Sensitive data inside attribute map


For an OSS project (with public CI/CD), I’m using the cognito_identity_provider resource from the AWS provider.
To configure this resource I have to provide the client_id and the client_secret inside the provider_details attribute, and that information is not marked as sensitive.

I looked at the code and discovered that provider_details is of type schema.TypeMap, which makes it impossible to mark client_id and client_secret as sensitive.

Is there any way to secure the information in this case?

Hi @VEBERArnaud,

It seems like the provider treats this map as an opaque collection of values to send verbatim to the remote API, so it can’t distinguish sensitive elements from non-sensitive elements.

However, given that the documented purpose of provider_details is to include client secrets and/or access tokens, the provider could potentially just mark that entire map as sensitive, which would then obscure any attribute inside it.

I’d suggest opening a feature request in the AWS provider repository if there isn’t one for this already, to start a discussion about the tradeoffs of marking this map as sensitive. The provider maintainers may have had a good reason for not marking this as sensitive, but it could also have just been an oversight, so opening an issue will be an opportunity to revisit that and see.
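Added example (not part of the thread and not code from the AWS provider): a check a public CI job could run before printing a plan, reporting which `provider_details` secrets Terraform would not mask in its human-readable output. It assumes the plan JSON written by `terraform show -json` on Terraform 0.14 or later, where `after_sensitive` mirrors `after`; the resource addresses and values in the sample are constructed.

```python
import json
import sys

SECRET_KEYS = {"client_id", "client_secret"}  # the two keys named in the question

# Constructed sample shaped like `terraform show -json plan.out`; all values are made up.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_cognito_identity_provider.literal",   # nothing marked sensitive
     "type": "aws_cognito_identity_provider",
     "change": {"after": {"provider_details": {"client_id": "example-id",
                                               "client_secret": "example-secret"}},
                "after_sensitive": {"provider_details": {}}}},
    {"address": "aws_cognito_identity_provider.from_var",  # secret fed from a sensitive value
     "type": "aws_cognito_identity_provider",
     "change": {"after": {"provider_details": {"client_id": "example-id",
                                               "client_secret": "example-secret"}},
                "after_sensitive": {"provider_details": {"client_secret": True}}}},
    {"address": "aws_cognito_identity_provider.whole_map",  # entire map marked sensitive
     "type": "aws_cognito_identity_provider",
     "change": {"after": {"provider_details": {"client_id": "example-id",
                                               "client_secret": "example-secret"}},
                "after_sensitive": {"provider_details": True}}},
]}


def unmasked_secrets(plan, attr="provider_details"):
    """Return sorted (address, key) pairs the human-readable plan would not mask."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_cognito_identity_provider":
            continue
        change = rc.get("change") or {}
        values = (change.get("after") or {}).get(attr) or {}
        marks = (change.get("after_sensitive") or {}).get(attr, {})
        if marks is True:  # whole map marked sensitive: every element is masked
            continue
        if not isinstance(marks, dict):
            marks = {}
        for key in SECRET_KEYS & values.keys():
            if marks.get(key) is not True:  # element present but not marked
                findings.append((rc["address"], key))
    return sorted(findings)


if __name__ == "__main__":
    # Pass a plan JSON file to check a real plan; with no argument the sample is used.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    leaks = unmasked_secrets(plan)
    for address, key in leaks:
        print(f"{address}: provider_details.{key} is not marked sensitive")
    sys.exit(1 if leaks else 0)
```

The plan JSON itself contains sensitive values in clear text, so the file should be checked and discarded inside the job rather than stored as a build artifact.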

Thanks for the response :wink:

Issue created
and associated pull request