Details
Improvement
Status: Closed
Normal
Resolution: Duplicate
Coremunity
Needs Assessment
Description
The compiler evaluates interpolated sensitive values differently than non-interpolated ones, which is surprising:
    $secret = Sensitive('s3cret')
    notify { 'a': message => $secret }
    notify { 'b': message => "${secret}" }
The first resource evaluates to:
    "parameters": {
      "message": "s3cret"
    },
    "sensitive_parameters": [
      "message"
    ]
While the second evaluates to:
    "parameters": {
      "message": "Sensitive [value redacted]"
    }
Note the second one is lossy, as we no longer know what the original value was.
It would be preferable for the compiler to retain the sensitive data type during interpolation (when evaluating the concatenate expression). So for example "foo $secret" would produce a sensitive value whose unwrapped value was "foo s3cret".
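The difference between the two catalog outputs above can be checked mechanically. The following is an added example, not part of the original ticket or of Puppet itself: it audits a catalog's resources and separates parameters that kept their value and are listed in sensitive_parameters from parameters where the redaction marker was baked into a plain string. The sample catalog is constructed from the two resources in the description plus a hypothetical third resource "c" with a nested value; the function names are assumptions.

```python
import json

REDACTED = "Sensitive [value redacted]"

# Constructed sample: resources "a" and "b" from the description, in the shape
# of a catalog "resources" array (other fields omitted). "c" is hypothetical.
SAMPLE_CATALOG = json.loads("""
{
  "resources": [
    {"type": "Notify", "title": "a",
     "parameters": {"message": "s3cret"},
     "sensitive_parameters": ["message"]},
    {"type": "Notify", "title": "b",
     "parameters": {"message": "Sensitive [value redacted]"}},
    {"type": "Notify", "title": "c",
     "parameters": {"message": ["ok", "token=Sensitive [value redacted]"]}}
  ]
}
""")


def contains_marker(value):
    """True if the redaction marker appears anywhere inside a parameter value."""
    if isinstance(value, str):
        return REDACTED in value
    if isinstance(value, list):
        return any(contains_marker(v) for v in value)
    if isinstance(value, dict):
        return any(contains_marker(k) or contains_marker(v) for k, v in value.items())
    return False


def audit_catalog(catalog):
    """Classify each parameter as 'sensitive' (value kept and listed in
    sensitive_parameters) or 'lossy' (marker embedded in an ordinary string)."""
    findings = []
    for res in catalog.get("resources", []):
        ref = f"{res['type']}[{res['title']}]"
        flagged = set(res.get("sensitive_parameters", []))
        for name, value in res.get("parameters", {}).items():
            if name in flagged:
                findings.append((ref, name, "sensitive"))
            elif contains_marker(value):
                findings.append((ref, name, "lossy"))
    return findings


if __name__ == "__main__":
    for ref, name, kind in audit_catalog(SAMPLE_CATALOG):
        print(f"{ref} {name}: {kind}")
```

A "lossy" finding means the resource would be applied with the literal marker text in place of the secret, so the manifest line that built that string is where to look.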