From 5e30d58dc2d06a6b55354dba5cf84b0d85c14d24 Mon Sep 17 00:00:00 2001
From: Alisdair McDiarmid
Date: Fri, 26 Mar 2021 19:21:40 -0400
Subject: [PATCH] command/jsonplan: Add output change sensitivity
When an output value changes, we have a small amount of information we can convey about its sensitivity. If either the output was previously marked sensitive, or is currently marked sensitive in the config, this is tracked in the output change data. This commit encodes this boolean in the change struct's `before_sensitive` and `after_sensitive` fields, in the a way which matches resource value sensitivity. Since we have so little information to work with, these two values will always be booleans, and always equal each. This is logically consistent with how else we want to obscure sensitive data: a changing output which was or is marked sensitive should not have the value shown in human-readable output.
---
 command/jsonplan/plan.go | 23 +++++++++++++++----
 .../show-json/basic-create/output.json | 4 +++-
 .../show-json/basic-delete/output.json | 4 +++-
 .../show-json/basic-update/output.json | 4 +++-
 .../testdata/show-json/modules/output.json | 4 +++-
 .../multi-resource-update/output.json | 4 +++-
 .../provider-version-no-config/output.json | 4 +++-
 .../show-json/provider-version/output.json | 4 +++-
 .../show-json/sensitive-values/output.json | 4 +++-
 9 files changed, 43 insertions(+), 12 deletions(-)
diff --git a/command/jsonplan/plan.go b/command/jsonplan/plan.go
index 07d7f46b9..5a828ccce 100644
--- a/command/jsonplan/plan.go
+++ b/command/jsonplan/plan.go
@@ -324,13 +324,28 @@ func (p *plan) marshalOutputChanges(changes *plans.Changes) error {
 }
 }
+ // The only information we have in the plan about output sensitivity is
+ // a boolean which is true if the output was or is marked sensitive. As
+ // a result, BeforeSensitive and AfterSensitive will be identical, and
+ // either false or true.
+ outputSensitive := cty.False
+ if oc.Sensitive {
+ outputSensitive = cty.True
+ }
+ sensitive, err := ctyjson.Marshal(outputSensitive, outputSensitive.Type())
+ if err != nil {
+ return err
+ }
+
 a, _ := ctyjson.Marshal(afterUnknown, afterUnknown.Type())
 c := change{
- Actions: actionString(oc.Action.String()),
- Before: json.RawMessage(before),
- After: json.RawMessage(after),
- AfterUnknown: a,
+ Actions: actionString(oc.Action.String()),
+ Before: json.RawMessage(before),
+ After: json.RawMessage(after),
+ AfterUnknown: a,
+ BeforeSensitive: json.RawMessage(sensitive),
+ AfterSensitive: json.RawMessage(sensitive),
 }
 p.OutputChanges[oc.Addr.OutputValue.Name] = c
diff --git a/command/testdata/show-json/basic-create/output.json b/command/testdata/show-json/basic-create/output.json
index 01a26d09b..017054bcc 100644
--- a/command/testdata/show-json/basic-create/output.json
+++ b/command/testdata/show-json/basic-create/output.json
@@ -140,7 +140,9 @@
 ],
 "before": null,
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "configuration": {
diff --git a/command/testdata/show-json/basic-delete/output.json b/command/testdata/show-json/basic-delete/output.json
index f9efd426f..6b29d785f 100644
--- a/command/testdata/show-json/basic-delete/output.json
+++ b/command/testdata/show-json/basic-delete/output.json
@@ -81,7 +81,9 @@
 ],
 "before": null,
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "prior_state": {
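Review bot: The new `BeforeSensitive`/`AfterSensitive` fields only flag the change; `Before` and `After` are still filled from `json.RawMessage(before)` and `json.RawMessage(after)`, and the sensitive-values fixture in this patch shows `"after": "boop"` next to `"after_sensitive": true`. The comment above `outputSensitive` should state this, for example `// Before and After are not redacted here; consumers must mask them when these flags are true.`, so that nobody treats the flags as a sign that the JSON plan is safe to log or publish. Because `oc.Sensitive` is a single boolean, `before_sensitive` is also true on a create where `before` is null, which the comment could note for consumers. marshalOutputChanges starts and ends outside this hunk, so how `before` and `after` are produced is not visible here.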
diff --git a/command/testdata/show-json/basic-update/output.json b/command/testdata/show-json/basic-update/output.json
index 8a2f4de6f..a6779801f 100644
--- a/command/testdata/show-json/basic-update/output.json
+++ b/command/testdata/show-json/basic-update/output.json
@@ -61,7 +61,9 @@
 ],
 "before": "bar",
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "prior_state": {
diff --git a/command/testdata/show-json/modules/output.json b/command/testdata/show-json/modules/output.json
index b78a9d1ab..445f269c2 100644
--- a/command/testdata/show-json/modules/output.json
+++ b/command/testdata/show-json/modules/output.json
@@ -181,7 +181,9 @@
 ],
 "before": null,
 "after": "baz",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "configuration": {
diff --git a/command/testdata/show-json/multi-resource-update/output.json b/command/testdata/show-json/multi-resource-update/output.json
index a0418499f..564a4d713 100644
--- a/command/testdata/show-json/multi-resource-update/output.json
+++ b/command/testdata/show-json/multi-resource-update/output.json
@@ -98,7 +98,9 @@
 ],
 "before": "bar",
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "prior_state": {
diff --git a/command/testdata/show-json/provider-version-no-config/output.json b/command/testdata/show-json/provider-version-no-config/output.json
index 616376331..7e0b841f8 100644
--- a/command/testdata/show-json/provider-version-no-config/output.json
+++ b/command/testdata/show-json/provider-version-no-config/output.json
@@ -140,7 +140,9 @@
 ],
 "before": null,
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "configuration": {
diff --git a/command/testdata/show-json/provider-version/output.json b/command/testdata/show-json/provider-version/output.json
index df1540e31..eef936ec3 100644
--- a/command/testdata/show-json/provider-version/output.json
+++ b/command/testdata/show-json/provider-version/output.json
@@ -140,7 +140,9 @@
 ],
 "before": null,
 "after": "bar",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": false,
+ "after_sensitive": false
 }
 },
 "configuration": {
diff --git a/command/testdata/show-json/sensitive-values/output.json b/command/testdata/show-json/sensitive-values/output.json
index b694fee75..51105382a 100644
--- a/command/testdata/show-json/sensitive-values/output.json
+++ b/command/testdata/show-json/sensitive-values/output.json
@@ -60,7 +60,9 @@
 ],
 "before": null,
 "after": "boop",
- "after_unknown": false
+ "after_unknown": false,
+ "before_sensitive": true,
+ "after_sensitive": true
 }
 },
 "prior_state": {