Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Store all sensitive marks for non-root module outputs in state #32891

Merged
merged 3 commits into from
Mar 21, 2023
Merged

Store all sensitive marks for non-root module outputs in state #32891

merged 3 commits into from
Mar 21, 2023

Conversation

jbardin
Copy link
Member

@jbardin jbardin commented Mar 20, 2023

The outputs from non-root modules which contained nested sensitive values were being treated as entirely sensitive when evaluating them from state during apply. In order to have detailed information about sensitivity from non-root module outputs, we need to store the value along with all sensitive marks. This aligns with the usage of state being the in-memory store for other temporary values like locals and variables. Also like locals and variables, these outputs are not serialized to state storage, so will not be be affected by the inclusion of the marks.

Fixes #32880

@jbardin
store non-root sensitive outputs in state
425c6be 
Module outputs are evaluated from state, so in order to have detailed
information about sensitivity from non-root module outputs, we need to
store the value along with all sensitive marks. This aligns with the
usage of state being the in-memory store for other temporary values like
locals and variables.
@jbardin
remove old comments
d33e627
@jbardin
test that module outputs maintain sensitive marks
defd7f0
@jbardin jbardin added the 1.4-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged label Mar 20, 2023
@jbardin jbardin requested a review from a team March 20, 2023 18:22
@jbardin jbardin merged commit 9504b26 into main Mar 21, 2023
@jbardin jbardin deleted the jbardin/sensitive-mod-outputs branch March 21, 2023 17:59
@github-actions
Copy link

Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.

@teamterraform teamterraform mentioned this pull request Mar 21, 2023
Merged
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@alisdair alisdair alisdair approved these changes

Assignees
No one assigned
Labels
1.4-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Since 1.4 output is flagged as sensitive
2 participants
@jbardin @alisdair