/0.3/locals.tf
Expand Up @@ -8,5 +8,5 @@ locals {
user = lookup(local.mongo_user, "user", {})
role = lookup(local.mongo_user, "role", {})
user_name = lookup(local.user, "username", module.unique_name.name)
user_password = lookup(local.user, "password", module.user_password.result)
user_password = sensitive(lookup(local.user, "password", module.user_password.result))
}
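Review bot: same consideration as for 0.2 applies here: any `output` returning `local.user_password` from this module version must declare `sensitive = true` or Terraform will reject the plan. Note also that the `lookup(local.user, "password", ...)` fallback means the password can be supplied by the caller through `local.user`; sensitivity is tracked from the point where a value is marked, so the input variable that feeds `local.mongo_user` should be declared `sensitive = true` as well, otherwise the supplied password is redacted only where this local is referenced and not wherever the variable itself is used. If `module.user_password` is a random_password resource, its `result` is already sensitive and the wrapper changes nothing on that path; the caller-supplied path is the one this change actually protects.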