Fix: read workspace state version outputs for sensitive values #565
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
It was reported (thank you!) that a sensitive value in an output was not being read via tfe_outputs. Investigating the issue, we were originally getting state version outputs via reading a workspace and including outputs. This API call does not include sensitive values.
The fix is to instead read the outputs from the state version itself.
🤔 Question for reviewers: I noticed that in the go-tfe test for StateVersion.ListOutputs, we have a call to wait for the state version outputs. I'm wondering if we need to do something similar here? Any thoughts?
Testing plan
I created a simple example to show the error (based on what was reported in the two issues). Replace
YOUR_ORG_NAME
with the name of the organization you wish to use to test this out. I'm also using tfcdev to run a local tfc to make sure I'm using the version ofterraform-provider-tfe
built from this branch.The first workspace,
uno_workspace
has the following config:The second workspace,
dos_workspace
has the following terraform config:terraform apply
foruno-workspace
terraform plan
fordos-workspace
and you'll see an error:make build
. Update your.terraformrc
to point"hashicorp/tfe"
to the newly-builtterraform-provider-tfe
binary (if it's not in the tfe provider directory, it might be in~/go/bin
).terraform apply
indos_worskpace
and it should work.External links
Output from acceptance tests
Please run applicable acceptance tests locally and include the output here. See TESTS.md to learn how to run acceptance tests.
If you are an external contributor, your contribution(s) will first be reviewed before running them against the project's CI pipeline.