command/jsonplan: Add output change sensitivity

When an output value changes, we have a small amount of information we can convey about its sensitivity. If either the output was previously marked sensitive, or is currently marked sensitive in the config, this is tracked in the output change data. This commit encodes this boolean in the change struct's `before_sensitive` and `after_sensitive` fields, in the a way which matches resource value sensitivity. Since we have so little information to work with, these two values will always be booleans, and always equal each. This is logically consistent with how else we want to obscure sensitive data: a changing output which was or is marked sensitive should not have the value shown in human-readable output.
hashicorp · Mar 26, 2021 · 5e30d58 · 5e30d58
1 parent 63613ca
commit 5e30d58
Show file tree

Hide file tree

Showing 9 changed files with 43 additions and 12 deletions.
diff --git a/command/jsonplan/plan.go b/command/jsonplan/plan.go
@@ -324,13 +324,28 @@ func (p *plan) marshalOutputChanges(changes *plans.Changes) error {
 			}
 		}
 
+		// The only information we have in the plan about output sensitivity is
+		// a boolean which is true if the output was or is marked sensitive. As
+		// a result, BeforeSensitive and AfterSensitive will be identical, and
+		// either false or true.
+		outputSensitive := cty.False
+		if oc.Sensitive {
+			outputSensitive = cty.True
+		}
+		sensitive, err := ctyjson.Marshal(outputSensitive, outputSensitive.Type())
+		if err != nil {
+			return err
+		}
+
 		a, _ := ctyjson.Marshal(afterUnknown, afterUnknown.Type())
 
 		c := change{
-			Actions:      actionString(oc.Action.String()),
-			Before:       json.RawMessage(before),
-			After:        json.RawMessage(after),
-			AfterUnknown: a,
+			Actions:         actionString(oc.Action.String()),
+			Before:          json.RawMessage(before),
+			After:           json.RawMessage(after),
+			AfterUnknown:    a,
+			BeforeSensitive: json.RawMessage(sensitive),
+			AfterSensitive:  json.RawMessage(sensitive),
 		}
 
 		p.OutputChanges[oc.Addr.OutputValue.Name] = c

diff --git a/command/testdata/show-json/basic-create/output.json b/command/testdata/show-json/basic-create/output.json
@@ -140,7 +140,9 @@
             ],
             "before": null,
             "after": "bar",
-            "after_unknown": false
+            "after_unknown": false,
+            "before_sensitive": false,
+            "after_sensitive": false
         }
     },
     "configuration": {

diff --git a/command/testdata/show-json/basic-delete/output.json b/command/testdata/show-json/basic-delete/output.json
@@ -81,7 +81,9 @@
             ],
             "before": null,
             "after": "bar",
-            "after_unknown": false
+            "after_unknown": false,
+            "before_sensitive": false,
+            "after_sensitive": false
         }
     },
     "prior_state": {

diff --git a/command/testdata/show-json/basic-update/output.json b/command/testdata/show-json/basic-update/output.json
@@ -61,7 +61,9 @@
             ],
             "before": "bar",
             "after": "bar",
-            "after_unknown": false
+            "after_unknown": false,
+            "before_sensitive": false,
+            "after_sensitive": false
         }
     },
     "prior_state": {

diff --git a/command/testdata/show-json/modules/output.json b/command/testdata/show-json/modules/output.json
@@ -181,7 +181,9 @@
             ],
             "before": null,
             "after": "baz",
-            "after_unknown": false
+            "after_unknown": false,
+            "before_sensitive": false,
+            "after_sensitive": false
         }
     },
     "configuration": {

diff --git a/command/testdata/show-json/multi-resource-update/output.json b/command/testdata/show-json/multi-resource-update/output.json
@@ -98,7 +98,9 @@
             ],
             "before": "bar",
             "after": "bar",
-            "after_unknown": false
+            "after_unknown": false,
+            "before_sensitive": false,
+            "after_sensitive": false
         }
     },
     "prior_state": {

diff --git a/command/testdata/show-json/provider-version-no-config/output.json b/command/testdata/show-json/provider-version-no-config/output.json
@@ -140,7 +140,9 @@
             ],
             "before": null,
             "after": "bar",
-            "after_unknown": false
+            "after_unknown": false,
+            "before_sensitive": false,
+            "after_sensitive": false
         }
     },
     "configuration": {

diff --git a/command/testdata/show-json/provider-version/output.json b/command/testdata/show-json/provider-version/output.json
@@ -140,7 +140,9 @@
             ],
             "before": null,
             "after": "bar",
-            "after_unknown": false
+            "after_unknown": false,
+            "before_sensitive": false,
+            "after_sensitive": false
         }
     },
     "configuration": {

diff --git a/command/testdata/show-json/sensitive-values/output.json b/command/testdata/show-json/sensitive-values/output.json
@@ -60,7 +60,9 @@
             ],
             "before": null,
             "after": "boop",
-            "after_unknown": false
+            "after_unknown": false,
+            "before_sensitive": true,
+            "after_sensitive": true
         }
     },
     "prior_state": {