From b91bd6274764ff94c13122f60084a6625bed1fe6 Mon Sep 17 00:00:00 2001
From: Martin Atkins
Date: Wed, 4 Oct 2017 11:38:04 -0700
Subject: [PATCH] config/configschema: Sensitive flag for attributes
We don't currently have any need for this information, but we're propagating it out of helper/schema here pre-emptively so that once we later have a use for it we will not need to rebuild the providers to gain access to it. The long-term expected use-case for this is to have Terraform Core use static analysis techniques to trace the path of sensitive data through interpolations so that intermediate results can be flagged as sensitive too, but we have a lot more work to do before such a thing would actually be possible.
---
 config/configschema/schema.go | 9 +++++++++
 helper/schema/core_schema.go | 9 +++++----
 helper/schema/core_schema_test.go | 19 +++++++++++++++++++
 3 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/config/configschema/schema.go b/config/configschema/schema.go
index edddcdf81..9a8ee550a 100644
--- a/config/configschema/schema.go
+++ b/config/configschema/schema.go
@@ -40,6 +40,15 @@ type Attribute struct {
 // provider rather than from configuration. If combined with Optional,
 // then the config may optionally provide an overridden value.
 Computed bool
+
+ // Sensitive, if set to true, indicates that an attribute may contain
+ // sensitive information.
+ //
+ // At present nothing is done with this information, but callers are
+ // encouraged to set it where appropriate so that it may be used in the
+ // future to help Terraform mask sensitive information. (Terraform
+ // currently achieves this in a limited sense via other mechanisms.)
+ Sensitive bool
 }
 
 // NestedBlock represents the embedding of one block within another.
diff --git a/helper/schema/core_schema.go b/helper/schema/core_schema.go
index b5f41dd22..c1c7d8e51 100644
--- a/helper/schema/core_schema.go
+++ b/helper/schema/core_schema.go
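Review bot: The new field comment on `Sensitive` in schema.go says nothing is done with the flag yet, but then points to unnamed "other mechanisms", so a reader of configschema cannot tell what protection, if any, a value marked `Sensitive: true` actually receives. I would state the contract plainly, for example `// Setting Sensitive does not itself redact or protect the value; consumers must not rely on it for masking.`, and name the existing mechanism the parenthesis refers to. The `Attribute` struct starts outside the hunk.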
@@ -56,10 +56,11 @@ func (m schemaMap) CoreConfigSchema() *configschema.Block {
 // whose elem is a whole resource.
 func (s *Schema) coreConfigSchemaAttribute() *configschema.Attribute {
 return &configschema.Attribute{
- Type: s.coreConfigSchemaType(),
- Optional: s.Optional,
- Required: s.Required,
- Computed: s.Computed,
+ Type: s.coreConfigSchemaType(),
+ Optional: s.Optional,
+ Required: s.Required,
+ Computed: s.Computed,
+ Sensitive: s.Sensitive,
 }
 }
 
diff --git a/helper/schema/core_schema_test.go b/helper/schema/core_schema_test.go
index 097bab360..63e76c988 100644
--- a/helper/schema/core_schema_test.go
+++ b/helper/schema/core_schema_test.go
@@ -215,6 +215,25 @@ func TestSchemaMapCoreConfigSchema(t *testing.T) {
 },
 },
 },
+ "sensitive": {
+ map[string]*Schema{
+ "string": {
+ Type: TypeString,
+ Optional: true,
+ Sensitive: true,
+ },
+ },
+ &configschema.Block{
+ Attributes: map[string]*configschema.Attribute{
+ "string": {
+ Type: cty.String,
+ Optional: true,
+ Sensitive: true,
+ },
+ },
+ BlockTypes: map[string]*configschema.NestedBlock{},
+ },
+ },
 }
 
 for name, test := range tests {
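Review bot: `Sensitive` is copied only in `coreConfigSchemaAttribute`, whose doc comment (its tail is visible above the hunk) says it does not apply to schemas whose elem is a whole resource; those presumably go through a separate nested-block conversion, and nothing in this patch adds a counterpart on `configschema.NestedBlock`. If that is so, a `Sensitive: true` schema with a resource Elem loses the flag on conversion, and any later data-flow masking built on it would miss those values. Either document on the field that it is attribute-only, e.g. `// Sensitive is not propagated for nested blocks.`, or add a case to the table in core_schema_test.go that pins what happens for a sensitive nested block; the new "sensitive" case covers only a plain string attribute. The function's doc comment begins outside the hunk.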