When using hiera's convert_to: Sensitive lookup option, the explain output that is turned on by --debug includes the clear-text looked-up value as the explainer traces the lookup. Only afterwards is this value converted to Sensitive.
The desire is that such values would be redacted in the log.
When puppet agent is run with the --debug option, passwords get logged in plain text, although the passwords are stored encrypted in the YAML.
2019-05-03 15:58:36 -0700 Puppet (debug): Lookup of 'my_con_pwd'
Searching for "my_con_pwd"
Global Data Provider (hiera configuration version 3)
Using configuration "/home/tstuser/puppet/hiera.yaml"
Hierarchy entry "eyaml"
Original path: "defaults"
No such key: "my_con_pwd"
Original path: "my_prod_config."
Found key: "my_con_pwd" value: "MyT3stP"
The password is not redacted even if lookup_options is added for this data with convert_to: Sensitive.
The lookup_options entry is set in common.yaml like:
Puppet seems to detect that this data is sensitive, because it displays the following message after the lookup:
Applying convert_to lookup_option with arguments [Sensitive]
But the value is not redacted, as shown in the log snippet.
If lookup_options is configured as shown above but this data is interpolated into another setting in a list, like:
then the following error occurs:
2019-05-03 16:11:26 -0700 Puppet (err): Evaluation Error: Error while evaluating a Function Call, Lookup of key failed: The convert_to lookup_option for key 'my_con_pwd' raised error: undefined method `call_function' for #<Hiera::Scope:0x0000000003a1cab8>
Please let me know if there is any other way to redact passwords when --debug is used. Although this only occurs when --debug is passed, it is not acceptable security practice.
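As an added example (not part of this report and not Puppet's own code), a small post-processing filter that scrubs the value from the explain line `Found key: "..." value: "..."` for every key whose lookup_options request convert_to: Sensitive; the lookup_options dictionary and the log lines are constructed to mirror the snippet above.

```python
import re

# Constructed stand-in for the lookup_options block in common.yaml
# (modelled on what the report describes, not copied from it):
#   lookup_options:
#     my_con_pwd:
#       convert_to: Sensitive
LOOKUP_OPTIONS = {
    "my_con_pwd": {"convert_to": "Sensitive"},
}

# Matches the explain line that discloses the looked-up value, e.g.
#   Found key: "my_con_pwd" value: "MyT3stP"
FOUND_KEY_RE = re.compile(r'Found key: "(?P<key>[^"]+)" value: (?P<value>.*)$')


def sensitive_keys(lookup_options):
    """Keys whose lookup_options ask for conversion to Sensitive."""
    return {
        key for key, opts in lookup_options.items()
        if opts.get("convert_to") == "Sensitive"
    }


def redact_line(line, keys):
    """Replace the value part of a 'Found key' line when the key is sensitive."""
    m = FOUND_KEY_RE.search(line)
    if m and m.group("key") in keys:
        return line[: m.start("value")] + "[REDACTED]"
    return line


def redact_explain_output(text, lookup_options=LOOKUP_OPTIONS):
    """Redact every disclosed value for a sensitive key in captured --debug output."""
    keys = sensitive_keys(lookup_options)
    return "\n".join(redact_line(line, keys) for line in text.splitlines())


# Constructed sample shaped like the --debug output in the report; the
# non-sensitive key 'some_port' shows that other values are left alone.
SAMPLE = """\
2019-05-03 15:58:36 -0700 Puppet (debug): Lookup of 'my_con_pwd'
  Found key: "my_con_pwd" value: "MyT3stP"
  Found key: "some_port" value: "5432"
"""

if __name__ == "__main__":
    print(redact_explain_output(SAMPLE))
```

This only cleans logs after the fact: the agent has already written the clear-text value, so the filter is a stopgap for log shipping and retention, not a fix for the disclosure itself.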