nonsensitive: no longer produces error when applied to nonsensitive values #33856
Thanks for this submission. I've added it to the triage queue. Just a reminder that we will not be able to review / merge unless the CLA is signed. Thanks!
@@ -73,8 +73,8 @@ due to an inappropriate call to `nonsensitive` in your module, that's a bug in | |||
your module and not a bug in Terraform itself. | |||
**Use this function sparingly and only with due care.** | |||
|
|||
`nonsensitive` will return an error if you pass a value that isn't marked | |||
as sensitive, because such a call would be redundant and potentially confusing | |||
`nonsensitive` will no longer return an error if you pass a value that isn't marked |
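Review bot: the added sentence at the end of this hunk ("will no longer return an error ...") describes the behaviour relative to older releases without naming a version, and the removed lines were the only place that explained why the call used to be rejected. Suggest stating the behaviour in the present tense and adding a short note with the first Terraform version in which unmarked values are accepted, so readers on earlier versions know the call still errors there. The "Use this function sparingly and only with due care." warning in the context lines should stay directly above the new sentence.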
I think we don't need to clarify this with `no longer` as new readers won't have the context that this used to not work.
Let's change this to:
`nonsensitive` will make no changes to values that aren't marked as sensitive, even though such a call may be redundant and potentially confusing.
Changed as per @liamcervante indication. Thx
The cutoff for
@liamcervante any news on when this is planned for merge and release?
Hi @joaocc, apologies for the delay. Could you update the documentation to address my comments? Thanks!
Updated as per instructions, and rebased on main. Thx
Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.
This is merged and the CHANGELOG updated, will be released in Terraform v1.7.0. Thanks @joaocc for your contribution!
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
#28222 and #31693 and other issues describe a set of situations where users are effectively locked into a situation where they can't use derivations of collections of objects where some fields are marked as sensitive into for_each, and are also unable to use nonsensitive because some of the values are indeed nonsensitive already. It also applies to arrays of elements where some are marked as sensitive while others are not.
In these hybrid situations, there doesn't seem to be a way to mark everything as nonsensitive.
The behaviour in 1.5.x causes an error if nonsensitive is called on a value that is not marked as "sensitive".
The documentation at https://developer.hashicorp.com/terraform/language/functions/nonsensitive offers a rationale
Also, this behaviour is not consistent with that of sensitive, where sensitive can be applied to any value, regardless of whether it is already sensitive or not.
However, from the sheer amount of issues complaining about the implications of this decision, this well-intentioned decision is causing unintended pain.
The current behaviour is not only interfering with developer decision of determining what is and what isn't sensitive, but also doing that when there is not even a security risk (fields are already nonsensitive). The workarounds proposed force developers away from simpler and more straightforward solutions, more difficult to understand and maintain, without any tangible benefit in terms of security.
For this reason, this PR proposes that nonsensitive does what it is meant to do, which is to allow developers to mark fields as nonsensitive, leaving softer aspects of maintainability and maintainer confusion to be decided by each developer.
This PR should not cause breaking behaviours, as it is enabling a behaviour that wasn't allowed before.
Fixes #
#31693
Relates #
#32880
#32828
#31646
#31609
#31609
#29744
#28222 (comment)
#28222
Target Release
1.5.x
Draft CHANGELOG entry
BUG FIXES
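The hybrid case from the description above, as an added illustration (not code from this PR or from Terraform). All names and values are constructed, and it assumes Terraform v1.7.0 or later, the release named in the thread. It unmarks only the field used as the instance key, so the tokens stay redacted in plan output.

```hcl
# Added example; every name and value here is constructed for illustration.
terraform {
  required_version = ">= 1.7.0" # release the thread names for this change
}

locals {
  # Hybrid collection: one "name" is marked sensitive, the other is not.
  accounts = [
    { name = "alice", token = sensitive("constructed-token-a") },
    { name = sensitive("bob"), token = sensitive("constructed-token-b") },
  ]

  # Unmark only the key field. Before the change, this call failed for
  # "alice" because that value carries no sensitive mark to remove.
  names = [for a in local.accounts : nonsensitive(a.name)]

  # Keys are unmarked; each token value keeps its sensitive mark.
  token_by_name = {
    for a in local.accounts : nonsensitive(a.name) => a.token
  }
}

resource "terraform_data" "account" {
  # for_each keys are always shown in UI output, so only the unmarked
  # names are used here, never the tokens.
  for_each = toset(local.names)

  input = local.token_by_name[each.key]
}

output "account_names" {
  # No "sensitive = true" needed: the names were deliberately unmarked.
  value = local.names
}
```

Calling `nonsensitive(a)` on the whole object instead would also strip the mark from `token`, which is the over-broad use the documentation's "use sparingly" warning is about.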