
Store all sensitive marks for non-root module outputs in state #32891

Merged
jbardin merged 3 commits into main from jbardin/sensitive-mod-outputs on Mar 21, 2023

@jbardin (Member) commented Mar 20, 2023

The outputs from non-root modules which contained nested sensitive values were being treated as entirely sensitive when evaluating them from state during apply. In order to have detailed information about sensitivity from non-root module outputs, we need to store the value along with all sensitive marks. This aligns with the usage of state being the in-memory store for other temporary values like locals and variables. Also like locals and variables, these outputs are not serialized to state storage, so will not be affected by the inclusion of the marks.

Fixes #32880

jbardin added 3 commits March 20, 2023 13:27
Module outputs are evaluated from state, so in order to have detailed
information about sensitivity from non-root module outputs, we need to
store the value along with all sensitive marks. This aligns with the
usage of state being the in-memory store for other temporary values like
locals and variables.
@jbardin jbardin added the 1.4-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged label Mar 20, 2023
@jbardin jbardin requested a review from a team March 20, 2023 18:22
@jbardin jbardin merged commit 9504b26 into main Mar 21, 2023
@jbardin jbardin deleted the jbardin/sensitive-mod-outputs branch March 21, 2023 17:59
@github-actions (Contributor)

Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.

@github-actions (Contributor)

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 21, 2023

Development

Successfully merging this pull request may close these issues.

Since 1.4 output is flagged as sensitive
