Karl

Reputation: 1244

what is the terraform remote state file "private" attribute used for?

I recently imported some existing AWS resources into terraform; it worked well (thanks).

Some of these resources are sensitive, such as KMS keys and CloudTrail audit trails.

When reviewing the remote state file stored in S3 I see that there is a private attribute on these objects that is base64 encoded, e.g. on one of our trails I see

"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjAifQ=="

base64 decoding this shows me it is

"private": {"schema_version":"0"}

so I'm not too worried, but I wanted to know what this "private" attribute is used for to make sure that stuff doesn't leak here.

Thanks

Karl

Upvotes: 3

Views: 1260

Answers (1)

Martin Atkins

Reputation: 74574

The meaning of "private" here is that this is, from Terraform's perspective, an opaque blob of binary data decided by the provider. Because of that, it's not possible to answer in general what that field might be used for -- a particular resource type can use it for anything in principle -- but by focusing on aws_kms_key in particular we can discuss how it's used today:

The AWS provider is built with the official Terraform Go SDK, and so as I write this the private data is being used actually by the SDK logic rather than the provider-specific logic. If you unpack the Base64 value you shared, you will find some JSON inside:

{"schema_version":"0"}

The SDK is using this to track which schema version this object is currently using. As of Terraform 0.12, schema version is actually now an explicit part of the state format and so this is redundant, but the SDK continues to record it here because today's providers are still compatible with Terraform 0.10 and 0.11 and so setting it in "private" causes it to be preserved between runs in those older versions too.

In principle a provider can store anything here, but the intention is that providers use it for tracking this sort of "boring" metadata that is needed to make the resource lifecycle work, rather than any actual resource data... the data itself belongs in the main object attributes.

Upvotes: 4
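An added example, not code from the question or the answer above, that turns Karl's manual check into a repeatable one: walk a version-4 state file (the format Terraform 0.12+ writes), base64-decode every instance's "private" blob, and flag any blob that holds more than the schema_version bookkeeping the answer describes. The state document is constructed; the aws_kms_key entry reuses the blob quoted in the question, and the second entry carries a constructed extra key purely to show what a flagged finding looks like.

```python
import base64
import json

# Constructed sample in Terraform state format version 4 (Terraform 0.12+).
# The first "private" value is the one quoted in the question; the second is
# a constructed blob carrying more than the SDK's schema_version bookkeeping.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"type": "aws_kms_key", "name": "audit", "instances": [
            {"schema_version": 0, "attributes": {"key_id": "EXAMPLE-KEY-ID"},
             "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjAifQ=="}]},
        {"type": "aws_cloudtrail", "name": "main", "instances": [
            {"schema_version": 0, "attributes": {"name": "main-trail"},
             "private": base64.b64encode(
                 b'{"schema_version":"0","token":"CONSTRUCTED"}').decode()}]},
    ],
})

# The only key the official SDK is described (in the answer above) as storing here.
EXPECTED_KEYS = {"schema_version"}


def decode_private(value):
    """Base64-decode a 'private' blob; return parsed JSON, or raw bytes if not JSON."""
    raw = base64.b64decode(value, validate=True)
    try:
        return json.loads(raw)
    except ValueError:
        return raw


def audit_private(state_text):
    """Return one finding per resource instance that carries a 'private' blob."""
    state = json.loads(state_text)
    if state.get("version") != 4:
        raise ValueError("only state format version 4 is handled here")
    findings = []
    for res in state.get("resources", []):
        for idx, inst in enumerate(res.get("instances", [])):
            if "private" not in inst:
                continue
            decoded = decode_private(inst["private"])
            # Flag anything that is not JSON or carries keys beyond EXPECTED_KEYS:
            # that is content a reviewer should look at before trusting the state.
            unexpected = (not isinstance(decoded, dict)
                          or bool(set(decoded) - EXPECTED_KEYS))
            findings.append({"address": f'{res["type"]}.{res["name"]}[{idx}]',
                             "private": decoded, "unexpected": unexpected})
    return findings
```

Run it against a real state with `audit_private(open("terraform.tfstate").read())` and review every finding marked unexpected.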
