Unify all sensitive value plan output as "(sensitive value)"
Previously, there was mixed usage of "(sensitive)" and "(sensitive value)" and even though it was more common to see "(sensitive)", the thought is that it's a value we are hiding rather than describing something already shown.
brandonc committed Oct 24, 2022
1 parent adf0b95 commit f7198e2
Showing 11 changed files with 67 additions and 63 deletions.
4 changes: 2 additions & 2 deletions internal/command/console_test.go
Expand Up @@ -172,8 +172,8 @@ func TestConsole_variables(t *testing.T) {
commands := map[string]string{
"var.foo\n": "\"bar\"\n",
"var.snack\n": "\"popcorn\"\n",
"var.secret_snack\n": "(sensitive)\n",
"local.snack_bar\n": "[\n \"popcorn\",\n (sensitive),\n]\n",
"var.secret_snack\n": "(sensitive value)\n",
"local.snack_bar\n": "[\n \"popcorn\",\n (sensitive value),\n]\n",
}

args := []string{}
20 changes: 12 additions & 8 deletions internal/command/format/diff.go
Expand Up @@ -274,7 +274,10 @@ type blockBodyDiffResult struct {
skippedBlocks int
}

const forcesNewResourceCaption = " [red]# forces replacement[reset]"
const (
forcesNewResourceCaption = " [red]# forces replacement[reset]"
sensitiveCaption = "(sensitive value)"
)

// writeBlockBodyDiff writes attribute or block differences
// and returns true if any differences were found and written
Expand Down Expand Up @@ -416,7 +419,7 @@ func (p *blockBodyDiffPrinter) writeAttrDiff(name string, attrS *configschema.At
p.buf.WriteString(" = ")

if attrS.Sensitive {
p.buf.WriteString("(sensitive)")
p.buf.WriteString(sensitiveCaption)
if p.pathForcesNewResource(path) {
p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
}
Expand Down Expand Up @@ -459,7 +462,8 @@ func (p *blockBodyDiffPrinter) writeNestedAttrDiff(
// Then schema of the attribute itself can be marked sensitive, or the values assigned
sensitive := attrWithNestedS.Sensitive || old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive)
if sensitive {
p.buf.WriteString(" = (sensitive)")
p.buf.WriteString(" = ")
p.buf.WriteString(sensitiveCaption)

if p.pathForcesNewResource(path) {
p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
Expand Down Expand Up @@ -742,7 +746,7 @@ func (p *blockBodyDiffPrinter) writeNestedBlockDiffs(name string, blockS *config

// If either the old or the new value is marked,
// Display a special diff because it is irrelevant
// to list all obfuscated attributes as (sensitive)
// to list all obfuscated attributes as (sensitive value)
if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
p.writeSensitiveNestedBlockDiff(name, old, new, indent, blankBefore, path)
return 0
Expand Down Expand Up @@ -1025,7 +1029,7 @@ func (p *blockBodyDiffPrinter) writeNestedBlockDiff(name string, label *string,
func (p *blockBodyDiffPrinter) writeValue(val cty.Value, action plans.Action, indent int) {
// Could check specifically for the sensitivity marker
if val.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)")
p.buf.WriteString(sensitiveCaption)
return
}

Expand Down Expand Up @@ -1193,7 +1197,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
// values are known and non-null.
if old.IsKnown() && new.IsKnown() && !old.IsNull() && !new.IsNull() && typesEqual {
if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)")
p.buf.WriteString(sensitiveCaption)
if p.pathForcesNewResource(path) {
p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
}
Expand Down Expand Up @@ -1564,7 +1568,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
case plans.Create, plans.NoOp:
v := new.Index(kV)
if v.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)")
p.buf.WriteString(sensitiveCaption)
} else {
p.writeValue(v, action, indent+4)
}
Expand All @@ -1574,7 +1578,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
p.writeValueDiff(oldV, newV, indent+4, path)
default:
if oldV.HasMark(marks.Sensitive) || newV.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)")
p.buf.WriteString(sensitiveCaption)
} else {
p.writeValueDiff(oldV, newV, indent+4, path)
}
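Review bot: The new `sensitiveCaption` constant in the `const (` block has no comment, although it is the redaction placeholder that every sensitive branch in this file now writes instead of the value. A comment such as `// sensitiveCaption is written in place of any value that is sensitive by schema or by mark; internal/repl prints the same text.` would tell the next editor that the string is user-visible output pinned by the tests and docs in this commit. In `writeValue`, the existing comment `// Could check specifically for the sensitivity marker` reads as a TODO even though the next line already calls `val.HasMark(marks.Sensitive)`; it could become `// Sensitive values are never rendered; write the placeholder instead.` The functions touched here all start and end outside the visible hunks.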
74 changes: 37 additions & 37 deletions internal/command/format/diff_test.go
Expand Up @@ -411,11 +411,11 @@ new line
ExpectedOutput: ` # test_instance.example will be created
+ resource "test_instance" "example" {
+ conn_info = {
+ password = (sensitive)
+ password = (sensitive value)
+ user = "not-secret"
}
+ id = (known after apply)
+ password = (sensitive)
+ password = (sensitive value)
}
`,
},
Expand Down Expand Up @@ -3389,7 +3389,7 @@ func TestResourceChange_nestedSet(t *testing.T) {
ExpectedOutput: ` # test_instance.example will be created
+ resource "test_instance" "example" {
+ ami = "ami-AFTER"
+ disks = (sensitive)
+ disks = (sensitive value)
+ id = "i-02ae66f368e8518a9"
+ root_block_device {
Expand Down Expand Up @@ -3487,7 +3487,7 @@ func TestResourceChange_nestedSet(t *testing.T) {
~ ami = "ami-BEFORE" -> "ami-AFTER"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change.
~ disks = (sensitive)
~ disks = (sensitive value)
id = "i-02ae66f368e8518a9"
+ root_block_device {
Expand Down Expand Up @@ -3538,7 +3538,7 @@ func TestResourceChange_nestedSet(t *testing.T) {
~ ami = "ami-BEFORE" -> "ami-AFTER"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ disks = (sensitive)
~ disks = (sensitive value)
id = "i-02ae66f368e8518a9"
}
`,
Expand Down Expand Up @@ -4306,7 +4306,7 @@ func TestResourceChange_nestedMap(t *testing.T) {
~ ami = "ami-BEFORE" -> "ami-AFTER"
~ disks = {
+ "disk_a" = {
+ mount_point = (sensitive)
+ mount_point = (sensitive value)
+ size = "50GB"
},
}
Expand Down Expand Up @@ -5728,18 +5728,18 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
},
ExpectedOutput: ` # test_instance.example will be created
+ resource "test_instance" "example" {
+ ami = (sensitive)
+ ami = (sensitive value)
+ id = "i-02ae66f368e8518a9"
+ list_field = [
+ "hello",
+ (sensitive),
+ (sensitive value),
+ "!",
]
+ map_key = {
+ "breakfast" = 800
+ "dinner" = (sensitive)
+ "dinner" = (sensitive value)
}
+ map_whole = (sensitive)
+ map_whole = (sensitive value)
+ nested_block_list {
# At least one attribute in this block is (or was) sensitive,
Expand Down Expand Up @@ -5882,29 +5882,29 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
~ resource "test_instance" "example" {
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change.
~ ami = (sensitive)
~ ami = (sensitive value)
id = "i-02ae66f368e8518a9"
~ list_field = [
# (1 unchanged element hidden)
"friends",
- (sensitive),
- (sensitive value),
+ ".",
]
~ map_key = {
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change.
~ "dinner" = (sensitive)
~ "dinner" = (sensitive value)
# (1 unchanged element hidden)
}
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change.
~ map_whole = (sensitive)
~ map_whole = (sensitive value)
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change.
~ some_number = (sensitive)
~ some_number = (sensitive value)
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change.
~ special = (sensitive)
~ special = (sensitive value)
# Warning: this block will no longer be marked as sensitive
# after applying this change.
Expand Down Expand Up @@ -6007,18 +6007,18 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
id = "i-02ae66f368e8518a9"
~ list_field = [
- "hello",
+ (sensitive),
+ (sensitive value),
"friends",
]
~ map_key = {
~ "breakfast" = 800 -> 700
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change.
~ "dinner" = (sensitive)
~ "dinner" = (sensitive value)
}
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change.
~ map_whole = (sensitive)
~ map_whole = (sensitive value)
# Warning: this block will be marked as sensitive and will not
# display in UI output after applying this change.
Expand Down Expand Up @@ -6143,15 +6143,15 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
~ ami = (sensitive value)
id = "i-02ae66f368e8518a9"
~ list_field = [
- (sensitive),
+ (sensitive),
- (sensitive value),
+ (sensitive value),
"friends",
]
~ map_key = {
~ "dinner" = (sensitive)
~ "dinner" = (sensitive value)
# (1 unchanged element hidden)
}
~ map_whole = (sensitive)
~ map_whole = (sensitive value)
~ nested_block_map {
# At least one attribute in this block is (or was) sensitive,
Expand Down Expand Up @@ -6289,29 +6289,29 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
~ resource "test_instance" "example" {
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged.
~ ami = (sensitive)
~ ami = (sensitive value)
id = "i-02ae66f368e8518a9"
~ list_field = [
# (1 unchanged element hidden)
"friends",
- (sensitive),
- (sensitive value),
+ "!",
]
~ map_key = {
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged.
~ "dinner" = (sensitive)
~ "dinner" = (sensitive value)
# (1 unchanged element hidden)
}
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged.
~ map_whole = (sensitive)
~ map_whole = (sensitive value)
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged.
~ some_number = (sensitive)
~ some_number = (sensitive value)
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged.
~ special = (sensitive)
~ special = (sensitive value)
# Warning: this block will no longer be marked as sensitive
# after applying this change.
Expand Down Expand Up @@ -6410,17 +6410,17 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
},
ExpectedOutput: ` # test_instance.example will be destroyed
- resource "test_instance" "example" {
- ami = (sensitive) -> null
- ami = (sensitive value) -> null
- id = "i-02ae66f368e8518a9" -> null
- list_field = [
- "hello",
- (sensitive),
- (sensitive value),
] -> null
- map_key = {
- "breakfast" = 800
- "dinner" = (sensitive)
- "dinner" = (sensitive value)
} -> null
- map_whole = (sensitive) -> null
- map_whole = (sensitive value) -> null
- nested_block_set {
# At least one attribute in this block is (or was) sensitive,
Expand Down Expand Up @@ -6492,7 +6492,7 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
),
ExpectedOutput: ` # test_instance.example must be replaced
-/+ resource "test_instance" "example" {
~ ami = (sensitive) # forces replacement
~ ami = (sensitive value) # forces replacement
id = "i-02ae66f368e8518a9"
~ nested_block_set { # forces replacement
Expand Down Expand Up @@ -6524,7 +6524,7 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
),
ExpectedOutput: ` # test_instance.example must be replaced
-/+ resource "test_instance" "example" {
~ ami = (sensitive) # forces replacement
~ ami = (sensitive value) # forces replacement
id = "i-02ae66f368e8518a9"
}
`,
Expand Down Expand Up @@ -6567,7 +6567,7 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
ExpectedOutput: ` # test_instance.example must be replaced
-/+ resource "test_instance" "example" {
~ conn_info = { # forces replacement
~ password = (sensitive)
~ password = (sensitive value)
# (1 unchanged attribute hidden)
}
id = "i-02ae66f368e8518a9"
Expand Down Expand Up @@ -6824,7 +6824,7 @@ func TestOutputChanges(t *testing.T) {
},
`
~ a = 1 -> 2
~ b = (sensitive)
~ b = (sensitive value)
~ c = false -> true`,
},
}
2 changes: 1 addition & 1 deletion internal/repl/format.go
Expand Up @@ -18,7 +18,7 @@ func FormatValue(v cty.Value, indent int) string {
return "(known after apply)"
}
if v.HasMark(marks.Sensitive) {
return "(sensitive)"
return "(sensitive value)"
}
if v.IsNull() {
ty := v.Type()
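Review bot: The literal `"(sensitive value)"` returned from the `v.HasMark(marks.Sensitive)` branch duplicates `sensitiveCaption` from internal/command/format/diff.go, so the two renderers can drift apart again in the way the commit message describes. Defining the placeholder once in a package both files already import would make plan and console output agree by construction; both reference `marks.Sensitive`, so that package may be a suitable home, though this needs checking against the import graph. If sharing is not practical, a comment here such as `// Keep in sync with sensitiveCaption in internal/command/format.` records the coupling. FormatValue continues past the end of this hunk.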
4 changes: 2 additions & 2 deletions internal/repl/format_test.go
Expand Up @@ -171,8 +171,8 @@ EOT_`,
`toset([])`,
},
{
cty.StringVal("sensitive value").Mark(marks.Sensitive),
"(sensitive)",
cty.StringVal("a sensitive value").Mark(marks.Sensitive),
"(sensitive value)",
},
}

4 changes: 2 additions & 2 deletions website/docs/language/expressions/function-calls.mdx
Expand Up @@ -63,11 +63,11 @@ the `keys()` function will result in a list that is sensitive:
```shell
> local.baz
{
"a" = (sensitive)
"a" = (sensitive value)
"b" = "dog"
}
> keys(local.baz)
(sensitive)
(sensitive value)
```

## When Terraform Calls Functions
2 changes: 1 addition & 1 deletion website/docs/language/expressions/references.mdx
Expand Up @@ -292,7 +292,7 @@ Note that unlike `count`, splat expressions are _not_ directly applicable to res

When defining the schema for a resource type, a provider developer can mark
certain attributes as _sensitive_, in which case Terraform will show a
placeholder marker `(sensitive)` instead of the actual value when rendering
placeholder marker `(sensitive value)` instead of the actual value when rendering
a plan involving that attribute.

A provider attribute marked as sensitive behaves similarly to an
6 changes: 3 additions & 3 deletions website/docs/language/functions/nonsensitive.mdx
Expand Up @@ -91,11 +91,11 @@ the local value `mixed_content`, with a valid JSON string assigned to

```
> var.mixed_content_json
(sensitive)
(sensitive value)
> local.mixed_content
(sensitive)
(sensitive value)
> local.mixed_content["password"]
(sensitive)
(sensitive value)
> nonsensitive(local.mixed_content["username"])
"zqb"
> nonsensitive("clear")
