command/jsonplan: Add output change sensitivity

When an output value changes, we have a small amount of information we
can convey about its sensitivity. If either the output was previously
marked sensitive, or is currently marked sensitive in the config, this
is tracked in the output change data.

This commit encodes this boolean in the change struct's
`before_sensitive` and `after_sensitive` fields, in the a way which
matches resource value sensitivity. Since we have so little information
to work with, these two values will always be booleans, and always equal
each.

This is logically consistent with how else we want to obscure sensitive
data: a changing output which was or is marked sensitive should not have
the value shown in human-readable output.
This commit is contained in:
Alisdair McDiarmid 2021-03-26 19:21:40 -04:00
parent 63613ca1b0
commit 5e30d58dc2
9 changed files with 43 additions and 12 deletions

View File

@ -324,13 +324,28 @@ func (p *plan) marshalOutputChanges(changes *plans.Changes) error {
}
}
// The only information we have in the plan about output sensitivity is
// a boolean which is true if the output was or is marked sensitive. As
// a result, BeforeSensitive and AfterSensitive will be identical, and
// either false or true.
outputSensitive := cty.False
if oc.Sensitive {
outputSensitive = cty.True
}
sensitive, err := ctyjson.Marshal(outputSensitive, outputSensitive.Type())
if err != nil {
return err
}
a, _ := ctyjson.Marshal(afterUnknown, afterUnknown.Type())
c := change{
Actions: actionString(oc.Action.String()),
Before: json.RawMessage(before),
After: json.RawMessage(after),
AfterUnknown: a,
Actions: actionString(oc.Action.String()),
Before: json.RawMessage(before),
After: json.RawMessage(after),
AfterUnknown: a,
BeforeSensitive: json.RawMessage(sensitive),
AfterSensitive: json.RawMessage(sensitive),
}
p.OutputChanges[oc.Addr.OutputValue.Name] = c

View File

@ -140,7 +140,9 @@
],
"before": null,
"after": "bar",
"after_unknown": false
"after_unknown": false,
"before_sensitive": false,
"after_sensitive": false
}
},
"configuration": {

View File

@ -81,7 +81,9 @@
],
"before": null,
"after": "bar",
"after_unknown": false
"after_unknown": false,
"before_sensitive": false,
"after_sensitive": false
}
},
"prior_state": {

View File

@ -61,7 +61,9 @@
],
"before": "bar",
"after": "bar",
"after_unknown": false
"after_unknown": false,
"before_sensitive": false,
"after_sensitive": false
}
},
"prior_state": {

View File

@ -181,7 +181,9 @@
],
"before": null,
"after": "baz",
"after_unknown": false
"after_unknown": false,
"before_sensitive": false,
"after_sensitive": false
}
},
"configuration": {

View File

@ -98,7 +98,9 @@
],
"before": "bar",
"after": "bar",
"after_unknown": false
"after_unknown": false,
"before_sensitive": false,
"after_sensitive": false
}
},
"prior_state": {

View File

@ -140,7 +140,9 @@
],
"before": null,
"after": "bar",
"after_unknown": false
"after_unknown": false,
"before_sensitive": false,
"after_sensitive": false
}
},
"configuration": {

View File

@ -140,7 +140,9 @@
],
"before": null,
"after": "bar",
"after_unknown": false
"after_unknown": false,
"before_sensitive": false,
"after_sensitive": false
}
},
"configuration": {

View File

@ -60,7 +60,9 @@
],
"before": null,
"after": "boop",
"after_unknown": false
"after_unknown": false,
"before_sensitive": true,
"after_sensitive": true
}
},
"prior_state": {