Support Encrypted Pipeline Variables #97

Closed
@kierang-contino

Description

Issue

Currently the terraform provider does not support encrypted pipeline variables.
This leads to constant drift: when the TF provider reads the configuration, it gets ***** as the variable's value.
To fix this, we can add a lifecycle block:

```hcl
lifecycle {
  ignore_changes = [
    spec[0].variables
  ]
}
```

But any change to the pipeline will now result in all variables being changed to unencrypted, plain-text strings of *****.
And this destructive operation on the variables is not shown in the plan.

Deeper look into why this happens

There is no dedicated API to update specific parts of a pipeline's configuration. It's all wrapped in a single yaml file.
TF will call the read API and get a yaml of the whole pipeline.
This yaml is then decoded into the matching go struct.
When TF is ready to update the configuration, it has to regenerate a yaml file and upload that to codefresh control plane.

The issue is that when TF reads the configuration, it does not pass the 'decryptVariables' flag and thus it gets ***** in the variables' values (if they are encrypted).
TF does not understand the difference between encrypted and non-encrypted and so it puts ***** in the value when it regenerates the yaml to update the config, nor does it know to set the value as an encrypted type.

And because TF is writing the same value it's reading, it does not think there is a drift and thus does not show any changes in the plan.

Solution?

  • The provider needs to use the decryptVariables flag to retrieve the correct value.
  • It needs to support setting variables as encrypted or not.

e.g. instead of passing a map of simple k=v, pass in a list of maps.

```hcl
[
  {
    key       = "variable1"
    value     = "val1"
    encrypted = false # default
  },
  {
    key       = "variable2"
    value     = "val2"
    encrypted = true
  }
]
```
  • And of course, generate the pipeline configuration yaml accordingly.
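Added example (not code from this issue or from the provider) modelling the two behaviours described above in Go: `ClobberedKeys` shows which variables the current read-then-write-back cycle would silently overwrite with the mask, and `DriftPlan` shows the proposed comparison that refuses masked state and diffs on both value and the encrypted flag. The `Variable` struct, the function names and the `Mask` constant are assumptions for illustration.

```go
package main

import "fmt"

// Mask is what the read API returns for an encrypted variable when decryptVariables is not passed (per the issue).
const Mask = "*****"

// Variable follows the list-of-maps schema proposed in the issue (assumed shape).
type Variable struct {
	Key       string
	Value     string
	Encrypted bool
}

// ClobberedKeys lists the variables the current round trip silently destroys:
// the config holds a real value but the API returned only the mask, and since
// the provider writes back exactly what it read, the plan shows no change.
func ClobberedKeys(desired, observed []Variable) []string {
	want := map[string]string{}
	for _, v := range desired {
		want[v.Key] = v.Value
	}
	var keys []string
	for _, o := range observed {
		if d, ok := want[o.Key]; ok && o.Value == Mask && d != Mask {
			keys = append(keys, o.Key)
		}
	}
	return keys
}

// DriftPlan models the proposed fix: refuse to diff against masked state (the
// read must use decryptVariables), then compare config to state on both the
// value and the encrypted flag so real changes reach the plan.
func DriftPlan(desired, observed []Variable) ([]string, error) {
	state := map[string]Variable{}
	for _, o := range observed {
		if o.Value == Mask {
			return nil, fmt.Errorf("%s: masked value in state; read with decryptVariables", o.Key)
		}
		state[o.Key] = o
	}
	var changed []string
	for _, d := range desired {
		if s, ok := state[d.Key]; !ok || s.Value != d.Value || s.Encrypted != d.Encrypted {
			changed = append(changed, d.Key)
		}
	}
	return changed, nil
}
```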
