Description
Use Case
If there is sensitive content included in a file (like a password), I don’t want it to be displayed in the log.
Describe the Solution You Would Like
Support for the `Sensitive` type in the content:

```puppet
# Passing a Sensitive value directly as the fragment content
class secret_within_content {
  $secret = Sensitive('mysecret')
  concat { '/tmp/example.conf': }
  concat::fragment { 'secret':
    target  => '/tmp/example.conf',
    content => $secret,
  }
}

# Rendering a Sensitive value through inline_epp; the result is itself Sensitive
class with_inline_epp {
  $secret  = Sensitive('mysecret')
  $content = inline_epp("secret = <%= $s %>", { s => $secret })
  concat { '/tmp/example.conf': }
  concat::fragment { 'secret':
    target  => '/tmp/example.conf',
    content => $content,
  }
}
```
Describe Alternatives You've Considered
The alternative for now is to use `show_diff => false`, which doesn't show any diff at all, but I would like to only remove the data that is sensitive, not the entire diff from the logs.
Additional Context
I've tried adding `Sensitive` in `fragment.pp` on line 47:

```puppet
46   if versioncmp($clientversion, '6.0') >= 0 and versioncmp($_serverversion, '6.0') >= 0 {
47     assert_type(Optional[Variant[String, Deferred, Sensitive]], $content)
48   } else {
49     assert_type(Optional[String], $content)
50   }
```

But then there is a warning and the diff still shows the sensitive content:

```
Warning: /Concat_fragment[secret]: Unable to mark 'content' as sensitive: content is a parameter and not a property, and cannot be automatically redacted.
```

I would like to offer a pull request on this, but I'm unsure where I would go from here... Does a complete provider have to be written for this to work?