cyberark / conjur-puppet

Official Puppet module for CyberArk Conjur
https://forge.puppet.com/cyberark/conjur
Apache License 2.0

Investigate UX when `Deferred` and/or `Sensitive` wrapping of `conjur::secret` function is not done #192

Closed sgnn7 closed 4 years ago

sgnn7 commented 4 years ago

We don't have a good idea what the UX looks like when the user forgets to wrap our conjur::secret function with Sensitive(Deferred()) block. This issue is to ensure we have acceptable UX for it.

AC:

Original issue: #114

sgnn7 commented 4 years ago

Results

Expected usage (Sensitive(Deferred(conjur::secret, ['...'])))

```
Notice: Writing secret Sensitive [value redacted] to /tmp/test.pem...
Notice: /Stage[main]/Main/Node[default]/Notify[Writing secret Sensitive [value redacted] to /tmp/test.pem...]/message: defined 'message' as 'Writing secret Sensitive [value redacted] to /tmp/test.pem...'
Notice: Writing secret to /tmp/test.pem...
Notice: /Stage[main]/Main/Node[default]/Notify[Writing secret to /tmp/test.pem...]/message: defined 'message' as 'Writing secret to /tmp/test.pem...'
```

Sensitive() is forgotten (Deferred(conjur::secret, ['...']))

```
Notice: /Stage[main]/Main/Node[default]/Notify[Grabbing 'inventory/db-password' secret...]/message: defined 'message' as 'Grabbing \'inventory/db-password\' secret...'
Notice: Writing secret Deferred({'name' => 'conjur::secret', 'arguments' => ['inventory/db-password']}) to /tmp/test.pem...
Notice: /Stage[main]/Main/Node[default]/Notify[Writing secret Deferred({'name' => 'conjur::secret', 'arguments' => ['inventory/db-password']}) to /tmp/test.pem...]/message: defined 'message' as 'Writing secret Deferred({\'name\' => \'conjur::secret\', \'arguments\' => [\'inventory/db-password\']}) to /tmp/test.pem...'
Notice: Writing secret to /tmp/test.pem...
Notice: /Stage[main]/Main/Node[default]/Notify[Writing secret to /tmp/test.pem...]/message: defined 'message' as 'Writing secret to /tmp/test.pem...'
```

Deferred() is forgotten (Sensitive(conjur::secret('...')))

```
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Internal Server Error: org.jruby.exceptions.LoadError: (LoadError) no such file to load -- conjur/puppet_module/config
Error: Could not retrieve catalog; skipping run
```

Sensitive(Deferred()) are forgotten (conjur::secret('...'))

```
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Internal Server Error: org.jruby.exceptions.LoadError: (LoadError) no such file to load -- conjur/puppet_module/config
Error: Could not retrieve catalog; skipping run
```

This probably warrants a troubleshooting section. CC @izgeri
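The three outcomes above leave distinct traces in `puppet agent` output, which is enough to build a troubleshooting check. The scanner below is an added example, not code from the conjur-puppet module: it classifies log lines into "redacted as expected", "`Sensitive` missing" (the `Deferred({...})` structure, including the secret's variable id, is printed unredacted) and "`Deferred` missing" (the `LoadError` for `conjur/puppet_module/config`, meaning `conjur::secret` ran on the server instead of the agent). The sample lines are copied from the runs in this issue; the regexes and the finding names are this example's own.

```python
import re

# Log lines taken from the test runs reported in this issue (one line per outcome,
# plus two ordinary notices to show they are ignored).
SAMPLE_LOG = """\
Notice: Writing secret Sensitive [value redacted] to /tmp/test.pem...
Notice: /Stage[main]/Main/Node[default]/Notify[Grabbing 'inventory/db-password' secret...]/message: defined 'message' as 'Grabbing \\'inventory/db-password\\' secret...'
Notice: Writing secret Deferred({'name' => 'conjur::secret', 'arguments' => ['inventory/db-password']}) to /tmp/test.pem...
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Internal Server Error: org.jruby.exceptions.LoadError: (LoadError) no such file to load -- conjur/puppet_module/config
Error: Could not retrieve catalog; skipping run
"""

# The string form of an unresolved Deferred value, as Puppet prints it when the
# enclosing value was not wrapped in Sensitive. Quotes may appear escaped (\') when
# the text is embedded in a resource title, hence the optional backslashes.
DEFERRED_RE = re.compile(
    r"Deferred\(\{\\?'name\\?' => \\?'(?P<fn>[\w:]+)\\?', "
    r"\\?'arguments\\?' => \[(?P<args>[^\]]*)\]\}\)"
)

# Server-side evaluation of conjur::secret: the module's agent-only Ruby library
# is not present on the compile master, so the catalog compile fails.
LOADERROR_RE = re.compile(r"LoadError\) no such file to load -- conjur/")

# What a correctly wrapped value looks like in the log.
REDACTED = "Sensitive [value redacted]"


def classify_line(line):
    """Return (finding, detail) for one puppet agent log line, or None if it is unremarkable."""
    m = DEFERRED_RE.search(line)
    if m:
        return (
            "missing_sensitive",
            f"{m.group('fn')} with arguments [{m.group('args')}] is logged unredacted; "
            "wrap the Deferred in Sensitive()",
        )
    if LOADERROR_RE.search(line):
        return (
            "missing_deferred",
            "conjur::secret was evaluated on the server; wrap the call in Deferred()",
        )
    if REDACTED in line:
        return ("redacted_ok", "value redacted as expected")
    return None


def scan_puppet_log(text):
    """Scan a whole log and return a list of (line_number, finding, detail) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify_line(line)
        if result is not None:
            findings.append((lineno, *result))
    return findings


def summarize(findings):
    """Count findings per kind so a troubleshooting step can say which wrapper is missing."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, kind, detail in scan_puppet_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
    print(summarize(scan_puppet_log(SAMPLE_LOG)))
```

Run it against a captured `puppet agent -t` log instead of `SAMPLE_LOG` to get the same classification; a `missing_sensitive` hit is the one to treat as an exposure, since the secret id is already in the log and the resolved value will be printed by any resource that echoes its parameters.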

izgeri commented 4 years ago

@sgnn7 it looks like nothing really errors on missing Sensitive - is that right?

Is there anything we can add to make it fail more gracefully on missing Deferred?

We can add a Troubleshooting section to the README.

sgnn7 commented 4 years ago

> it looks like nothing really errors on missing Sensitive - is that right?

No errors, but the value of params is not redacted in logs.

> Is there anything we can add to make it fail more gracefully on missing Deferred?

Unknown - we may be able to figure out it's a server-side request through some hackery and print an error but I'm not sure it's trivial

> We can add a Troubleshooting section to the README.

This is definitely the approach I think we should take for the first handling of these changes.

sgnn7 commented 4 years ago

Stories are now split. The documentation needed for Sensitive is now in story https://github.com/cyberark/conjur-puppet/issues/198. Closing.