Removes hashing from GitHub OAuthToken and marks configuration se…

…nsitive
hashicorp · Jul 30, 2020 · 9153409 · 9153409
1 parent 4782313
commit 9153409
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 36 deletions.
diff --git a/aws/resource_aws_codepipeline.go b/aws/resource_aws_codepipeline.go
@@ -1,12 +1,9 @@
 package aws
 
 import (
-	"crypto/sha256"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"log"
-	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/codepipeline"
@@ -109,10 +106,11 @@ func resourceAwsCodePipeline() *schema.Resource {
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"configuration": {
-										Type:             schema.TypeMap,
-										Optional:         true,
-										Elem:             &schema.Schema{Type: schema.TypeString},
-										DiffSuppressFunc: suppressCodePipelineStageActionConfiguration,
+										Type:     schema.TypeMap,
+										Optional: true,
+										// Some configuration types can contain sensitive values, such as a GitHub OAuthToken
+										Sensitive: true,
+										Elem:      &schema.Schema{Type: schema.TypeString},
 									},
 									"category": {
 										Type:     schema.TypeString,
@@ -425,8 +423,7 @@ func flattenAwsCodePipelineStageActions(si int, actions []*codepipeline.ActionDe
 				if _, ok := config[CodePipelineGitHubActionConfigurationOAuthToken]; ok {
 					// The AWS API returns "****" for the OAuthToken value. Pull the value from the configuration.
 					addr := fmt.Sprintf("stage.%d.action.%d.configuration.OAuthToken", si, ai)
-					hash := hashCodePipelineGitHubToken(d.Get(addr).(string))
-					config[CodePipelineGitHubActionConfigurationOAuthToken] = hash
+					config[CodePipelineGitHubActionConfigurationOAuthToken] = d.Get(addr).(string)
 				}
 			}
 
@@ -619,28 +616,3 @@ func resourceAwsCodePipelineDelete(d *schema.ResourceData, meta interface{}) err
 
 	return err
 }
-
-func suppressCodePipelineStageActionConfiguration(k, old, new string, d *schema.ResourceData) bool {
-	parts := strings.Split(k, ".")
-	parts = parts[:len(parts)-2]
-	providerAddr := strings.Join(append(parts, "provider"), ".")
-	provider := d.Get(providerAddr).(string)
-
-	if provider == CodePipelineProviderGitHub && strings.HasSuffix(k, CodePipelineGitHubActionConfigurationOAuthToken) {
-		hash := hashCodePipelineGitHubToken(new)
-		return old == hash
-	}
-
-	return false
-}
-
-const codePipelineGitHubTokenHashPrefix = "hash-"
-
-func hashCodePipelineGitHubToken(token string) string {
-	// Without this check, the value was getting encoded twice
-	if strings.HasPrefix(token, codePipelineGitHubTokenHashPrefix) {
-		return token
-	}
-	sum := sha256.Sum256([]byte(token))
-	return codePipelineGitHubTokenHashPrefix + hex.EncodeToString(sum[:])
-}
diff --git a/aws/resource_aws_codepipeline_test.go b/aws/resource_aws_codepipeline_test.go
@@ -53,7 +53,7 @@ func TestAccAWSCodePipeline_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.Owner", "lifesum-terraform"),
 					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.Repo", "test"),
 					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.Branch", "master"),
-					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.OAuthToken", hashCodePipelineGitHubToken(githubToken)),
+					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.OAuthToken", githubToken),
 					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.role_arn", ""),
 					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.run_order", "1"),
 					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.region", ""),
@@ -101,7 +101,7 @@ func TestAccAWSCodePipeline_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.Owner", "test-terraform"),
 					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.Repo", "test-repo"),
 					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.Branch", "stable"),
-					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.OAuthToken", hashCodePipelineGitHubToken(githubToken)),
+					resource.TestCheckResourceAttr(resourceName, "stage.0.action.0.configuration.OAuthToken", githubToken),
 
 					resource.TestCheckResourceAttr(resourceName, "stage.1.name", "Build"),
 					resource.TestCheckResourceAttr(resourceName, "stage.1.action.#", "1"),