
Commit 076fccd

committed
fix: don't reveal nested attributes with sensitive schema
1 parent 730756e commit 076fccd


2 files changed

+1090
-203
lines changed


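--- a/internal/command/format/diff.go
+++ b/internal/command/format/diff.go
@@ -398,7 +398,7 @@ func (p *blockBodyDiffPrinter) writeAttrDiff(name string, attrS *configschema.At
 }
 
 if attrS.NestedType != nil {
-p.writeNestedAttrDiff(name, attrS.NestedType, old, new, nameLen, indent, path, action, showJustNew)
+p.writeNestedAttrDiff(name, attrS, old, new, nameLen, indent, path, action, showJustNew)
 return false
 }
 
@@ -416,7 +416,7 @@ func (p *blockBodyDiffPrinter) writeAttrDiff(name string, attrS *configschema.At
 p.buf.WriteString(" = ")
 
 if attrS.Sensitive {
-p.buf.WriteString("(sensitive value)")
+p.buf.WriteString("(sensitive)")
 if p.pathForcesNewResource(path) {
 p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
 }
@@ -441,9 +441,11 @@ func (p *blockBodyDiffPrinter) writeAttrDiff(name string, attrS *configschema.At
 // writeNestedAttrDiff is responsible for formatting Attributes with NestedTypes
 // in the diff.
 func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
-name string, objS *configschema.Object, old, new cty.Value,
+name string, attrWithNestedS *configschema.Attribute, old, new cty.Value,
 nameLen, indent int, path cty.Path, action plans.Action, showJustNew bool) {
 
+objS := attrWithNestedS.NestedType
+
 p.buf.WriteString("\n")
 p.writeSensitivityWarning(old, new, indent, action, false)
 p.buf.WriteString(strings.Repeat(" ", indent))
@@ -454,8 +456,11 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 p.buf.WriteString(p.color.Color("[reset]"))
 p.buf.WriteString(strings.Repeat(" ", nameLen-len(name)))
 
-if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
-p.buf.WriteString(" = (sensitive value)")
+// Then schema of the attribute itself can be marked sensitive, or the values assigned
+sensitive := attrWithNestedS.Sensitive || old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive)
+if sensitive {
+p.buf.WriteString(" = (sensitive)")
+
 if p.pathForcesNewResource(path) {
 p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
 }
@@ -475,6 +480,12 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 p.buf.WriteString(strings.Repeat(" ", indent+2))
 p.buf.WriteString("}")
 
+if !new.IsKnown() {
+p.buf.WriteString(" -> (known after apply)")
+} else if new.IsNull() {
+p.buf.WriteString(p.color.Color("[dark_gray] -> null[reset]"))
+}
+
 case configschema.NestingList:
 p.buf.WriteString(" = [")
 if action != plans.NoOp && (p.pathForcesNewResource(path) || p.pathForcesNewResource(path[:len(path)-1])) {
@@ -558,6 +569,8 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 
 if !new.IsKnown() {
 p.buf.WriteString(" -> (known after apply)")
+} else if new.IsNull() {
+p.buf.WriteString(p.color.Color("[dark_gray] -> null[reset]"))
 }
 
 case configschema.NestingSet:
@@ -636,6 +649,8 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 
 if !new.IsKnown() {
 p.buf.WriteString(" -> (known after apply)")
+} else if new.IsNull() {
+p.buf.WriteString(p.color.Color("[dark_gray] -> null[reset]"))
 }
 
 case configschema.NestingMap:
@@ -711,6 +726,8 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 p.buf.WriteString("}")
 if !new.IsKnown() {
 p.buf.WriteString(" -> (known after apply)")
+} else if new.IsNull() {
+p.buf.WriteString(p.color.Color("[dark_gray] -> null[reset]"))
 }
 }
 }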
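Review bot: Redaction of a schema-sensitive nested attribute now rests on the new check near the top of writeNestedAttrDiff, while writeAttrDiff still branches on `attrS.NestedType != nil` before it reaches its own `attrS.Sensitive` test, so the rule and the placeholder string each exist in two copies. Hoisting the marker into one constant next to `forcesNewResourceCaption`, for example `const sensitiveCaption = "(sensitive)"`, and writing it at both sites would keep the two paths from drifting apart again. The new comment has a typo and trails off; `// The schema of the attribute itself can be marked sensitive, or the assigned values can carry the sensitive mark.` states the condition fully. The sensitive branch continues past the end of its hunk, so it is worth confirming that it returns before the nesting-mode switch, since anything written after it would render the object's contents.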
