Unify all sensitive value plan output as "(sensitive value)"

Previously, there was mixed usage of "(sensitive)" and "(sensitive value)" and even though it was more common to see "(sensitive)", the thought is that it's a value we are hiding rather than describing something already shown.
Brandon Croft 2022-10-20 10:09:21 -06:00
parent 076fccd8e7
commit bd744ad4e9
No known key found for this signature in database
GPG Key ID: B01E32423322EB9D
11 changed files with 67 additions and 63 deletions


@ -172,8 +172,8 @@ func TestConsole_variables(t *testing.T) {
commands := map[string]string{ commands := map[string]string{
"var.foo\n": "\"bar\"\n", "var.foo\n": "\"bar\"\n",
"var.snack\n": "\"popcorn\"\n", "var.snack\n": "\"popcorn\"\n",
"var.secret_snack\n": "(sensitive)\n", "var.secret_snack\n": "(sensitive value)\n",
"local.snack_bar\n": "[\n \"popcorn\",\n (sensitive),\n]\n", "local.snack_bar\n": "[\n \"popcorn\",\n (sensitive value),\n]\n",
} }
args := []string{} args := []string{}


@ -274,7 +274,10 @@ type blockBodyDiffResult struct {
skippedBlocks int skippedBlocks int
} }
const forcesNewResourceCaption = " [red]# forces replacement[reset]" const (
forcesNewResourceCaption = " [red]# forces replacement[reset]"
sensitiveCaption = "(sensitive value)"
)
// writeBlockBodyDiff writes attribute or block differences // writeBlockBodyDiff writes attribute or block differences
// and returns true if any differences were found and written // and returns true if any differences were found and written
@ -416,7 +419,7 @@ func (p *blockBodyDiffPrinter) writeAttrDiff(name string, attrS *configschema.At
p.buf.WriteString(" = ") p.buf.WriteString(" = ")
if attrS.Sensitive { if attrS.Sensitive {
p.buf.WriteString("(sensitive)") p.buf.WriteString(sensitiveCaption)
if p.pathForcesNewResource(path) { if p.pathForcesNewResource(path) {
p.buf.WriteString(p.color.Color(forcesNewResourceCaption)) p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
} }
@ -459,7 +462,8 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
// Then schema of the attribute itself can be marked sensitive, or the values assigned // Then schema of the attribute itself can be marked sensitive, or the values assigned
sensitive := attrWithNestedS.Sensitive || old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) sensitive := attrWithNestedS.Sensitive || old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive)
if sensitive { if sensitive {
p.buf.WriteString(" = (sensitive)") p.buf.WriteString(" = ")
p.buf.WriteString(sensitiveCaption)
if p.pathForcesNewResource(path) { if p.pathForcesNewResource(path) {
p.buf.WriteString(p.color.Color(forcesNewResourceCaption)) p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
@ -742,7 +746,7 @@ func (p *blockBodyDiffPrinter) writeNestedBlockDiffs(name string, blockS *config
// If either the old or the new value is marked, // If either the old or the new value is marked,
// Display a special diff because it is irrelevant // Display a special diff because it is irrelevant
// to list all obfuscated attributes as (sensitive) // to list all obfuscated attributes as (sensitive value)
if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) { if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
p.writeSensitiveNestedBlockDiff(name, old, new, indent, blankBefore, path) p.writeSensitiveNestedBlockDiff(name, old, new, indent, blankBefore, path)
return 0 return 0
@ -1025,7 +1029,7 @@ func (p *blockBodyDiffPrinter) writeNestedBlockDiff(name string, label *string,
func (p *blockBodyDiffPrinter) writeValue(val cty.Value, action plans.Action, indent int) { func (p *blockBodyDiffPrinter) writeValue(val cty.Value, action plans.Action, indent int) {
// Could check specifically for the sensitivity marker // Could check specifically for the sensitivity marker
if val.HasMark(marks.Sensitive) { if val.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)") p.buf.WriteString(sensitiveCaption)
return return
} }
@ -1193,7 +1197,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
// values are known and non-null. // values are known and non-null.
if old.IsKnown() && new.IsKnown() && !old.IsNull() && !new.IsNull() && typesEqual { if old.IsKnown() && new.IsKnown() && !old.IsNull() && !new.IsNull() && typesEqual {
if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) { if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)") p.buf.WriteString(sensitiveCaption)
if p.pathForcesNewResource(path) { if p.pathForcesNewResource(path) {
p.buf.WriteString(p.color.Color(forcesNewResourceCaption)) p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
} }
@ -1564,7 +1568,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
case plans.Create, plans.NoOp: case plans.Create, plans.NoOp:
v := new.Index(kV) v := new.Index(kV)
if v.HasMark(marks.Sensitive) { if v.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)") p.buf.WriteString(sensitiveCaption)
} else { } else {
p.writeValue(v, action, indent+4) p.writeValue(v, action, indent+4)
} }
@ -1574,7 +1578,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
p.writeValueDiff(oldV, newV, indent+4, path) p.writeValueDiff(oldV, newV, indent+4, path)
default: default:
if oldV.HasMark(marks.Sensitive) || newV.HasMark(marks.Sensitive) { if oldV.HasMark(marks.Sensitive) || newV.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)") p.buf.WriteString(sensitiveCaption)
} else { } else {
p.writeValueDiff(oldV, newV, indent+4, path) p.writeValueDiff(oldV, newV, indent+4, path)
} }
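Review bot: The new `sensitiveCaption` constant in the const block has no comment identifying it as the redaction placeholder, and it is unexported, so only this printer can share it. I would add `// sensitiveCaption is written in place of any value that is sensitive by schema or by mark; the value itself must not reach the plan output.` above it. The string is user-visible output, so anything that matches the old `(sensitive)` text in captured plan logs would presumably stop matching after this change; a changelog entry would make that visible. The functions these hunks touch (writeAttrDiff, writeNestedAttrDiff, writeValue, writeValueDiff) all start or end outside the visible lines.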


@ -411,11 +411,11 @@ new line
ExpectedOutput: ` # test_instance.example will be created ExpectedOutput: ` # test_instance.example will be created
+ resource "test_instance" "example" { + resource "test_instance" "example" {
+ conn_info = { + conn_info = {
+ password = (sensitive) + password = (sensitive value)
+ user = "not-secret" + user = "not-secret"
} }
+ id = (known after apply) + id = (known after apply)
+ password = (sensitive) + password = (sensitive value)
} }
`, `,
}, },
@ -3048,7 +3048,7 @@ func TestResourceChange_nestedSet(t *testing.T) {
ExpectedOutput: ` # test_instance.example will be created ExpectedOutput: ` # test_instance.example will be created
+ resource "test_instance" "example" { + resource "test_instance" "example" {
+ ami = "ami-AFTER" + ami = "ami-AFTER"
+ disks = (sensitive) + disks = (sensitive value)
+ id = "i-02ae66f368e8518a9" + id = "i-02ae66f368e8518a9"
+ root_block_device { + root_block_device {
@ -3146,7 +3146,7 @@ func TestResourceChange_nestedSet(t *testing.T) {
~ ami = "ami-BEFORE" -> "ami-AFTER" ~ ami = "ami-BEFORE" -> "ami-AFTER"
# Warning: this attribute value will be marked as sensitive and will not # Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. # display in UI output after applying this change.
~ disks = (sensitive) ~ disks = (sensitive value)
id = "i-02ae66f368e8518a9" id = "i-02ae66f368e8518a9"
+ root_block_device { + root_block_device {
@ -3197,7 +3197,7 @@ func TestResourceChange_nestedSet(t *testing.T) {
~ ami = "ami-BEFORE" -> "ami-AFTER" ~ ami = "ami-BEFORE" -> "ami-AFTER"
# Warning: this attribute value will be marked as sensitive and will not # Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged. # display in UI output after applying this change. The value is unchanged.
~ disks = (sensitive) ~ disks = (sensitive value)
id = "i-02ae66f368e8518a9" id = "i-02ae66f368e8518a9"
} }
`, `,
@ -3965,7 +3965,7 @@ func TestResourceChange_nestedMap(t *testing.T) {
~ ami = "ami-BEFORE" -> "ami-AFTER" ~ ami = "ami-BEFORE" -> "ami-AFTER"
~ disks = { ~ disks = {
+ "disk_a" = { + "disk_a" = {
+ mount_point = (sensitive) + mount_point = (sensitive value)
+ size = "50GB" + size = "50GB"
}, },
} }
@ -5728,18 +5728,18 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
}, },
ExpectedOutput: ` # test_instance.example will be created ExpectedOutput: ` # test_instance.example will be created
+ resource "test_instance" "example" { + resource "test_instance" "example" {
+ ami = (sensitive) + ami = (sensitive value)
+ id = "i-02ae66f368e8518a9" + id = "i-02ae66f368e8518a9"
+ list_field = [ + list_field = [
+ "hello", + "hello",
+ (sensitive), + (sensitive value),
+ "!", + "!",
] ]
+ map_key = { + map_key = {
+ "breakfast" = 800 + "breakfast" = 800
+ "dinner" = (sensitive) + "dinner" = (sensitive value)
} }
+ map_whole = (sensitive) + map_whole = (sensitive value)
+ nested_block_list { + nested_block_list {
# At least one attribute in this block is (or was) sensitive, # At least one attribute in this block is (or was) sensitive,
@ -5882,29 +5882,29 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
~ resource "test_instance" "example" { ~ resource "test_instance" "example" {
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. # after applying this change.
~ ami = (sensitive) ~ ami = (sensitive value)
id = "i-02ae66f368e8518a9" id = "i-02ae66f368e8518a9"
~ list_field = [ ~ list_field = [
# (1 unchanged element hidden) # (1 unchanged element hidden)
"friends", "friends",
- (sensitive), - (sensitive value),
+ ".", + ".",
] ]
~ map_key = { ~ map_key = {
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. # after applying this change.
~ "dinner" = (sensitive) ~ "dinner" = (sensitive value)
# (1 unchanged element hidden) # (1 unchanged element hidden)
} }
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. # after applying this change.
~ map_whole = (sensitive) ~ map_whole = (sensitive value)
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. # after applying this change.
~ some_number = (sensitive) ~ some_number = (sensitive value)
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. # after applying this change.
~ special = (sensitive) ~ special = (sensitive value)
# Warning: this block will no longer be marked as sensitive # Warning: this block will no longer be marked as sensitive
# after applying this change. # after applying this change.
@ -6007,18 +6007,18 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
id = "i-02ae66f368e8518a9" id = "i-02ae66f368e8518a9"
~ list_field = [ ~ list_field = [
- "hello", - "hello",
+ (sensitive), + (sensitive value),
"friends", "friends",
] ]
~ map_key = { ~ map_key = {
~ "breakfast" = 800 -> 700 ~ "breakfast" = 800 -> 700
# Warning: this attribute value will be marked as sensitive and will not # Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. # display in UI output after applying this change.
~ "dinner" = (sensitive) ~ "dinner" = (sensitive value)
} }
# Warning: this attribute value will be marked as sensitive and will not # Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. # display in UI output after applying this change.
~ map_whole = (sensitive) ~ map_whole = (sensitive value)
# Warning: this block will be marked as sensitive and will not # Warning: this block will be marked as sensitive and will not
# display in UI output after applying this change. # display in UI output after applying this change.
@ -6143,15 +6143,15 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
~ ami = (sensitive value) ~ ami = (sensitive value)
id = "i-02ae66f368e8518a9" id = "i-02ae66f368e8518a9"
~ list_field = [ ~ list_field = [
- (sensitive), - (sensitive value),
+ (sensitive), + (sensitive value),
"friends", "friends",
] ]
~ map_key = { ~ map_key = {
~ "dinner" = (sensitive) ~ "dinner" = (sensitive value)
# (1 unchanged element hidden) # (1 unchanged element hidden)
} }
~ map_whole = (sensitive) ~ map_whole = (sensitive value)
~ nested_block_map { ~ nested_block_map {
# At least one attribute in this block is (or was) sensitive, # At least one attribute in this block is (or was) sensitive,
@ -6289,29 +6289,29 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
~ resource "test_instance" "example" { ~ resource "test_instance" "example" {
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged. # after applying this change. The value is unchanged.
~ ami = (sensitive) ~ ami = (sensitive value)
id = "i-02ae66f368e8518a9" id = "i-02ae66f368e8518a9"
~ list_field = [ ~ list_field = [
# (1 unchanged element hidden) # (1 unchanged element hidden)
"friends", "friends",
- (sensitive), - (sensitive value),
+ "!", + "!",
] ]
~ map_key = { ~ map_key = {
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged. # after applying this change. The value is unchanged.
~ "dinner" = (sensitive) ~ "dinner" = (sensitive value)
# (1 unchanged element hidden) # (1 unchanged element hidden)
} }
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged. # after applying this change. The value is unchanged.
~ map_whole = (sensitive) ~ map_whole = (sensitive value)
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged. # after applying this change. The value is unchanged.
~ some_number = (sensitive) ~ some_number = (sensitive value)
# Warning: this attribute value will no longer be marked as sensitive # Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged. # after applying this change. The value is unchanged.
~ special = (sensitive) ~ special = (sensitive value)
# Warning: this block will no longer be marked as sensitive # Warning: this block will no longer be marked as sensitive
# after applying this change. # after applying this change.
@ -6410,17 +6410,17 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
}, },
ExpectedOutput: ` # test_instance.example will be destroyed ExpectedOutput: ` # test_instance.example will be destroyed
- resource "test_instance" "example" { - resource "test_instance" "example" {
- ami = (sensitive) -> null - ami = (sensitive value) -> null
- id = "i-02ae66f368e8518a9" -> null - id = "i-02ae66f368e8518a9" -> null
- list_field = [ - list_field = [
- "hello", - "hello",
- (sensitive), - (sensitive value),
] -> null ] -> null
- map_key = { - map_key = {
- "breakfast" = 800 - "breakfast" = 800
- "dinner" = (sensitive) - "dinner" = (sensitive value)
} -> null } -> null
- map_whole = (sensitive) -> null - map_whole = (sensitive value) -> null
- nested_block_set { - nested_block_set {
# At least one attribute in this block is (or was) sensitive, # At least one attribute in this block is (or was) sensitive,
@ -6492,7 +6492,7 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
), ),
ExpectedOutput: ` # test_instance.example must be replaced ExpectedOutput: ` # test_instance.example must be replaced
-/+ resource "test_instance" "example" { -/+ resource "test_instance" "example" {
~ ami = (sensitive) # forces replacement ~ ami = (sensitive value) # forces replacement
id = "i-02ae66f368e8518a9" id = "i-02ae66f368e8518a9"
~ nested_block_set { # forces replacement ~ nested_block_set { # forces replacement
@ -6524,7 +6524,7 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
), ),
ExpectedOutput: ` # test_instance.example must be replaced ExpectedOutput: ` # test_instance.example must be replaced
-/+ resource "test_instance" "example" { -/+ resource "test_instance" "example" {
~ ami = (sensitive) # forces replacement ~ ami = (sensitive value) # forces replacement
id = "i-02ae66f368e8518a9" id = "i-02ae66f368e8518a9"
} }
`, `,
@ -6567,7 +6567,7 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
ExpectedOutput: ` # test_instance.example must be replaced ExpectedOutput: ` # test_instance.example must be replaced
-/+ resource "test_instance" "example" { -/+ resource "test_instance" "example" {
~ conn_info = { # forces replacement ~ conn_info = { # forces replacement
~ password = (sensitive) ~ password = (sensitive value)
# (1 unchanged attribute hidden) # (1 unchanged attribute hidden)
} }
id = "i-02ae66f368e8518a9" id = "i-02ae66f368e8518a9"
@ -6824,7 +6824,7 @@ func TestOutputChanges(t *testing.T) {
}, },
` `
~ a = 1 -> 2 ~ a = 1 -> 2
~ b = (sensitive) ~ b = (sensitive value)
~ c = false -> true`, ~ c = false -> true`,
}, },
} }


@ -18,7 +18,7 @@ func FormatValue(v cty.Value, indent int) string {
return "(known after apply)" return "(known after apply)"
} }
if v.HasMark(marks.Sensitive) { if v.HasMark(marks.Sensitive) {
return "(sensitive)" return "(sensitive value)"
} }
if v.IsNull() { if v.IsNull() {
ty := v.Type() ty := v.Type()
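Review bot: `FormatValue` still returns the placeholder as a bare literal, `return "(sensitive value)"`, while the plan renderer in this same commit moved to a `sensitiveCaption` constant. That leaves two independent copies of the redaction text, so the two output paths can drift apart again, which is the inconsistency this commit sets out to remove. Consider one exported constant in a package both call sites can import (assuming that creates no import cycle) and returning it here. FormatValue's body continues outside the hunk.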


@ -171,8 +171,8 @@ EOT_`,
`toset([])`, `toset([])`,
}, },
{ {
cty.StringVal("sensitive value").Mark(marks.Sensitive), cty.StringVal("a sensitive value").Mark(marks.Sensitive),
"(sensitive)", "(sensitive value)",
}, },
} }


@ -63,11 +63,11 @@ the `keys()` function will result in a list that is sensitive:
```shell ```shell
> local.baz > local.baz
{ {
"a" = (sensitive) "a" = (sensitive value)
"b" = "dog" "b" = "dog"
} }
> keys(local.baz) > keys(local.baz)
(sensitive) (sensitive value)
``` ```
## When Terraform Calls Functions ## When Terraform Calls Functions


@ -292,7 +292,7 @@ Note that unlike `count`, splat expressions are _not_ directly applicable to res
When defining the schema for a resource type, a provider developer can mark When defining the schema for a resource type, a provider developer can mark
certain attributes as _sensitive_, in which case Terraform will show a certain attributes as _sensitive_, in which case Terraform will show a
placeholder marker `(sensitive)` instead of the actual value when rendering placeholder marker `(sensitive value)` instead of the actual value when rendering
a plan involving that attribute. a plan involving that attribute.
A provider attribute marked as sensitive behaves similarly to an A provider attribute marked as sensitive behaves similarly to an


@ -91,11 +91,11 @@ the local value `mixed_content`, with a valid JSON string assigned to
``` ```
> var.mixed_content_json > var.mixed_content_json
(sensitive) (sensitive value)
> local.mixed_content > local.mixed_content
(sensitive) (sensitive value)
> local.mixed_content["password"] > local.mixed_content["password"]
(sensitive) (sensitive value)
> nonsensitive(local.mixed_content["username"]) > nonsensitive(local.mixed_content["username"])
"zqb" "zqb"
> nonsensitive("clear") > nonsensitive("clear")


@ -34,9 +34,9 @@ because they may be exposed in other ways outside of Terraform's control.
``` ```
> sensitive(1) > sensitive(1)
(sensitive) (sensitive value)
> sensitive("hello") > sensitive("hello")
(sensitive) (sensitive value)
> sensitive([]) > sensitive([])
(sensitive) (sensitive value)
``` ```


@ -159,7 +159,7 @@ Terraform will perform the following actions:
# test_instance.x will be created # test_instance.x will be created
+ resource "test_instance" "x" { + resource "test_instance" "x" {
+ some_attribute = (sensitive) + some_attribute = (sensitive value)
} }
Plan: 1 to add, 0 to change, 0 to destroy. Plan: 1 to add, 0 to change, 0 to destroy.


@ -218,8 +218,8 @@ Terraform will perform the following actions:
# some_resource.a will be created # some_resource.a will be created
+ resource "some_resource" "a" { + resource "some_resource" "a" {
+ name = (sensitive) + name = (sensitive value)
+ address = (sensitive) + address = (sensitive value)
} }
Plan: 1 to add, 0 to change, 0 to destroy. Plan: 1 to add, 0 to change, 0 to destroy.
@ -262,7 +262,7 @@ If a resource attribute is used as, or part of, the provider-defined resource id
+ resource "random_pet" "animal" { + resource "random_pet" "animal" {
+ id = (known after apply) + id = (known after apply)
+ length = 2 + length = 2
+ prefix = (sensitive) + prefix = (sensitive value)
+ separator = "-" + separator = "-"
} }