
Commit be5984d

authored
Merge pull request #32004 from hashicorp/brandonc/nested_attr_sensitive
fix: don't reveal nested attributes with sensitive schema
2 parents 4148dbf + bd744ad commit be5984d


11 files changed

+952
-61
lines changed


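--- a/internal/command/console_test.go
+++ b/internal/command/console_test.go
@@ -172,8 +172,8 @@ func TestConsole_variables(t *testing.T) {
 commands := map[string]string{
 "var.foo\n": "\"bar\"\n",
 "var.snack\n": "\"popcorn\"\n",
-"var.secret_snack\n": "(sensitive)\n",
-"local.snack_bar\n": "[\n \"popcorn\",\n (sensitive),\n]\n",
+"var.secret_snack\n": "(sensitive value)\n",
+"local.snack_bar\n": "[\n \"popcorn\",\n (sensitive value),\n]\n",
 }
 
 args := []string{}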

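--- a/internal/command/format/diff.go
+++ b/internal/command/format/diff.go
@@ -274,7 +274,10 @@ type blockBodyDiffResult struct {
 skippedBlocks int
 }
 
-const forcesNewResourceCaption = " [red]# forces replacement[reset]"
+const (
+forcesNewResourceCaption = " [red]# forces replacement[reset]"
+sensitiveCaption = "(sensitive value)"
+)
 
 // writeBlockBodyDiff writes attribute or block differences
 // and returns true if any differences were found and written
@@ -398,7 +401,7 @@ func (p *blockBodyDiffPrinter) writeAttrDiff(name string, attrS *configschema.At
 }
 
 if attrS.NestedType != nil {
-p.writeNestedAttrDiff(name, attrS.NestedType, old, new, nameLen, indent, path, action, showJustNew)
+p.writeNestedAttrDiff(name, attrS, old, new, nameLen, indent, path, action, showJustNew)
 return false
 }
 
@@ -416,7 +419,7 @@ func (p *blockBodyDiffPrinter) writeAttrDiff(name string, attrS *configschema.At
 p.buf.WriteString(" = ")
 
 if attrS.Sensitive {
-p.buf.WriteString("(sensitive value)")
+p.buf.WriteString(sensitiveCaption)
 if p.pathForcesNewResource(path) {
 p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
 }
@@ -441,9 +444,11 @@ func (p *blockBodyDiffPrinter) writeAttrDiff(name string, attrS *configschema.At
 // writeNestedAttrDiff is responsible for formatting Attributes with NestedTypes
 // in the diff.
 func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
-name string, objS *configschema.Object, old, new cty.Value,
+name string, attrWithNestedS *configschema.Attribute, old, new cty.Value,
 nameLen, indent int, path cty.Path, action plans.Action, showJustNew bool) {
 
+objS := attrWithNestedS.NestedType
+
 p.buf.WriteString("\n")
 p.writeSensitivityWarning(old, new, indent, action, false)
 p.buf.WriteString(strings.Repeat(" ", indent))
@@ -454,8 +459,12 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 p.buf.WriteString(p.color.Color("[reset]"))
 p.buf.WriteString(strings.Repeat(" ", nameLen-len(name)))
 
-if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
-p.buf.WriteString(" = (sensitive value)")
+// Then schema of the attribute itself can be marked sensitive, or the values assigned
+sensitive := attrWithNestedS.Sensitive || old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive)
+if sensitive {
+p.buf.WriteString(" = ")
+p.buf.WriteString(sensitiveCaption)
+
 if p.pathForcesNewResource(path) {
 p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
 }
@@ -475,6 +484,12 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 p.buf.WriteString(strings.Repeat(" ", indent+2))
 p.buf.WriteString("}")
 
+if !new.IsKnown() {
+p.buf.WriteString(" -> (known after apply)")
+} else if new.IsNull() {
+p.buf.WriteString(p.color.Color("[dark_gray] -> null[reset]"))
+}
+
 case configschema.NestingList:
 p.buf.WriteString(" = [")
 if action != plans.NoOp && (p.pathForcesNewResource(path) || p.pathForcesNewResource(path[:len(path)-1])) {
@@ -558,6 +573,8 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 
 if !new.IsKnown() {
 p.buf.WriteString(" -> (known after apply)")
+} else if new.IsNull() {
+p.buf.WriteString(p.color.Color("[dark_gray] -> null[reset]"))
 }
 
 case configschema.NestingSet:
@@ -636,6 +653,8 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 
 if !new.IsKnown() {
 p.buf.WriteString(" -> (known after apply)")
+} else if new.IsNull() {
+p.buf.WriteString(p.color.Color("[dark_gray] -> null[reset]"))
 }
 
 case configschema.NestingMap:
@@ -711,6 +730,8 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
 p.buf.WriteString("}")
 if !new.IsKnown() {
 p.buf.WriteString(" -> (known after apply)")
+} else if new.IsNull() {
+p.buf.WriteString(p.color.Color("[dark_gray] -> null[reset]"))
 }
 }
 }
@@ -725,7 +746,7 @@ func (p *blockBodyDiffPrinter) writeNestedBlockDiffs(name string, blockS *config
 
 // If either the old or the new value is marked,
 // Display a special diff because it is irrelevant
-// to list all obfuscated attributes as (sensitive)
+// to list all obfuscated attributes as (sensitive value)
 if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
 p.writeSensitiveNestedBlockDiff(name, old, new, indent, blankBefore, path)
 return 0
@@ -1008,7 +1029,7 @@ func (p *blockBodyDiffPrinter) writeNestedBlockDiff(name string, label *string,
 func (p *blockBodyDiffPrinter) writeValue(val cty.Value, action plans.Action, indent int) {
 // Could check specifically for the sensitivity marker
 if val.HasMark(marks.Sensitive) {
-p.buf.WriteString("(sensitive)")
+p.buf.WriteString(sensitiveCaption)
 return
 }
 
@@ -1176,7 +1197,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
 // values are known and non-null.
 if old.IsKnown() && new.IsKnown() && !old.IsNull() && !new.IsNull() && typesEqual {
 if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
-p.buf.WriteString("(sensitive)")
+p.buf.WriteString(sensitiveCaption)
 if p.pathForcesNewResource(path) {
 p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
 }
@@ -1547,7 +1568,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
 case plans.Create, plans.NoOp:
 v := new.Index(kV)
 if v.HasMark(marks.Sensitive) {
-p.buf.WriteString("(sensitive)")
+p.buf.WriteString(sensitiveCaption)
 } else {
 p.writeValue(v, action, indent+4)
 }
@@ -1557,7 +1578,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
 p.writeValueDiff(oldV, newV, indent+4, path)
 default:
 if oldV.HasMark(marks.Sensitive) || newV.HasMark(marks.Sensitive) {
-p.buf.WriteString("(sensitive)")
+p.buf.WriteString(sensitiveCaption)
 } else {
 p.writeValueDiff(oldV, newV, indent+4, path)
 }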
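Review bot: The comment introduced above the new `sensitive` gate in writeNestedAttrDiff (hunk at old line 454) has a typo and reads as a sequencing statement rather than the explanation it is meant to be; it should say `// The schema of the attribute itself can be marked sensitive, or the values assigned can carry the sensitive mark.` Since this gate is the line that decides whether nested values are printed or redacted, that comment is worth getting right for the next person who touches it. A smaller style point: the same hunks that replace the literal "(sensitive value)" with `sensitiveCaption` add the literals `" -> (known after apply)"` and `"[dark_gray] -> null[reset]"` four times across the NestingSingle, NestingList, NestingSet and NestingMap cases (old lines 475, 558, 636 and 711); hoisting them into the new `const` block next to `sensitiveCaption` would keep the captions in one place. The body of writeNestedAttrDiff, including whatever follows the `if sensitive {` block, extends outside these hunks, so I cannot confirm from here that the sensitive branch returns before the per-nesting-mode output.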
