From 367ebca1659e99ff1ae56159d3359ed52ad7792c Mon Sep 17 00:00:00 2001
From: "blink-so[bot]" <211532188+blink-so[bot]@users.noreply.github.com>
Date: Fri, 27 Jun 2025 14:14:35 +0000
Subject: [PATCH 1/2] Mark tokens as sensitive in data sources

Mark the following attributes as sensitive to prevent them from being logged or displayed in Terraform output:
- data.coder_workspace_owner.me.oidc_access_token
- data.coder_workspace_owner.me.session_token
- data.coder_external_auth.example.access_token

This follows the same pattern as ssh_private_key and agent token which are already marked as sensitive.

Fixes #266

Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
---
 provider/externalauth.go | 1 +
 provider/workspace_owner.go | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/provider/externalauth.go b/provider/externalauth.go
index 915a21a9..b278ecc1 100644
--- a/provider/externalauth.go
+++ b/provider/externalauth.go
@@ -37,6 +37,7 @@ func externalAuthDataSource() *schema.Resource {
 Type: schema.TypeString,
 Description: "The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.",
 Computed: true,
+ Sensitive: true,
 },
 "optional": {
 Type: schema.TypeBool,
diff --git a/provider/workspace_owner.go b/provider/workspace_owner.go
index 078047ff..109b0b93 100644
--- a/provider/workspace_owner.go
+++ b/provider/workspace_owner.go
@@ -113,6 +113,7 @@ func workspaceOwnerDataSource() *schema.Resource {
 Type: schema.TypeString,
 Computed: true,
 Description: "Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.",
+ Sensitive: true,
 },
 "oidc_access_token": {
 Type: schema.TypeString,
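Review bot: The new `Sensitive: true` on `access_token` redacts the value from plan/apply output but does not keep it out of the Terraform state file, and it also makes Terraform reject any template `output` that references the attribute without `sensitive = true` (and its use in `count`/`for_each`); the `session_token` and `oidc_access_token` hunks in provider/workspace_owner.go have the same gap. Neither consequence is mentioned in the attribute descriptions or the commit message, so I would extend the description here to `Description: "The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools. This value is sensitive: it is redacted from Terraform output but still stored in state.",` and call out the output-block impact in the release notes, since existing templates that output these tokens will start failing to plan. A schema assertion in the provider's data-source tests that the three attributes carry `Sensitive: true` would keep this from regressing; those tests are not in this patch, so it may already be covered. The enclosing `externalAuthDataSource` function starts and ends outside the hunk.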
@@ -120,6 +121,7 @@ func workspaceOwnerDataSource() *schema.Resource {
 Description: "A valid OpenID Connect access token of the workspace owner. " +
 "This is only available if the workspace owner authenticated with OpenID Connect. " +
 "If a valid token cannot be obtained, this value will be an empty string.",
+ Sensitive: true,
 },
 "login_type": {
 Type: schema.TypeString,

From 9066074a12a3c54b97026f053109642be08ea527 Mon Sep 17 00:00:00 2001
From: "blink-so[bot]" <211532188+blink-so[bot]@users.noreply.github.com>
Date: Fri, 27 Jun 2025 14:20:02 +0000
Subject: [PATCH 2/2] Update documentation for sensitive token attributes

Regenerate documentation to reflect that oidc_access_token, session_token, and access_token are now marked as sensitive in the schema.

Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
---
 docs/data-sources/external_auth.md | 2 +-
 docs/data-sources/workspace_owner.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/data-sources/external_auth.md b/docs/data-sources/external_auth.md
index e4089f24..d1e6d649 100644
--- a/docs/data-sources/external_auth.md
+++ b/docs/data-sources/external_auth.md
@@ -39,4 +39,4 @@ data "coder_external_auth" "azure-identity" {
 ### Read-Only
-- `access_token` (String) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
+- `access_token` (String, Sensitive) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
diff --git a/docs/data-sources/workspace_owner.md b/docs/data-sources/workspace_owner.md
index 2a912e1f..f16480ef 100644
--- a/docs/data-sources/workspace_owner.md
+++ b/docs/data-sources/workspace_owner.md
@@ -52,9 +52,9 @@ resource "coder_env" "git_author_email" {
 - `id` (String) The UUID of the workspace owner.
 - `login_type` (String) The type of login the user has.
 - `name` (String) The username of the user.
-- `oidc_access_token` (String) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
+- `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
 - `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles))
-- `session_token` (String) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
+- `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
 - `ssh_private_key` (String, Sensitive) The user's generated SSH private key.
 - `ssh_public_key` (String) The user's generated SSH public key.