fix: Ensure that API key and secret are not shown in the Terrafom plan output

diglesias-te · web-flow · commit bf239bbf45de · 2025-04-25T12:21:04.000-04:00
I've been testing this module and I've realized that the values for `aqua_api_key` and `aqua_api_secret` are being shown in the Terraform plan output when the `single/lambda` module is used.

This is not an issue on the `single/trigger` module as these variables are marked as sensitive there and thus not shown.

Before:
```
# module.aqua_aws_onboarding.module.single[0].module.lambda.aws_lambda_invocation.generate_volscan_external_id_function will be created
  + resource "aws_lambda_invocation" "generate_volscan_external_id_function" {
      + function_name   = (known after apply)
      + id              = (known after apply)
      + input           = jsonencode(
            {
              + ApiUrl            = "..."
              + AquaApiKey        = &lt;plaintext_api_key&gt;
              + AquaSecretKey     = &lt;plaintext_api_secret&gt;
              + AutoConnectApiUrl = "..."
            }
        )
      + lifecycle_scope = "CREATE_ONLY"
      + qualifier       = "$LATEST"
      + result          = (known after apply)
      + terraform_key   = "tf"
      + triggers        = (known after apply)
    }
```

After:
```
  # module.aqua_aws_onboarding.module.single[0].module.lambda.aws_lambda_invocation.generate_volscan_external_id_function will be created
  + resource "aws_lambda_invocation" "generate_volscan_external_id_function" {
      + function_name   = (known after apply)
      + id              = (known after apply)
      + input           = (sensitive value)
      + lifecycle_scope = "CREATE_ONLY"
      + qualifier       = "$LATEST"
      + result          = (known after apply)
      + terraform_key   = "tf"
      + triggers        = (known after apply)
    }
```

We use automated workflows to deploy Terraform code on GitHub, as such, we need to ensure that these values remain hidden.
Let me know what you think, thanks.

```
Terraform v1.11.4
aquasecurity/onboarding/aws v0.2.2
hashicorp/aws v5.57.0
hashicorp/http v3.4.5
hashicorp/external v2.3.4
hashicorp/archive v2.4.2
hashicorp/random v3.6.3
hashicorp/time v0.13.0
```
diff --git a/modules/single/modules/lambda/variables.tf b/modules/single/modules/lambda/variables.tf
@@ -8,11 +8,13 @@ variable "random_id" {
 variable "aqua_api_key" {
   description = "Aqua API Key"
   type        = string
+  sensitive   = true
 }
 
 variable "aqua_api_secret" {
   description = "Aqua API Secret"
   type        = string
+  sensitive   = true
 }
 
 variable "aqua_volscan_aws_account_id" {

Original file line number	Diff line number	Diff line change
`@@ -8,11 +8,13 @@ variable "random_id" {`
`8`	`8`	`variable "aqua_api_key" {`
`9`	`9`	`description = "Aqua API Key"`
`10`	`10`	`type = string`
	`11`	`+ sensitive = true`
`11`	`12`	`}`
`12`	`13`
`13`	`14`	`variable "aqua_api_secret" {`
`14`	`15`	`description = "Aqua API Secret"`
`15`	`16`	`type = string`
	`17`	`+ sensitive = true`
`16`	`18`	`}`
`17`	`19`
`18`	`20`	`variable "aqua_volscan_aws_account_id" {`