Open gberche-orange opened 6 years ago
Which fields should be marked as sensitive?
Data sources are here to be used by other providers, and computed fields are not shown (and anyway they would potentially leak into other providers if not marked as sensitive).
Using the generic resource is already a failure because credentials are written directly in the tf file, and I chose to follow Vault on this one: https://github.com/terraform-providers/terraform-provider-vault/blob/master/vault/resource_generic_secret.go#L35-L44
Other resources don't store any secrets in their fields.
Which fields should be marked as sensitive?
The data source fields such as credhub_value.value, credhub_json.json, credhub_password.password, ...
This mimics the behavior chosen for the AWS Secrets Manager data source: https://github.com/terraform-providers/terraform-provider-aws/blob/b1a915bcbeb2566a8f81b37bc6c62e890c36bb5f/aws/data_source_aws_secretsmanager_secret_version.go#L22-L25
True that the Vault provider does not yet seem to mark data source fields as sensitive.
I understand that marking sensitive data source fields as sensitive might help future versions of Vault to be smarter in handling these values, such as encrypting these fields in the backend.
I agree this might not be a priority.
Sensitive fields might benefit from being marked as sensitive, which would redact them in logs/outputs.
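The redaction effect discussed in this thread, as an added example that is not part of the issue or of the credhub provider's code: the Schema struct below is a simplified stand-in (an assumption) for the Terraform plugin SDK's helper/schema.Schema, keeping only the Computed and Sensitive flags, and the three data sources and their attribute names are taken from the comments above. Unregistered data sources are redacted entirely so that a forgotten schema fails closed.

```go
package main

import (
	"fmt"
	"sort"
)

// Schema is a simplified stand-in (assumption) for the Terraform plugin SDK's
// helper/schema.Schema, keeping only the two flags that matter here.
type Schema struct {
	Computed  bool
	Sensitive bool
}

// dataSourceSchemas lists the credhub data sources named in the thread and marks
// the secret-bearing attribute of each as Sensitive, mirroring the pattern of the
// aws_secretsmanager_secret_version data source linked above.
var dataSourceSchemas = map[string]map[string]Schema{
	"credhub_value":    {"name": {}, "value": {Computed: true, Sensitive: true}},
	"credhub_json":     {"name": {}, "json": {Computed: true, Sensitive: true}},
	"credhub_password": {"name": {}, "password": {Computed: true, Sensitive: true}},
}

// RedactForLog returns a copy of a data source's attributes in which every
// attribute marked Sensitive is replaced by "(sensitive)". If the data source has
// no registered schema, every attribute is redacted (fail closed).
func RedactForLog(dataSource string, attrs map[string]string) map[string]string {
	schema, known := dataSourceSchemas[dataSource]
	out := make(map[string]string, len(attrs))
	for k, v := range attrs {
		s, inSchema := schema[k]
		if !known || !inSchema || s.Sensitive {
			out[k] = "(sensitive)"
		} else {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed sample attributes; the password is a placeholder, not a real credential.
	attrs := map[string]string{"name": "/demo/db", "password": "example-placeholder"}
	redacted := RedactForLog("credhub_password", attrs)
	keys := make([]string, 0, len(redacted))
	for k := range redacted {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s=%s\n", k, redacted[k]) // prints name=/demo/db then password=(sensitive)
	}
}
```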