Add sensitive attribute to variables #26183
Conversation
Codecov Report
|
| @@ -1,9 +1,9 @@ | |||
| variable "foo" {} | |||
|
|
|||
| resource "aws_instance" "foo" { | |||
| ami = "${var.foo}" | |||
| ami = var.foo | |||
There was a problem hiding this comment.
This was updated to remove interpolation warnings when I was in the neighborhood while fixing apply tests
| @@ -518,6 +526,12 @@ func (p *blockBodyDiffPrinter) writeNestedBlockDiff(name string, label *string, | |||
| } | |||
|
|
|||
| func (p *blockBodyDiffPrinter) writeValue(val cty.Value, action plans.Action, indent int) { | |||
| // Could check specifically for the sensitivity marker | |||
| if val.IsMarked() { | |||
| p.buf.WriteString("(sensitive)") | |||
There was a problem hiding this comment.
I don't know anything about marks, so please excuse the question if it's nonsense:
Is there any risk that not checking for the specific sensitive marker here could cause problems in the future? Is there any chance that a provider could start using marks, and then someone using terraform 0.14 and that provider would run into a problem?
There was a problem hiding this comment.
There's not a risk of that. Values can't be encoded with marks, so a provider cannot send marked values, and that's also why we have to unmark/remark values sending them through providers.
On the methods themselves, IsMarked is a very simple check, with HasMark being the more specific one. https://github.com/zclconf/go-cty/blob/master/cty/marks.go#L90-L102 Using HasMark would require creating a type specific to the mark. Since there's only one (naive) mark presently ("sensitive"), this is avoiding that at the moment.
Mark sensitivity on a value. However, when the value is encoded to send to the provider to produce a changeset we must remove the marks, so unmark the value and remark it with the saved path afterwards
Updates existing code to use the new Value methods for unmarking/marking and removes panics/workarounds in cty marshall methods
The hack approach appears consistent, as we can remove marks before calling the value validation
Apply, at this moment, appears that it does not require the remarking strategy, as the plan has already been printed
Using markedPlannedNewVal caused many test failures with ignoreChanges, and I noted plannedNewVal itself is modified in the eval_diff. plannedNewVal is now marked closer to the change where it needs it. There is also a test fixture update to remove interpolation warnings.
pselle
force-pushed
the
pselle/sensitive-values
branch
from
30dbdec to
e4e16cc
Compare
There was a problem hiding this comment.
Neat! I found this surprisingly easy to follow for a change that touches so many files, in large part I think to excellent comments. Thank you!
I'd really like to see a test of the current functionality if you think that's feasible before merging. Something as simple as the example in the PR description would be perfect. Since this feature is behind an experiment, I'm also comfortable with that coming in a follow-up PR if it's a big ask, so ✅ from me.
|
@alisdair Thank you for the review! I've been thinking on that codecov diff coverage stat myself a lot, and I think adding a |
This also unearthed that the marking must happen earlier in the eval_diff in order to produce a valid plan (so that the planned marked value matches the marked config value)
Adds a diff test for a changed value, and modifies the diff file to cover variable diffs on sensitive values
|
Will this address #16114 and is this already released? Did not see it in the last release notes. |
|
@robcxyz The goal is that it will! And it is not released. The master branch is currently targeting the 0.14 release cycle, the v0.13 branch is where you can see things that have been released (or unreleased) for 0.13. |
|
Hi @pselle thanks for this PR, I am wondering how to mark a map item sensitive, for example |
|
@liuyangc3 that's something we're exploring now! We are thinking to add support for complex types such that every member of the value would be sensitive (doesn't yet work). For your example though, you could populate values of |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked as resolved and limited conversation to collaborators
This PR allows
sensitiveto be added to a variable declaration, after enabling thesensitive_variablesexperiment:At this current stage of the project, this works on some very basic configurations. When sensitivity is defined, when Terraform outputs the plan to the CLI, attributes using this variable will not be displayed:
This PR depends on changes in https://github.com/zclconf/go-cty -- at the moment, go.mod points to
master, while this feature is in progress. Once the methods have stabilized and there is a new release to point at, go.mod will point to that release.I see that there's not strong covered diff coverage in this PR, which is semi-intentional, the idea to add more tests in a following PR. Saying "that's better to do here, now" would be completely valid -- my intention is that this PR be some reviewable amount of work where Terraform as-is functions, and hard edges are only discovered when using the
sensitiveattribute.