
I’m bootstrapping my terraform remote state by creating an S3 bucket and a DynamoDB lock table and storing the resulting tfstate in git. My organisation scanned the repository using Yelp/detect-secrets and flagged the line containing `private` as a Base64 High Entropy String.

# excerpt from `tfstate` file
    {
      "mode": "managed",
      "type": "aws_dynamodb_table",
      "name": "state-lock",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 1,
          "attributes": {
            "arn": "arn:aws:dynamodb:eu-west-1:111:table/terraform-state-lock",

           ...

            "write_capacity": 1
          },
          "private": "<long string>" 
        }
      ]
    }

https://www.terraform.io/docs/providers/aws/r/dynamodb_table.html does not export the field as an attribute, and I can’t find documentation on the meaning of the field.

What does it contain?

oschrenk

1 Answer


The "private" property is a place where providers can retain any metadata they need for internal lifecycle tracking, separately from the actual data in "attributes".

From Terraform Core's perspective it's just an arbitrary sequence of bytes, base64 encoded. You can base64-decode it to see what the provider is storing there.

A provider is free to store whatever it wants in principle, but in practice today this is most commonly used by the Terraform SDK to track schema versions. That is likely what you'll find if you decode this one, in JSON format. The Terraform 0.12 state snapshot format has a first-class property for schema version which you can see further up in that object, so in this case that data is redundant but the SDK is retaining it in two places so that providers can remain compatible with Terraform 0.10 and 0.11.

"private" in this context means "for use by the provider only", not "secret". Therefore from the perspective of the detect-secrets tool this is an unfortunate false-positive. It is possible in principle for a provider to store private data in there -- just as it's able to do so in the "attributes" object too -- but that's not what this property is designed for.

Martin Atkins
  • Thank you. This should help make my case. Is there a public documentation of the `tfstate` schema? Out of even more curiosity - could you possibly link to code that generates the content for the `private` field? I searched through the [terraform-provider-aws](https://github.com/terraform-providers/terraform-provider-aws/search?l=Go&p=14&q=private) but could not see any usage. – oschrenk Sep 05 '19 at 09:17
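The decoding step the answer describes, as an added example that is not part of the original question, answer, or the Terraform project: a small Python triage script that walks every resource instance in a state snapshot, base64-decodes its `private` value, tries to parse the bytes as JSON, and reports whether the decoded `schema_version` merely duplicates the instance's own `schema_version` (the redundancy the answer mentions). The embedded state document is constructed for the example; the decoded payload `{"schema_version":"1"}` is an assumed SDK layout used to make the sample self-contained, not a guarantee about what any given provider stores. The script also handles values that are not base64 or not JSON, since a provider is free to store opaque bytes there.

```python
#!/usr/bin/env python3
"""Decode the "private" field of every resource instance in a Terraform
state snapshot so a human (or a secrets-scanner triage) can see what the
provider actually stored there."""
import base64
import binascii
import json
import sys

# Constructed sample: a minimal Terraform 0.12-style (format version 4)
# state. The "private" value is the base64 of {"schema_version":"1"}, an
# assumption about the SDK's layout made for this example only.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "0.12.8",
    "resources": [
        {
            "mode": "managed",
            "type": "aws_dynamodb_table",
            "name": "state-lock",
            "provider": "provider.aws",
            "instances": [
                {
                    "schema_version": 1,
                    "attributes": {"name": "terraform-state-lock", "write_capacity": 1},
                    "private": base64.b64encode(b'{"schema_version":"1"}').decode("ascii"),
                }
            ],
        }
    ],
})


def decode_private(value):
    """Base64-decode one "private" value and try to parse it as JSON.

    Returns a dict with the raw bytes and, when the bytes are JSON, the
    parsed object. Undecodable input is reported in "error" rather than
    raised, so one odd instance does not abort triage of the whole state.
    """
    result = {"raw": None, "json": None, "error": None}
    if value is None:
        return result
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        result["raw"] = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        result["error"] = "not base64: %s" % exc
        return result
    try:
        result["json"] = json.loads(result["raw"].decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        # Opaque provider bytes: keep the raw value, leave "json" as None.
        result["error"] = "not JSON"
    return result


def inspect_state(state_text):
    """Return one record per resource instance describing its "private" field."""
    state = json.loads(state_text)
    records = []
    for resource in state.get("resources", []):
        address = "%s.%s" % (resource["type"], resource["name"])
        if resource.get("mode") == "data":
            address = "data." + address
        for inst in resource.get("instances", []):
            decoded = decode_private(inst.get("private"))
            sdk_version = None
            if isinstance(decoded["json"], dict):
                sdk_version = decoded["json"].get("schema_version")
            records.append({
                "address": address,
                "schema_version": inst.get("schema_version"),
                "private_json": decoded["json"],
                "private_raw": decoded["raw"],
                "error": decoded["error"],
                # The SDK keeps the version as a string while the snapshot
                # keeps an integer, so compare their string forms.
                "redundant_with_schema_version": (
                    sdk_version is not None
                    and str(sdk_version) == str(inst.get("schema_version"))
                ),
            })
    return records


def main(argv):
    # Usage: decode_private.py [path/to/terraform.tfstate]; no argument
    # runs against the constructed sample above.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_STATE
    for rec in inspect_state(text):
        print("%s: schema_version=%s private=%r error=%s redundant=%s" % (
            rec["address"], rec["schema_version"], rec["private_json"],
            rec["error"], rec["redundant_with_schema_version"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real state file to see exactly which bytes the provider stored; if every flagged `private` decodes to a small JSON object of SDK bookkeeping, that output is the evidence for marking the detect-secrets hit a false positive.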