Values looked up with eyaml_lookup_key are returned as strings. This reveals them in the console, in reports, etc. To prevent this the values should be wrapped in the Sensitive type. Currently automatic lookup fails when a class parameter is of type Sensitive[String] and the value looked up is of type String. This leads people to suggest manually converting each sensitive value to the Sensitive type via lookup_options:
While this kind of does the job, it's fragile and repetitious. While I can imagine a use case where someone would want encrypted values revealed in diffs, I'd guess that for most use cases the value looked up by eyaml_lookup_key should be wrapped in Sensitive.
I've managed to hack together the following function in my environment to do it:
But this would be better done in eyaml_lookup_key.rb, storing the wrapped values directly in the cache.
In order not to break backward compatibility the opt-in could be stored in the options hash as, e.g., a convert_to_sensitive boolean option. To make it fancier, the values of this opt-in could be:
- none: current behaviour
- encrypted: only wrap encrypted values
- all: wrap all values
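To make the three-way opt-in concrete, here is an added example (not code from this issue, and not hiera-eyaml's own eyaml_lookup_key.rb) that models the decision as a pure function over the values a lookup_key backend would place in its cache. The Sensitive class is a stand-in for Puppet::Pops::Types::PSensitiveType::Sensitive so the file runs without Puppet, the ENC[...] envelope check mirrors the eyaml ciphertext format, and the sample data and the decrypt lambda are constructed (real eyaml decrypts with PKCS7 or GPG).

```ruby
# Added example (not from the issue or from hiera-eyaml): models the proposed
# convert_to_sensitive opt-in for a lookup_key backend.

# Stand-in for Puppet's Sensitive wrapper: hides the value from to_s/inspect,
# which is what keeps it out of console output, reports and diffs.
class Sensitive
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  def to_s
    'Sensitive [value redacted]'
  end
  alias inspect to_s
end

# eyaml ciphertext uses the ENC[<method>,<base64>] envelope.
ENC_PATTERN = /\AENC\[[A-Za-z0-9_]+,[A-Za-z0-9+\/=]+\]\z/

def encrypted?(value)
  value.is_a?(String) && !!(value =~ ENC_PATTERN)
end

# The three opt-in modes from the proposal.
VALID_MODES = %w[none encrypted all].freeze

# mode: 'none' (current behaviour), 'encrypted' (wrap only values that were
# decrypted) or 'all' (wrap everything). decrypt is whatever the backend uses
# to turn ciphertext into plaintext.
def resolve_value(raw, mode, decrypt)
  unless VALID_MODES.include?(mode)
    raise ArgumentError, "convert_to_sensitive must be one of #{VALID_MODES.join(', ')}"
  end

  was_encrypted = encrypted?(raw)
  plain = was_encrypted ? decrypt.call(raw) : raw
  case mode
  when 'none'      then plain
  when 'encrypted' then was_encrypted ? Sensitive.new(plain) : plain
  when 'all'       then Sensitive.new(plain)
  end
end

# Builds what the backend would store in its cache for one data file, so the
# wrapping happens once and every later lookup gets the wrapped value.
def build_cache(data, mode, decrypt)
  data.each_with_object({}) { |(k, v), cache| cache[k] = resolve_value(v, mode, decrypt) }
end

# Constructed sample data and a fake decryptor (not real eyaml decryption).
SAMPLE_DATA = {
  'app::db_password' => 'ENC[PKCS7,QUJDMTIz]',
  'app::db_host'     => 'db.example.internal',
}.freeze
FAKE_DECRYPT = ->(cipher) { "plain(#{cipher[/,([^\]]+)\]/, 1]})" }

if $PROGRAM_NAME == __FILE__
  VALID_MODES.each do |mode|
    puts "mode=#{mode}: #{build_cache(SAMPLE_DATA, mode, FAKE_DECRYPT).inspect}"
  end
end
```

Running it prints the cache for each mode; in 'encrypted' mode the password shows as Sensitive [value redacted] while the host stays a plain string, and in 'all' mode both are wrapped. Rejecting unknown mode values up front matters because a typo in hiera.yaml would otherwise silently fall back to revealing everything.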
The use case for this is when someone sets eyaml_lookup_key and its options in defaults and scatters encrypted values throughout the layers (i.e. when there is no single dedicated layer for sensitive keys), accepting the performance hit of a lookup_key function vs. data_hash.
Another option would be to make Puppet automatically convert String to Sensitive[String] so that automatic class parameter lookup works. This would, however, still reveal values in e.g. puppet lookup output.