fix(infra): use sensitive attribute for all secrets (#5562)

Is there a reason not to mark these `sensitive`? https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables
2026-01-27 10:18:54 +00:00 · 2024-06-27 01:13:35 -07:00
parent 58fad7cb2d
commit e82a9506ab
8 changed files with 17 additions and 4 deletions
--- a/terraform/environments/staging/variables.tf
+++ b/terraform/environments/staging/variables.tf
@@ -2,6 +2,7 @@ variable "aws_gateway_token" {
  type        = string
  description = "Firezone Gateway token for AWS gateway"
  default     = null
+  sensitive   = true
 }

 variable "image_tag" {
@@ -15,8 +16,9 @@ variable "metabase_image_tag" {
 }

 variable "relay_token" {
-  type    = string
-  default = null
+  type      = string
+  default   = null
+  sensitive = true
 }

 variable "slack_alerts_channel" {
@@ -28,14 +30,17 @@ variable "slack_alerts_channel" {
 variable "slack_alerts_auth_token" {
  type        = string
  description = "Slack auth token for the infra alerts channel"
+  sensitive   = true
 }

 variable "postmark_server_api_token" {
-  type = string
+  type      = string
+  sensitive = true
 }

 variable "mailgun_server_api_token" {
-  type = string
+  type      = string
+  sensitive = true
 }

 variable "stripe_secret_key" {
--- a/terraform/examples/google-cloud/nat_gateway/variables.tf
+++ b/terraform/examples/google-cloud/nat_gateway/variables.tf
@@ -46,6 +46,7 @@ variable "log_level" {
 variable "token" {
  type        = string
  description = "Gateway token to use for authentication."
+  sensitive   = true
 }

 variable "subnet_cidr" {
--- a/terraform/modules/aws/coredns/variables.tf
+++ b/terraform/modules/aws/coredns/variables.tf
@@ -118,6 +118,7 @@ variable "token" {
  description = "Portal token to use for authentication."
  type        = string
  default     = null
+  sensitive   = true
 }

 variable "vpc_security_group_ids" {
--- a/terraform/modules/aws/gateway/variables.tf
+++ b/terraform/modules/aws/gateway/variables.tf
@@ -141,6 +141,7 @@ variable "token" {
  description = "Portal token to use for authentication."
  type        = string
  default     = null
+  sensitive   = true
 }

 variable "vpc_security_group_ids" {
--- a/terraform/modules/google-cloud/apps/client-monitor/variables.tf
+++ b/terraform/modules/google-cloud/apps/client-monitor/variables.tf
@@ -153,6 +153,7 @@ variable "firezone_token" {
  default = ""

  description = "Firezone token to allow client to connect to portal"
+  sensitive   = true
 }

 variable "firezone_client_log_level" {
--- a/terraform/modules/google-cloud/apps/gateway-region-instance-group/variables.tf
+++ b/terraform/modules/google-cloud/apps/gateway-region-instance-group/variables.tf
@@ -84,6 +84,7 @@ variable "labels" {
 variable "token" {
  type        = string
  description = "Portal token to use for authentication."
+  sensitive   = true
 }

 variable "api_url" {
--- a/terraform/modules/google-cloud/apps/relay/variables.tf
+++ b/terraform/modules/google-cloud/apps/relay/variables.tf
@@ -137,6 +137,7 @@ variable "application_environment_variables" {
 variable "token" {
  type        = string
  description = "Portal token to use for authentication."
+  sensitive   = true
 }

 variable "api_url" {
--- a/terraform/modules/google-cloud/ops/variables.tf
+++ b/terraform/modules/google-cloud/ops/variables.tf
@@ -10,12 +10,14 @@ variable "slack_alerts_channel" {
 variable "slack_alerts_auth_token" {
  type        = string
  description = "Slack auth token for the infra alerts channel"
+  sensitive   = true
 }

 variable "pagerduty_auth_token" {
  type        = string
  description = "Pagerduty auth token for the infra alerts channel"
  default     = null
+  sensitive   = true
 }

 variable "additional_notification_channels" {