From 02c1bddfe1c27ef8274b2dcffa16dd8cc2309f83 Mon Sep 17 00:00:00 2001
From: Pam Selle <204372+pselle@users.noreply.github.com>
Date: Thu, 10 Sep 2020 10:08:04 -0400
Subject: [PATCH] Create experiment for sensitive attribute
---
 configs/experiments.go | 13 ++++++++++++-
 configs/testdata/valid-files/variables.tf | 4 ----
 .../testdata/warning-files/variables-sensitive.tf | 7 +++++++
 experiments/experiment.go | 2 ++
 4 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 configs/testdata/warning-files/variables-sensitive.tf
diff --git a/configs/experiments.go b/configs/experiments.go
index 8af1e951f1..aacca8e61f 100644
--- a/configs/experiments.go
+++ b/configs/experiments.go
@@ -138,6 +138,17 @@ func checkModuleExperiments(m *Module) hcl.Diagnostics {
 }
 }
 */
-
+ if !m.ActiveExperiments.Has(experiments.SensitiveVariables) {
+ for _, v := range m.Variables {
+ if v.Sensitive {
+ diags = diags.Append(&hcl.Diagnostic{
+ Severity: hcl.DiagError,
+ Summary: "Variable sensitivity is experimental",
+ Detail: "This feature is currently an opt-in experiment, subject to change in future releases based on feedback.\n\nActivate the feature for this module by adding sensitive_variables to the list of active experiments.",
+ Subject: v.DeclRange.Ptr(),
+ })
+ }
+ }
+ }
 return diags
 }
diff --git a/configs/testdata/valid-files/variables.tf b/configs/testdata/valid-files/variables.tf
index 668761bc9e..817649307b 100644
--- a/configs/testdata/valid-files/variables.tf
+++ b/configs/testdata/valid-files/variables.tf
@@ -22,7 +22,3 @@ variable "cheeze_pizza" {
 variable "π" {
 default = 3.14159265359
 }
-
-variable "sensitive-value" {
- sensitive = true
-}
diff --git a/configs/testdata/warning-files/variables-sensitive.tf b/configs/testdata/warning-files/variables-sensitive.tf
new file mode 100644
index 0000000000..5fedc39860
--- /dev/null
+++ b/configs/testdata/warning-files/variables-sensitive.tf
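Review bot: The error branch added to checkModuleExperiments (the `if v.Sensitive` case when `experiments.SensitiveVariables` is not active) has no fixture in this patch; the diffstat only moves the `sensitive = true` variable out of valid-files into a warning-files case that opts in. Because this gate is what stops an experimental attribute for sensitive values from being accepted silently, add a config fixture containing `variable "sensitive-value" { sensitive = true }` with no `experiments` entry and assert the "Variable sensitivity is experimental" error, so the check cannot later be weakened to a warning unnoticed. If `m.Variables` is a map (its type is not visible here), `for _, v := range m.Variables` will emit the diagnostics in a different order from run to run when several variables are sensitive; iterating over sorted names would keep the output stable. The function begins above the hunk.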
@@ -0,0 +1,7 @@
+terraform {
+ experiments = [sensitive_variables] # WARNING: Experimental feature "sensitive_variables" is active
+}
+
+variable "sensitive-value" {
+ sensitive = true
+}
\ No newline at end of file
diff --git a/experiments/experiment.go b/experiments/experiment.go
index cac7d54fc2..f4ca707df2 100644
--- a/experiments/experiment.go
+++ b/experiments/experiment.go
@@ -14,12 +14,14 @@ type Experiment string
 // identifier so that it can be specified in configuration.
 const (
 VariableValidation = Experiment("variable_validation")
+ SensitiveVariables = Experiment("sensitive_variables")
 )

 func init() {
 // Each experiment constant defined above must be registered here as either
 // a current or a concluded experiment.
 registerConcludedExperiment(VariableValidation, "Custom variable validation can now be used by default, without enabling an experiment.")
+ registerCurrentExperiment(SensitiveVariables)
 }

 // GetCurrent takes an experiment name and returns the experiment value