core: Adding Sensitive attribute to resource schema

This an effort to address hashicorp/terraform#516.

Adding the Sensitive attribute to the resource schema, opening up the
ability for resource maintainers to mark some fields as sensitive.
Sensitive fields are hidden in the output, and, possibly in the future,
could be encrypted.
This commit is contained in:
Chris Marchesi 2016-05-27 17:00:59 -07:00
parent fcc3736e6b
commit 9d7fb89114
6 changed files with 60 additions and 15 deletions

View File

@ -46,6 +46,7 @@ func resourceAwsDbInstance() *schema.Resource {
"password": &schema.Schema{ "password": &schema.Schema{
Type: schema.TypeString, Type: schema.TypeString,
Optional: true, Optional: true,
Sensitive: true,
}, },
"engine": &schema.Schema{ "engine": &schema.Schema{

View File

@ -147,26 +147,38 @@ func formatPlanModuleExpand(
v = "<computed>" v = "<computed>"
} }
newResource := "" if attrDiff.Sensitive {
v = "<sensitive>"
}
updateMsg := ""
if attrDiff.RequiresNew && rdiff.Destroy { if attrDiff.RequiresNew && rdiff.Destroy {
newResource = opts.Color.Color(" [red](forces new resource)") updateMsg = opts.Color.Color(" [red](forces new resource)")
} else if attrDiff.Sensitive && oldValues {
updateMsg = opts.Color.Color(" [yellow](attribute changed)")
} }
if oldValues { if oldValues {
var u string
if attrDiff.Sensitive {
u = "<sensitive>"
} else {
u = attrDiff.Old
}
buf.WriteString(fmt.Sprintf( buf.WriteString(fmt.Sprintf(
" %s:%s %#v => %#v%s\n", " %s:%s %#v => %#v%s\n",
attrK, attrK,
strings.Repeat(" ", keyLen-len(attrK)), strings.Repeat(" ", keyLen-len(attrK)),
attrDiff.Old, u,
v, v,
newResource)) updateMsg))
} else { } else {
buf.WriteString(fmt.Sprintf( buf.WriteString(fmt.Sprintf(
" %s:%s %#v%s\n", " %s:%s %#v%s\n",
attrK, attrK,
strings.Repeat(" ", keyLen-len(attrK)), strings.Repeat(" ", keyLen-len(attrK)),
v, v,
newResource)) updateMsg))
} }
} }

View File

@ -103,15 +103,21 @@ func (h *UiHook) PreApply(
attrDiff := d.Attributes[attrK] attrDiff := d.Attributes[attrK]
v := attrDiff.New v := attrDiff.New
u := attrDiff.Old
if attrDiff.NewComputed { if attrDiff.NewComputed {
v = "<computed>" v = "<computed>"
} }
if attrDiff.Sensitive {
u = "<sensitive>"
v = "<sensitive>"
}
attrBuf.WriteString(fmt.Sprintf( attrBuf.WriteString(fmt.Sprintf(
" %s:%s %#v => %#v\n", " %s:%s %#v => %#v\n",
attrK, attrK,
strings.Repeat(" ", keyLen-len(attrK)), strings.Repeat(" ", keyLen-len(attrK)),
attrDiff.Old, u,
v)) v))
} }

View File

@ -147,6 +147,12 @@ type Schema struct {
// //
// ValidateFunc currently only works for primitive types. // ValidateFunc currently only works for primitive types.
ValidateFunc SchemaValidateFunc ValidateFunc SchemaValidateFunc
// Sensitive ensures that the attribute's value does not get displayed in
// logs or regular output. It should be used for passwords or other
// secret fields. Futrure versions of Terraform may encrypt these
// values.
Sensitive bool
} }
// SchemaDefaultFunc is a function called to return a default value for // SchemaDefaultFunc is a function called to return a default value for
@ -281,6 +287,11 @@ func (s *Schema) finalizeDiff(
d.RequiresNew = true d.RequiresNew = true
} }
if s.Sensitive {
// Set the Sensitive flag so output is hidden in the UI
d.Sensitive = true
}
return d return d
} }

View File

@ -247,22 +247,30 @@ func (d *ModuleDiff) String() string {
attrDiff := rdiff.Attributes[attrK] attrDiff := rdiff.Attributes[attrK]
v := attrDiff.New v := attrDiff.New
u := attrDiff.Old
if attrDiff.NewComputed { if attrDiff.NewComputed {
v = "<computed>" v = "<computed>"
} }
newResource := "" if attrDiff.Sensitive {
u = "<sensitive>"
v = "<sensitive>"
}
updateMsg := ""
if attrDiff.RequiresNew { if attrDiff.RequiresNew {
newResource = " (forces new resource)" updateMsg = " (forces new resource)"
} else if attrDiff.Sensitive {
updateMsg = " (attribute changed)"
} }
buf.WriteString(fmt.Sprintf( buf.WriteString(fmt.Sprintf(
" %s:%s %#v => %#v%s\n", " %s:%s %#v => %#v%s\n",
attrK, attrK,
strings.Repeat(" ", keyLen-len(attrK)), strings.Repeat(" ", keyLen-len(attrK)),
attrDiff.Old, u,
v, v,
newResource)) updateMsg))
} }
} }
@ -284,6 +292,7 @@ type ResourceAttrDiff struct {
NewRemoved bool // True if this attribute is being removed NewRemoved bool // True if this attribute is being removed
NewExtra interface{} // Extra information for the provider NewExtra interface{} // Extra information for the provider
RequiresNew bool // True if change requires new resource RequiresNew bool // True if change requires new resource
Sensitive bool // True if the data should not be displayed in UI output
Type DiffAttrType Type DiffAttrType
} }

View File

@ -153,6 +153,11 @@ func TestModuleDiff_String(t *testing.T) {
New: "bar", New: "bar",
RequiresNew: true, RequiresNew: true,
}, },
"secretfoo": &ResourceAttrDiff{
Old: "foo",
New: "bar",
Sensitive: true,
},
}, },
}, },
}, },
@ -610,4 +615,5 @@ CREATE: nodeA
bar: "foo" => "<computed>" bar: "foo" => "<computed>"
foo: "foo" => "bar" foo: "foo" => "bar"
longfoo: "foo" => "bar" (forces new resource) longfoo: "foo" => "bar" (forces new resource)
secretfoo: "<sensitive>" => "<sensitive>" (attribute changed)
` `