
When storing PSKs in secrets manager, maybe they should not be in output #7

@dslavenskoj-rhythmic

See title; this makes this workable in cases when we're running the module from pipelines, or via terragrunt. Otherwise, we get fun failing plan errors:

14:10:55.757 STDOUT terraform: Plan: 9 to add, 0 to change, 0 to destroy.
14:10:55.757 STDOUT terraform: 
14:10:55.758 STDOUT terraform: Changes to Outputs:
14:10:55.758 STDERR terraform: │ If you do intend to export this data, annotate the output value as
14:10:55.759 STDOUT terraform:   + customer_gateway_bgp_asn                  = "redact"
14:10:55.759 STDERR terraform: │ sensitive by adding the following argument:
14:10:55.759 STDERR terraform: │     sensitive = true
14:10:55.759 STDERR terraform: ╵
14:10:55.759 STDERR terraform: ╷
14:10:55.759 STDOUT terraform:   + customer_gateway_id                       = (known after apply)
14:10:55.759 STDERR terraform: │ Error: Output refers to sensitive values
14:10:55.760 STDERR terraform: │ 
14:10:55.759 STDOUT terraform:   + customer_gateway_ip_address               = "redact"
14:10:55.760 STDERR terraform: │   on outputs.tf line 55:
14:10:55.760 STDERR terraform: │   55: output "vpn_connection_tunnel2_preshared_key" {
14:10:55.760 STDOUT terraform:   + vpn_connection_tunnel1_address            = (known after apply)
14:10:55.760 STDERR terraform: │ 
14:10:55.760 STDOUT terraform:   + vpn_connection_tunnel1_bgp_asn            = (known after apply)
14:10:55.761 STDOUT terraform:   + vpn_connection_tunnel1_cgw_inside_address = (known after apply)
14:10:55.760 STDERR terraform: │ To reduce the risk of accidentally exporting sensitive data that was
14:10:55.761 STDOUT terraform:   + vpn_connection_tunnel1_vgw_inside_address = (known after apply)
14:10:55.761 STDERR terraform: │ intended to be only internal, Terraform requires that any root module
14:10:55.761 STDOUT terraform:   + vpn_connection_tunnel2_address            = (known after apply)
14:10:55.762 STDOUT terraform:   + vpn_connection_tunnel2_bgp_asn            = (known after apply)
14:10:55.762 STDERR terraform: │ output containing sensitive data be explicitly marked as sensitive, to
14:10:55.762 STDOUT terraform:   + vpn_connection_tunnel2_cgw_inside_address = (known after apply)
14:10:55.763 STDERR terraform: │ confirm your intent.
14:10:55.763 STDOUT terraform:   + vpn_connection_tunnel2_vgw_inside_address = (known after apply)
14:10:55.763 STDERR terraform: │ 
14:10:55.763 STDERR terraform: │ If you do intend to export this data, annotate the output value as
14:10:55.763 STDOUT terraform:   + vpn_connection_vpn_gw_id                  = (known after apply)
14:10:55.764 STDOUT terraform: ╷
14:10:55.764 STDERR terraform: │ sensitive by adding the following argument:
14:10:55.765 STDOUT terraform: │ Warning: Attribute Deprecated
14:10:55.765 STDERR terraform: │     sensitive = true
14:10:55.765 STDERR terraform: ╵
14:10:55.765 STDOUT terraform: │ 
14:10:55.765 STDOUT terraform: │   with module.psk1.random_password.random_string[0],
14:10:55.765 STDOUT terraform: │   on .terraform/modules/psk1/main.tf line 11, in resource "random_password" "random_string":
14:10:55.765 STDOUT terraform: │   11:   number           = var.use_number
14:10:55.765 STDOUT terraform: │ 
14:10:55.766 STDOUT terraform: │ **NOTE**: This is deprecated, use `numeric` instead.
14:10:55.766 STDOUT terraform: │ 
14:10:55.766 STDOUT terraform: │ (and one more similar warning elsewhere)
14:10:55.766 STDOUT terraform: ╵
14:10:56.003 ERROR  terraform invocation failed in ./.terragrunt-cache/-QEq5N6884hYMdqydKcg2hFYNqs/jN3bhpgjmK2SiVXME_X4GHtX0pY
14:10:56.004 ERROR  error occurred:

* Failed to execute "terraform plan" in ./.terragrunt-cache/-QEq5N6884hYMdqydKcg2hFYNqs/jN3bhpgjmK2SiVXME_X4GHtX0pY
  ╷
  │ Error: Output refers to sensitive values
  │ 
  │   on outputs.tf line 30:
  │   30: output "vpn_connection_tunnel1_preshared_key" {
  │ 
  │ To reduce the risk of accidentally exporting sensitive data that was
  │ intended to be only internal, Terraform requires that any root module
  │ output containing sensitive data be explicitly marked as sensitive, to
  │ confirm your intent.
  │ 
  │ If you do intend to export this data, annotate the output value as
  │ sensitive by adding the following argument:
  │     sensitive = true
  ╵
  ╷
  │ Error: Output refers to sensitive values
  │ 
  │   on outputs.tf line 55:
  │   55: output "vpn_connection_tunnel2_preshared_key" {
  │ 
  │ To reduce the risk of accidentally exporting sensitive data that was
  │ intended to be only internal, Terraform requires that any root module
  │ output containing sensitive data be explicitly marked as sensitive, to
  │ confirm your intent.
  │ 
  │ If you do intend to export this data, annotate the output value as
  │ sensitive by adding the following argument:
  │     sensitive = true
  ╵
  
  exit status 1
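
The change the title asks for, sketched as an added example (not code from this module or its maintainers). The variable `store_psk_in_secrets_manager` and the resources `aws_vpn_connection.this` and `aws_secretsmanager_secret.tunnel1_psk` are hypothetical names assumed to exist in the module; only the output name is taken from the error above.

```hcl
# Hypothetical toggle: true when the module writes the PSKs to Secrets Manager.
variable "store_psk_in_secrets_manager" {
  type    = bool
  default = true
}

# Before: this shape fails "terraform plan" with
# "Error: Output refers to sensitive values" when the module is used as the
# root module (for example, called directly from terragrunt).
#
# output "vpn_connection_tunnel1_preshared_key" {
#   value = aws_vpn_connection.this.tunnel1_preshared_key
# }

# After: the key is exported only when it is NOT kept in Secrets Manager,
# and the output is always marked sensitive so the plan succeeds either way.
# An output whose value is null is omitted from the outputs entirely.
output "vpn_connection_tunnel1_preshared_key" {
  description = "Tunnel 1 PSK; null when the key is stored in Secrets Manager"
  value       = var.store_psk_in_secrets_manager ? null : aws_vpn_connection.this.tunnel1_preshared_key
  sensitive   = true
}

# Consumers that need the key get a pointer to the secret instead of the value.
# try() returns null if the (hypothetical) secret resource was not created.
output "vpn_connection_tunnel1_preshared_key_secret_arn" {
  description = "ARN of the Secrets Manager secret holding the tunnel 1 PSK"
  value       = var.store_psk_in_secrets_manager ? try(aws_secretsmanager_secret.tunnel1_psk[0].arn, null) : null
}

# Note: sensitive = true only redacts the value in plan/apply display.
# The value is still written in plain text to the state file and is
# returned by "terraform output -json", so restrict access to state
# even when the output is marked sensitive.
```

The same pattern would apply to the `vpn_connection_tunnel2_preshared_key` output named in the second error.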

Labels: enhancement (New feature or request)