From 5e30d58dc2d06a6b55354dba5cf84b0d85c14d24 Mon Sep 17 00:00:00 2001
From: Alisdair McDiarmid
Date: Fri, 26 Mar 2021 19:21:40 -0400
Subject: [PATCH] command/jsonplan: Add output change sensitivity
When an output value changes, we have a small amount of information we can convey about its sensitivity. If either the output was previously marked sensitive, or is currently marked sensitive in the config, this is tracked in the output change data. This commit encodes this boolean in the change struct's `before_sensitive` and `after_sensitive` fields, in the a way which matches resource value sensitivity. Since we have so little information to work with, these two values will always be booleans, and always equal each. This is logically consistent with how else we want to obscure sensitive data: a changing output which was or is marked sensitive should not have the value shown in human-readable output.
---
 command/jsonplan/plan.go | 23 +++++++++++++++----
 .../show-json/basic-create/output.json | 4 +++-
 .../show-json/basic-delete/output.json | 4 +++-
 .../show-json/basic-update/output.json | 4 +++-
 .../testdata/show-json/modules/output.json | 4 +++-
 .../multi-resource-update/output.json | 4 +++-
 .../provider-version-no-config/output.json | 4 +++-
 .../show-json/provider-version/output.json | 4 +++-
 .../show-json/sensitive-values/output.json | 4 +++-
 9 files changed, 43 insertions(+), 12 deletions(-)
diff --git a/command/jsonplan/plan.go b/command/jsonplan/plan.go
index 07d7f46b9e..5a828cccef 100644
--- a/command/jsonplan/plan.go
+++ b/command/jsonplan/plan.go
@@ -324,13 +324,28 @@ func (p *plan) marshalOutputChanges(changes *plans.Changes) error {
 }
 }
+ // The only information we have in the plan about output sensitivity is
+ // a boolean which is true if the output was or is marked sensitive. As
+ // a result, BeforeSensitive and AfterSensitive will be identical, and
+ // either false or true.
+ outputSensitive := cty.False
+ if oc.Sensitive {
+ outputSensitive = cty.True
+ }
+ sensitive, err := ctyjson.Marshal(outputSensitive, outputSensitive.Type())
+ if err != nil {
+ return err
+ }
+
 a, _ := ctyjson.Marshal(afterUnknown, afterUnknown.Type())
 c := change{
- Actions: actionString(oc.Action.String()),
- Before: json.RawMessage(before),
- After: json.RawMessage(after),
- AfterUnknown: a,
+ Actions: actionString(oc.Action.String()),
+ Before: json.RawMessage(before),
+ After: json.RawMessage(after),
+ AfterUnknown: a,
+ BeforeSensitive: json.RawMessage(sensitive),
+ AfterSensitive: json.RawMessage(sensitive),
 }
 p.OutputChanges[oc.Addr.OutputValue.Name] = c
diff --git a/command/testdata/show-json/basic-create/output.json b/command/testdata/show-json/basic-create/output.json
index 01a26d09b6..017054bccd 100644
--- a/command/testdata/show-json/basic-create/output.json
+++ b/command/testdata/show-json/basic-create/output.json
@@ -140,7 +140,9 @@
 ],
 "before": null,
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "configuration": {
diff --git a/command/testdata/show-json/basic-delete/output.json b/command/testdata/show-json/basic-delete/output.json
index f9efd426fb..6b29d785f7 100644
--- a/command/testdata/show-json/basic-delete/output.json
+++ b/command/testdata/show-json/basic-delete/output.json
@@ -81,7 +81,9 @@
 ],
 "before": null,
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "prior_state": {
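Review bot: In the `change` literal of marshalOutputChanges (command/jsonplan/plan.go), `Before` and `After` are still emitted as raw values when `oc.Sensitive` is true; the two new fields only flag them, and the sensitive-values fixture updated in this commit shows `"after": "boop"` next to `"after_sensitive": true`. The new comment block should state that explicitly so consumers do not assume redaction, for example `// Before and After are emitted unredacted; consumers must check BeforeSensitive/AfterSensitive before displaying them.` Separately, the added `ctyjson.Marshal` call returns its error while the adjacent context line `a, _ := ctyjson.Marshal(afterUnknown, afterUnknown.Type())` still discards it; handling both the same way would keep the function consistent. The function body starts and ends outside this hunk, so the surrounding loop and earlier error handling are not visible here.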
diff --git a/command/testdata/show-json/basic-update/output.json b/command/testdata/show-json/basic-update/output.json
index 8a2f4de6f8..a6779801f9 100644
--- a/command/testdata/show-json/basic-update/output.json
+++ b/command/testdata/show-json/basic-update/output.json
@@ -61,7 +61,9 @@
 ],
 "before": "bar",
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "prior_state": {
diff --git a/command/testdata/show-json/modules/output.json b/command/testdata/show-json/modules/output.json
index b78a9d1abe..445f269c26 100644
--- a/command/testdata/show-json/modules/output.json
+++ b/command/testdata/show-json/modules/output.json
@@ -181,7 +181,9 @@
 ],
 "before": null,
 "after": "baz",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "configuration": {
diff --git a/command/testdata/show-json/multi-resource-update/output.json b/command/testdata/show-json/multi-resource-update/output.json
index a0418499f3..564a4d7130 100644
--- a/command/testdata/show-json/multi-resource-update/output.json
+++ b/command/testdata/show-json/multi-resource-update/output.json
@@ -98,7 +98,9 @@
 ],
 "before": "bar",
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "prior_state": {
diff --git a/command/testdata/show-json/provider-version-no-config/output.json b/command/testdata/show-json/provider-version-no-config/output.json
index 6163763319..7e0b841f8d 100644
--- a/command/testdata/show-json/provider-version-no-config/output.json
+++ b/command/testdata/show-json/provider-version-no-config/output.json
@@ -140,7 +140,9 @@
 ],
 "before": null,
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "configuration": {
diff --git a/command/testdata/show-json/provider-version/output.json b/command/testdata/show-json/provider-version/output.json
index df1540e31c..eef936ec30 100644
--- a/command/testdata/show-json/provider-version/output.json
+++ b/command/testdata/show-json/provider-version/output.json
@@ -140,7 +140,9 @@
 ],
 "before": null,
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "configuration": {
diff --git a/command/testdata/show-json/sensitive-values/output.json b/command/testdata/show-json/sensitive-values/output.json
index b694fee75b..51105382a8 100644
--- a/command/testdata/show-json/sensitive-values/output.json
+++ b/command/testdata/show-json/sensitive-values/output.json
@@ -60,7 +60,9 @@
 ],
 "before": null,
 "after": "boop",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": true,
+ "after_sensitive": true
 }
 },
 "prior_state": {