Codepipeline OAuthToken property inside source configuration should be sensitive

[manemarron]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

• provider.aws v1.22.0

Affected Resource(s)

• aws_codepipeline

Terraform Configuration Files

resource "aws_codepipeline" "pipeline" {
  # ...
  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["code"]

      configuration {
        Owner                = "owner"
        Repo                 = "repo"
        Branch               = "master"
        PollForSourceChanges = false
        OAuthToken           = "<REDACTED>"
      }
    }
  }
}

Expected Behavior

stage.0.action.0.configuration.OAuthToken should appear as sensitive in terraform plan and apply

Actual Behavior

stage.0.action.0.configuration.OAuthToken value is shown in plan and apply.

Steps to Reproduce

1. terraform plan -out=plan
2. terraform apply plan

References

• Bug: OAuthToken should appear as <sensitive> in plan/apply output #4261 : Related to this issue, but for codepipeline

[ghost]

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[fishfacemcgee]

@gdavison @bflad PR #14175 claims to fix this issue, but as far as I can tell, nothing has changed with the GitHub OAuth Token being treated as sensitive in that PR. A change was made to make the whole block sensitive but was later reverted.

Can you clarify how this issue is supposed to be fixed and/or what I've missed?

[fishfacemcgee]

Alternatively, if any advice could be provided around using ignore_changes to limit handling around the OAuth token exclusively, that'd at least be a good workaround. Right now, we have to ignore the whole configuration block, which means changing branch and the like has to be done by hand.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!