config/configschema: Sensitive flag for attributes

We don't currently have any need for this information, but we're propagating it out of helper/schema here pre-emptively so that once we later have a use for it we will not need to rebuild the providers to gain access to it. The long-term expected use-case for this is to have Terraform Core use static analysis techniques to trace the path of sensitive data through interpolations so that intermediate results can be flagged as sensitive too, but we have a lot more work to do before such a thing would actually be possible.
2017-10-04 11:38:04 -07:00 · 2017-10-04 11:38:04 -07:00 · b91bd62747
parent 69650b0bbc
commit b91bd62747
3 changed files with 33 additions and 4 deletions
--- a/config/configschema/schema.go
+++ b/config/configschema/schema.go
@ -40,6 +40,15 @@ type Attribute struct {
 	// provider rather than from configuration. If combined with Optional,
 	// then the config may optionally provide an overridden value.
 	Computed bool
+
+	// Sensitive, if set to true, indicates that an attribute may contain
+	// sensitive information.
+	//
+	// At present nothing is done with this information, but callers are
+	// encouraged to set it where appropriate so that it may be used in the
+	// future to help Terraform mask sensitive information. (Terraform
+	// currently achieves this in a limited sense via other mechanisms.)
+	Sensitive bool
 }

 // NestedBlock represents the embedding of one block within another.
--- a/helper/schema/core_schema.go
+++ b/helper/schema/core_schema.go
@ -56,10 +56,11 @@ func (m schemaMap) CoreConfigSchema() *configschema.Block {
 // whose elem is a whole resource.
 func (s *Schema) coreConfigSchemaAttribute() *configschema.Attribute {
 	return &configschema.Attribute{
-		Type:     s.coreConfigSchemaType(),
-		Optional: s.Optional,
-		Required: s.Required,
-		Computed: s.Computed,
+		Type:      s.coreConfigSchemaType(),
+		Optional:  s.Optional,
+		Required:  s.Required,
+		Computed:  s.Computed,
+		Sensitive: s.Sensitive,
 	}
 }

--- a/helper/schema/core_schema_test.go
+++ b/helper/schema/core_schema_test.go
@ -215,6 +215,25 @@ func TestSchemaMapCoreConfigSchema(t *testing.T) {
 				},
 			},
 		},
+		"sensitive": {
+			map[string]*Schema{
+				"string": {
+					Type:      TypeString,
+					Optional:  true,
+					Sensitive: true,
+				},
+			},
+			&configschema.Block{
+				Attributes: map[string]*configschema.Attribute{
+					"string": {
+						Type:      cty.String,
+						Optional:  true,
+						Sensitive: true,
+					},
+				},
+				BlockTypes: map[string]*configschema.NestedBlock{},
+			},
+		},
 	}

 	for name, test := range tests {